[Apologies for having accidentally responded to Matt W off-list, and
now bringing it back on-list without asking...]

On Sat, August 12, 2006 2:50 am, Matt W wrote:
> From: "Richard Lynch"
> Sent: Friday, August 11, 2006
>
>
>> Leading whitespace in PHP means that it's not a number, it's a
>> string,
>> and it turns into 0.
>>
>> If you change that, it will break a lot of stuff.
>>
>> Don't.
>>
>> :-)
>
> This is basically what Jochem Mass said, and my reply was:
>
> "Leading whitespace is already allowed with PHP's is_numeric()
> function (and
> corresponding internal one), math operations, etc.  Only when it
> precedes
> .123 or -.123 does the behavior change. :-)"
>
> So with math operations, leading whitespace doesn't cause it (an
> otherwise
> numeric-prefix string) to turn into 0 (and never has), unless the
> first
> character(s) after the whitespace are "." or "-."  Changing this
> specific
> (and rarely, if ever, occuring) scenario shouldn't break stuff... but
> merely
> make it operate the way it should. :-)

But I think you are talking about making changes to the way this works:

http://example.com/?foo=%20.123
<?php
$foo = $_GET['foo'];
if (is_numeric($foo)){
  //error out
}
$query = "something involving '$foo'";
?>

If you break that, you're in big trouble to a lot of scripts all over
the planet, which rely on the leading space to trap their SQL problem.

I never actually use is_numeric, and would expect it to follow the
same "rules" as PHP's internal type-juggling mechanism.

I believe leading spaces should NOT be allowed for type-juggling, not
is_numeric, because GET/POST/COOKIE data should be subject to the most
stringent constraints reasonable to avoid security injections.

I really think the community is best served by K.I.S.S. which means
is_numeric should follow the same "rules" as type-juggling, so that
the programmer is not confused by which does what, and that those
rules for what constitutes is_numeric() should not have leading (or
trailing) spaces.

There is also a paradigm of only specifically allowing what "should
be" valid for a validity/security check on data constraints.

While I don't think leading/trailing spaces are likely to constitute a
Security Issue, there is a Principle at work that I think should be
applied.

Surely is_numeric(trim($foo)) is the right answer for the programmer
who specifically wants to allow spaces.

The fact that PHP even allows leading spaces for this is what I would
consider a bug:
<?php
$foo = ' 123';
$bar = (int) $foo;
echo "bar: $bar";
?>

EXPECTED OUTPUT:
bar:

ACTUAL OUTPUT:
bar: 123

I understand the argument that this buggy behaviour is inconsistent
with ' .123' and ' -.123' but would counter that the bug is in
allowing the leading spaces, and is not best addressed by making it
consistently buggy.

jmho

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to