[wp-hackers] Re: Don't treat a numeric user name as an id.
Nikolay Bachiyski
nbachiyski at developer.bg
Fri Dec 16 13:43:00 GMT 2005
Scott Merrill wrote:
> Nikolay Bachiyski wrote:
>
>>m at wordpress.org wrote:
>>
>>>- if ( is_numeric($id) ) {
>>>- $this->data = get_userdata($id);
>>>- } else {
>>>- $this->data = get_userdatabylogin($id);
>>>+ if ( ! is_numeric($id) ) {
>>>+ $name = $id;
>>>+ $id = 0;
>>> }
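Review bot: The `+` branch still gates on `is_numeric($id)`, which accepts signed, decimal and exponent forms (the `-666.66e8` case raised below), so such strings still take the numeric id path; converting with `intval($id)` and requiring `intval($id) > 0` before treating the value as an id, and falling back to the login lookup otherwise, would reject those while keeping plain numeric strings.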
>>
>>
>>is_numeric tests if the string is numeric, which allows negative or
>>float numbers to be used as an id. For example -666.66e8 is a valid
>>numeric.
>>
>>Wouldn't it be better if intval were also used? It returns 0 if the string
>>is not a valid integer. We just have to check whether intval($id) is
>>greater than zero.
>
>
> All form submissions are strings, though, so checking a form submitted
> integer with is_int() will always return false.
I agree.
>
> http://us2.php.net/is_int:
> "Note: To test if a variable is a number or a numeric string (such as
> form input, which is always a string), you must use is_numeric()."
>
> You could use is_numeric(), then strpos a minus sign or a decimal point
> to determine whether it's safe to call intval() on the submitted number.
>
It is always safe to use intval - it works on strings too. Try
intval("666").
Nikolay.
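The checks discussed in this thread side by side, as an added example that is not code from the thread or from WordPress: the `intval($id) > 0` rule Nikolay proposes, and a stricter variant using PHP's FILTER_VALIDATE_INT, run over constructed inputs. The function names are hypothetical.

```php
<?php
// Added example, not from the thread. Compares two ways of deciding whether a
// submitted string should be treated as a numeric user id or as a login name.

// The thread's suggestion: cast with intval() and require a positive result.
// intval() converts leading-numeric strings ("12abc" -> 12) and strips leading
// zeros ("007" -> 7), so those inputs are treated as ids by this check.
function lookup_key_intval(string $id): array {
    $n = intval($id);
    return $n > 0 ? ['id' => $n] : ['login' => $id];
}

// Stricter variant (editor's addition): FILTER_VALIDATE_INT only accepts a
// canonical decimal integer string, so "12abc", "007", "-666.66e8" and "0"
// all fall through to the login branch; min_range rejects 0 and negatives.
function lookup_key_strict(string $id): array {
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n !== false ? ['id' => $n] : ['login' => $id];
}

// Constructed sample inputs: a plain id, the float/exponent case from the
// thread, zero, a plain login, a leading-numeric login and a zero-padded one.
$inputs = ['666', '-666.66e8', '0', 'abc', '12abc', '007'];

foreach ($inputs as $in) {
    printf("%-12s is_numeric=%-6s intval=%-20s strict=%s\n",
        var_export($in, true),
        var_export(is_numeric($in), true),
        json_encode(lookup_key_intval($in)),
        json_encode(lookup_key_strict($in)));
}
```

Both checks agree on '666', '-666.66e8', '0' and 'abc'; they differ on '12abc' and '007', which intval() turns into ids 12 and 7 while the strict variant keeps them as login names.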