[wp-hackers] Re: Don't treat a numeric user name as an id.

Nikolay Bachiyski nbachiyski at developer.bg
Fri Dec 16 13:43:00 GMT 2005

Scott Merrill wrote:
> Nikolay Bachiyski wrote:
>>m at wordpress.org wrote:
>>>-        if ( is_numeric($id) ) {
>>>-            $this->data = get_userdata($id);
>>>-        } else {
>>>-            $this->data = get_userdatabylogin($id);
>>>+        if ( ! is_numeric($id) ) {
>>>+            $name = $id;
>>>+            $id = 0;
>>>         }
>>is_numeric tests if the string is numeric, which allows negative or
>>float  numbers to be used as an id. For example -666.66e8 is a valid
>>Wouldn't it be better if also intval is used. It returns 0 if the string
>>is not a valid integer. We just have to check whether intval($id) is
>>greater than zero.
> All form submissions are strings, though, so checking a form submitted
> interger with is_int() will always return false.

I agree.

> http://us2.php.net/is_int:
> "Note:  To test if a variable is a number or a numeric string (such as
> form input, which is always a string), you must use is_numeric()."
> You could use is_numeric(), then strpos a minus sign or a decimal point
> to determine whether its safe to call intval() on the submitted number.
It is always safe to use intval - it works on strings too. Try 


More information about the wp-hackers mailing list