Best way to solve unwanted uri characters.
#1

[eluser]eedfwChris[/eluser]
Basically I have something like...

/view/2

where 2 is the id of some article.

What is the best way to prevent people from typing say... "e" in there and generating a SQL error?
#2

[eluser]sophistry[/eluser]
um...
Code:
if ($id === 2)
{
//do sql
}
#3

[eluser]BravoAlpha[/eluser]
Cast the id string to an integer? PHP Manual: Type Juggling
#4

[eluser]eedfwChris[/eluser]
[quote author="sophistry" date="1186625865"]um...
Code:
if ($id === 2)
{
//do sql
}
[/quote]

Uh... ANY number... not just 2...

[quote author="BravoAlpha" date="1186628265"]Cast the id string to an integer? PHP Manual: Type Juggling[/quote]

I just want it to err out if it's anything but an integer.

Isn't there some sort of validation I can do with CodeIgniter specifically for URI segments? In theory I could do something like:
Code:
if (is_numeric($id))
{
// sql
}
#5

[eluser]sophistry[/eluser]
there you go. you answered your own question. nicely done. :-)

btw, there is no special CI validation on URI segments.

that is one of the main things to learn when using CI - don't forget about PHP. CI helps you but there is still the whole entire set of PHP functions available to you at any moment.

good luck and let us know how you do going forward.
#6

[eluser]Michael Wales[/eluser]
I am assuming this ID is referencing an ID within a table - therefore, you don't just want to determine if it's numeric and allow it to run.

In the model that is returning data for this controller - have it check num_rows() and return FALSE if it's 0, then plan accordingly within your controller.

This way, someone can't pass /view/29834798327493249873294798324783274082378047 and have your site go "WTF!?"
#7

[eluser]座頭市[/eluser]
The ctype functions are your friends.

Code:
if (!ctype_digit($foo)) {
   $msg = 'Exactly what are you trying to pull?';
   show_error($msg);
   exit;
}

/*
| Rest of code here...
*/
#8

[eluser]mipa[/eluser]
Or you could always use regular expressions:

Code:
if (preg_match('/^[0-9]{1,2}$/', $param)) {
  // do something
}
#9

[eluser]eedfwChris[/eluser]
[quote author="walesmd" date="1186639647"]I am assuming this ID is referencing an ID within a table - therefore, you don't just want to determine if it's numeric and allow it to run.

In the model that is returning data for this controller - have it check num_rows() and return FALSE if it's 0, then plan accordingly within your controller.

This way, someone can't pass /view/29834798327493249873294798324783274082378047 and have your site go "WTF!?"[/quote]

Yeah, my problem was that when you type in a non-numeric character like "e" in my example, the query would go "WTF!?" because I am not quoting it in the query (as I am comparing an integer, not a string).

Anyhoo, thanks guys! I will be using ctype_digit... This solves the decimal problem I was thinking of with is_numeric.
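A worked version of the checks proposed in this thread (is_numeric, ctype_digit, the regex and a range check for the oversized id), added here as an example; it is not code from any poster or from CodeIgniter, and the function names and sample segments are constructed:

```php
<?php
// Added example (not from the thread or from CodeIgniter): validate the "2" in
// /view/2 as a strict positive integer id before it ever reaches a SQL query.
// Returns the id as an int, or null when the segment is not an acceptable id.
// Accepts mixed because CI's $this->uri->segment() returns FALSE when the
// segment is missing; anything that is not a string is rejected outright.
function validate_id_segment($segment): ?int
{
    // ctype_digit needs a string of only 0-9: it rejects "2.5", "1e3", "-1"
    // and " 2" (all of which is_numeric accepts) as well as "e" and "".
    if (!is_string($segment) || $segment === '' || !ctype_digit($segment)) {
        return null;
    }
    // Reject leading zeros so "007" is not silently treated as 7.
    if (strlen($segment) > 1 && $segment[0] === '0') {
        return null;
    }
    // Reject digit strings that would overflow a PHP int (the huge-id case
    // raised in the thread). strcmp avoids PHP's numeric string comparison,
    // which would compare the two values as floats and call them equal.
    $max = (string) PHP_INT_MAX;
    if (strlen($segment) > strlen($max)
        || (strlen($segment) === strlen($max) && strcmp($segment, $max) > 0)) {
        return null;
    }
    $id = (int) $segment;
    return $id > 0 ? $id : null;   // row ids start at 1 (assumption)
}

// Side-by-side results of the checks proposed in the thread, for one segment.
function compare_checks($segment): array
{
    return [
        'is_numeric'  => is_string($segment) && is_numeric($segment),
        'ctype_digit' => is_string($segment) && ctype_digit($segment),
        'regex_1_2'   => is_string($segment) && preg_match('/^[0-9]{1,2}$/', $segment) === 1,
        'validated'   => validate_id_segment($segment),
    ];
}

// Constructed sample segments, including the oversized id from the thread.
$samples = ['2', 'e', '2.5', '1e3', '-1', ' 2', '007', '', false,
            '29834798327493249873294798324783274082378047'];
foreach ($samples as $s) {
    $r = compare_checks($s);
    printf("%-48s is_numeric=%d ctype_digit=%d regex=%d validated=%s\n",
        var_export($s, true), $r['is_numeric'], $r['ctype_digit'], $r['regex_1_2'],
        $r['validated'] === null ? 'null' : (string) $r['validated']);
}
```

Only the validated $id should reach the query, and even then it is worth passing it through CI's query bindings (`$this->db->query('SELECT * FROM articles WHERE id = ?', array($id));`, table name assumed) rather than concatenating it into the SQL string.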