
Best way to verify integers

PHP Security

         

wfernley

2:54 pm on Nov 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi everyone. I am working on the security aspect of my site. The first thing I am going to work on is verifying a value is numeric. For example, on my site I have www.mysite.com/itemdetails.php?products_id=188. I want to verify that the products_id is 188 and not "Drop Database MYDB;".

I was curious about how I should do this. I had something worked out before that would check to see if it was numeric but people kept complaining they were getting errors because of it.

I was curious what everyone here uses for situations like that. Also, what are other ways I could secure my site? Like Forms, when a user inputs info, that could be one. What others could there be?

Thanks :)

Wes

Netizen

3:08 pm on Nov 15, 2004 (gmt 0)

10+ Year Member



Hi,

I normally use

if (preg_match("/[^0-9]/",$value)) {
// bail here
}

as in, if there is something that is not a number in the value, then there's trouble brewing.

ukgimp

3:15 pm on Nov 15, 2004 (gmt 0)

dreamcatcher

3:57 pm on Nov 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Or you can use the character class [:digit:]

$username = "0123456789";

// note: the ereg family was removed in PHP 7; preg_match("/^[0-9]+$/", $username) is the equivalent
if (eregi("^[[:digit:]]+$", $username))
{
    return true;
}
else
{
    return false;
}

wfernley

4:01 pm on Nov 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Great, thanks for the replies.

I set it up with:

function id_check($id) {
    if (preg_match("/[^0-9]/",$id)) {
        return 10;
    } else {
        return $id;
    }
}

I set it up like this so if they do enter a bad id, it will return them with another which is also the most popular id used. Also I set it up so when an error does occur it emails me with the id they entered and their IP. That was easy; now hopefully I don't get a lot of errors like I did before.

Thanks for the replies. :)

What about other ways of securing my site. What have you found to be another important way to protect your database?

Thanks.

Wes

Salsa

6:55 pm on Nov 15, 2004 (gmt 0)

10+ Year Member



Because your main issue here is security, and the example you gave was "Drop Database MYDB;", be sure to create database users with the most limited privileges necessary for a task. For example, when you are simply displaying Web pages called from your database, the user for that need only have SELECT privileges--and only for the relevant tables--or even columns. Or, for logging stats, the user for that might have only INSERT privileges--and only for the stats tables. That way, even if someone were to lay their hands on those two passwords, they wouldn't be able to do any great harm--and it would drive them nuts in the process of trying! The privilege of dropping a database or permanent table should almost always be reserved for an administrative user, and I wouldn't keep that user's password anywhere on the server--even below the root.

[edited by: Salsa at 7:02 pm (utc) on Nov. 15, 2004]

dmorison

6:58 pm on Nov 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wes,

The most important aspect of protecting your database is to make sure that any values (even numeric) are quoted within your query and are properly escaped.

The function mysql_escape_string() [uk.php.net] exists to do just that.

wfernley

7:06 pm on Nov 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Great, thanks.

I have been using quotes for numerical values. I knew it wasn't necessary but I did anyway; looks like it's good I did it. As for privileges, I wanted to give the user only SELECT privileges but I can't because of my ISP.

Thanks for the replies.
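Pulling the thread's two points together (the digits-only check from the replies and dmorison's advice to quote and escape even numeric values), here is an added example that is not code from any poster. It assumes a signed INT column (hence the 2147483647 ceiling) and uses addslashes() as a stand-in for the escape function, since the mysql extension is not available offline; the inputs at the bottom are constructed.

```php
<?php
// Added example, not from the thread. Applies the digits-only rule but also
// handles inputs that a strict check tends to reject by mistake: surrounding
// whitespace, leading zeros, an empty value, or an array-typed parameter.
// The 2147483647 ceiling assumes products_id is a signed INT column.

function valid_product_id($raw): ?int
{
    if (!is_string($raw)) {            // products_id[]=1 arrives as an array
        return null;
    }
    $s = trim($raw);                   // "188 " from a mangled link still passes
    if ($s === '' || !ctype_digit($s)) {
        return null;                   // "188abc", "-5", "1; DROP DATABASE MYDB"
    }
    if (strlen($s) > 10) {             // (int) silently clamps huge strings; refuse them
        return null;
    }
    $id = (int) $s;                    // "0188" becomes 188
    if ($id < 1 || $id > 2147483647) {
        return null;
    }
    return $id;
}

// As dmorison advises, the value is still escaped and quoted in the query even
// though it is numeric: if the check above is ever loosened, the escape and the
// quotes still stand between the input and the SQL. On PHP with PDO, a prepared
// statement bound with PDO::PARAM_INT does the same job.
function product_query($raw, callable $escape): string
{
    $id = valid_product_id($raw);
    if ($id === null) {
        // the thread's fallback substitutes a known-good id and e-mails the bad
        // value plus the client IP; an exception keeps that decision with the caller
        throw new InvalidArgumentException('products_id is not a valid integer');
    }
    return "SELECT * FROM products WHERE products_id = '" . $escape((string) $id) . "'";
}

// Constructed inputs; the first four are accepted, the rest rejected.
foreach (['188', ' 188 ', '0188', '2147483647', '', '188abc', '-5', '0',
          '99999999999', '1; DROP DATABASE MYDB'] as $input) {
    printf("%-26s => %s\n", var_export($input, true),
        var_export(valid_product_id($input), true));
}
echo product_query('188', 'addslashes'), "\n";   // addslashes stands in for mysql_escape_string
```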