发表新帖

发表新帖

PHP intval() weird results

前端未结

关注

 5  1146

无人及你 2020-12-20 06:26

I\'m encountering something weird and I don\'t know why it is happening!

I have a URL like:

http://mysite.com/users/USER_ID

this user id

5条回答

温柔的废话 (楼主)

2020-12-20 07:12
PHP is really "wired" with so called type-juggling. It is the most error-prone part of most PHP-scripts. As such, you should always stay on the safe side and use the most robust check. For example intval("twelve") will return 0, which is a valid integer. But also considered "false": print if (intval("one")) ? "yup" : "nope" will print "nope".

In this case, using intval, in combination with a check if the integer is larger then zero, should do the trick:
```
 0){
  // The column which I should look into is id
  $column = 'id';
}else{
  // The column which I should look into is page_name
  $column = 'page_name';
}

$query = mysql_qyery(SELECT * FROM members WHERE $column = '$id');
?>
```
Or, shorter:
```
$id = intval($_GET['id']);

$column = ($id > 0) ? "id" : "page_name";
$query = mysql_qyery(SELECT * FROM members WHERE $column = '$id');
```
Aso note that $_GET["id"] might not be set, which would throw a notice in your code.

And last, but certainly not least: the SQL-injection: ?id=LittleBobby';Drop table users.

edit As commentor points out, there was a logical flaw in my code, stemming form the fact I tested it in phpsh only. I refactored it from using is_int() to intval and > 0. In a web-environment, $_GET["id"] is always a string; no matter what. Hence is_int() will always return FALSE.
0 讨论(0)

查看其它5个回答
发布评论:

提交评论
- 加载中...

热议问题