A piece of script

    <?php
    $uid = $_GET['uid'];
    if (!isset($uid)) {
        er(15);
    }
    sec1str($uid);        // strips tags
    settype($uid, 'int'); // cast $uid to a number (?) // although it works anyway; let it stay
    if ($uid < 1) {
        // so as not to bother the DB:
        // an error is shown and there is no unnecessary DB query
        er(15);
    }
    $q = 'select ..where uid=?'; // I work with parameterized queries.

The "problem" is that when you type 145ячвап or 17foo4 -эє 07 or 95+* into the address bar, everything works. But the address bar looks ugly.

Although honestly I couldn't care less, and in general nothing bad happens. Besides, I am sure that ordinary users will not type anything like that there.

If the string is 17foo4, then the data for uid 17 will be displayed. I understand why this happens: PHP itself converts (coerces) the values of variables to the required type.

If $uid is 95+*, the data for $uid == 95 will be displayed.


How can I fix the situation? Or leave it as it is? This "problem" is far-fetched anyway.

I know that the isset and < 0 checks can be combined in one if.

    3 answers

     <?php
     if (empty($_GET['uid']) ||                   // if the variable does not exist or is empty (==0)
         !is_numeric($_GET['uid']) ||             // or it is not a number
         !preg_match('%^\d+$%', $_GET['uid'])) {  // or the number is negative / floating point
         er(15);
     }
     $uid = (int)$_GET['uid']; // $uid is now definitely a positive integer
     ...
    • That's it! It was enough to write that regular expressions can be used. I have them in the code, but at night I somehow did not think of it. - root_x Povierennyy
    • !is_numeric does not work! I wrote why in the comments to another answer. - root_x Povierennyy
    • @root_x Povierennyy, is_numeric works in this example, tested on localhost. Here this function is needed so that an array from $_GET['uid'] does not end up in the regular expression, if a cunning user sends you one via uid. - Visman
    • I must apologize. I just checked it myself: yes, is_numeric works. And is_int does not work, even if a number is passed via GET, probably because it checks the type of the variable (I don't know for sure). BUT if you do settype BEFORE is_int, then is_int will work even on a wrong string. That's why I thought that neither is_numeric nor is_int work as I want. - root_x Povierennyy
    • BUT if you do settype BEFORE is_int, then is_int will work even with the wrong string. - root_x Povierennyy

    You can tell the user that something abnormal is happening and that you have decided not to process the request.

     <?php
     $uid = $_GET['uid'];
     if (!isset($uid) || !is_numeric($uid) || $uid < 1) {
         die('bad parametrs');
     } else {
         // code
     }
    • Have you checked (tested) what you wrote? is_int and is_numeric do not work, because $uid is automatically converted to a numeric type. I had such a check in the code at first (even without settype the problem remained). - root_x Povierennyy
    • Everything is fine with is_numeric. I removed the settype before the is_numeric line and everything became good. :) - root_x Povierennyy

    This is how I did it:

     $uid = $_GET['uid']; // remember the @
     if (!isset($uid) || $uid < 1 || !preg_match('#^[1-9]+[0-9]*$#', $uid)) { // the regex comes last because it is slow to run
         er(15);
     }
     //sec1str($uid);
     //settype($uid, 'int'); // cast $uid to a number
     if (!is_numeric($uid)) { // this check is sort of no longer needed, but I'll put it in the if anyway
         echo 'not int';
         exit;
     }
     echo 'int';
     exit;

    • You did not do it right ;) Before you assign the value of the $uid variable, you need to check whether $_GET['uid'] exists at all, otherwise your error log may be clogged with warnings. It's not for nothing that I do the checks first in my answer. - Visman
    • :) I always do it wrong; just before such an assignment I put the @. And the Notice: Undefined index: uid messages, that is, this message level, can be disabled on the server. I will look in php.ini today. Thanks for reminding me that Notice: is also written to the log. - root_x Povierennyy
    • Just checked: if you remember the @, then nothing is written to the log itmages.ru/image/view/4325868/032cb952 (last 2 lines, after adding @ before $uid = $_GET['uid'];). The question is WHAT am I always doing wrong? I do this for ease of writing code. - root_x Povierennyy
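An added example, not code from the question or from any of the answers, showing a strict way to read uid so that the juggling discussed above (17foo4 read as 17, 95+* read as 95, an array smuggled in via uid[]) is rejected before the query runs. er() is assumed to be the asker's own error handler and is stubbed here so the file runs on its own:

```php
<?php
// Added example: strict validation of the "uid" query parameter.
// er() is assumed to be the asker's error handler; stubbed here so the script runs stand-alone.
declare(strict_types=1);

function er(int $code): void
{
    http_response_code(400);
    exit("error $code");
}

/**
 * Returns uid as a positive int, or null if the parameter is missing, is an
 * array, contains anything but digits, has leading zeros, is zero, or
 * overflows PHP_INT_MAX. Nothing is coerced: "17foo4" is rejected, not read as 17.
 */
function readUid(array $get): ?int
{
    // ?uid[]=1 turns $_GET['uid'] into an array; isset() alone would pass it on,
    // and preg_match()/ctype_digit() on an array do not do what the code expects.
    if (!isset($get['uid']) || !is_string($get['uid'])) {
        return null;
    }
    // Digits only: this is the same idea as the answers' ^\d+$ regex, and it also
    // refuses the optional "+"/"-" sign and surrounding whitespace that
    // FILTER_VALIDATE_INT would otherwise tolerate.
    if (!ctype_digit($get['uid'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects leading zeros ("007") and values outside
    // int range; min_range drops 0 so the DB is never asked for uid 0.
    $uid = filter_var($get['uid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// Constructed sample inputs mirroring the ones discussed on the page.
$samples = ['17', '17foo4', '95+*', '145ячвап', '007', '-5', '0', '1.5', '+3', ['1']];
foreach ($samples as $raw) {
    $label = is_array($raw) ? 'array' : $raw;
    $uid = readUid(['uid' => $raw]);
    printf("%s -> %s\n", $label, $uid === null ? 'rejected' : "uid=$uid");
}

// In the real request handler: validate first, then bind $uid to the
// parameterised query ('... where uid = ?') only if it passed.
$uid = readUid($_GET);
if ($uid === null) {
    er(15);
}
```

Of the constructed samples only '17' is accepted; every other value, including the array, comes back as rejected.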