By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
428,853 Members | 2,186 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 428,853 IT Pros & Developers. It's quick & easy.

strval $_REQUEST

P: n/a
I have seen some code like
$value = strval($REQUEST['value']);

I would like to know what is the use of strval here since $_REQUEST
values are strings?

May 16 '07 #1
Share this Question
Share on Google+
11 Replies


P: n/a
jm***@fastermail.com wrote:
I have seen some code like
$value = strval($REQUEST['value']);

I would like to know what is the use of strval here since $_REQUEST
values are strings?
Hi,

$_REQUEST values might as well contain arrays.

Consider this form:
<form action="test.php" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>

When receiving $_POST["bla"] it contains an array.

The programmer wanted to make sure it is a string.

Regards,
Erwin Moller

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.
May 16 '07 #2

P: n/a
At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:
jm***@fastermail.com wrote:
>I have seen some code like
$value = strval($REQUEST['value']);

I would like to know what is the use of strval here since $_REQUEST
values are strings?
>
PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.
Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
Security issue?

Sh.

May 16 '07 #3

P: n/a
I would guess they are just being redundant.
You're right $_REQUEST is a string (most PHP variables are).
So converting a string to a string is pointless.

May 16 '07 #4

P: n/a
On May 16, 1:17 pm, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
j...@fastermail.com wrote:
I have seen some code like
$value = strval($REQUEST['value']);
I would like to know what is the use of strval here since $_REQUEST
values are strings?

Hi,

$_REQUEST values might as well contain arrays.

Consider this form:
<form action="test.php" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>

When receiving $_POST["bla"] it contains an array.

The programmer wanted to make sure it is a string.

Regards,
Erwin Moller

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.
But as per documentation
http://us.php.net/manual/en/function.strval.php

strval can only be used on scalars
using strval on arrays has no effect.
the programmer should have used is_string if its a string

May 17 '07 #5

P: n/a
On May 16, 3:05 pm, Schraalhans Keukenmeester <inva...@invalid.spam>
wrote:
At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:
j...@fastermail.com wrote:
I have seen some code like
$value = strval($REQUEST['value']);
I would like to know what is the use of strval here since $_REQUEST
values are strings?
PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
Security issue?

Sh.
This is more similar to a type checking issue and not security.
$_REQUEST can be either a get, a post, or a cookie variable. There are
circumstances where its more convenient to use $_REQUEST, like if you
have to call a certain script using either get or post method.

May 17 '07 #6

P: n/a
jm***@fastermail.com wrote:
On May 16, 3:05 pm, Schraalhans Keukenmeester <inva...@invalid.spam>
wrote:
>At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:
j...@fastermail.com wrote:
>I have seen some code like
$value = strval($REQUEST['value']);
>I would like to know what is the use of strval here since $_REQUEST
values are strings?
PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
Security issue?

Sh.

This is more similar to a type checking issue and not security.
$_REQUEST can be either a get, a post, or a cookie variable. There are
circumstances where its more convenient to use $_REQUEST, like if you
have to call a certain script using either get or post method.
Yes, excactly what I ment.
A little more elaborated explanation:
Problem with $_REQUEST is that it gets populated (virtually I think) from
POST GET COOKIE.
If you KNOW what you are receiving, use the right array.

And yes, I have been in circumstances in which it was convienient for me to
use $_REQUEST, but not often.

It is more a check for the programmer than a security issue.
A silly example:
I expect from a form-posting the name 'example1', but in the form I wrote
'exmple1'.
If I have a cookie in use named 'example1' or in my URL something like:
http://www.example.com/test.php?example1=45

Then using $_REQUEST will fill retrieve the 'example' name/value pair from
the wrong place.
That is why I advise using the superglobal you KNOW you are using.

SO it is not really a security issue (because everybody should check info
from cookie, get and post anyway), but more a line of protection against
coding/thinking mistakes.

just my 2 cent..

Regards,
Erwin Moller

May 17 '07 #7

P: n/a
jm***@fastermail.com wrote:
On May 16, 1:17 pm, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
>j...@fastermail.com wrote:
I have seen some code like
$value = strval($REQUEST['value']);
I would like to know what is the use of strval here since $_REQUEST
values are strings?

Hi,

$_REQUEST values might as well contain arrays.

Consider this form:
<form action="test.php" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>

When receiving $_POST["bla"] it contains an array.

The programmer wanted to make sure it is a string.

Regards,
Erwin Moller

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

But as per documentation
http://us.php.net/manual/en/function.strval.php

strval can only be used on scalars
using strval on arrays has no effect.
the programmer should have used is_string if its a string
good point.
Kind of useless action indeed.

Regards,
Erwin Moller
May 17 '07 #8

P: n/a
On May 16, 1:17 pm, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
j...@fastermail.com wrote:
I have seen some code like
$value = strval($REQUEST['value']);
I would like to know what is the use of strval here since $_REQUEST
values are strings?

Hi,

$_REQUEST values might as well contain arrays.

Consider this form:
<form action="test.php" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>

When receiving $_POST["bla"] it contains an array.

The programmer wanted to make sure it is a string.

Regards,
Erwin Moller

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.
strval works only on scalar values. Using it on arrays has no effect.
is_string() should be the function to be used to determine if a value
is string. strval just casts values into strings. Casting a string
into a string is meaningless.
There are some instances where $_REQUEST can be more convenient than
using $_POST and $_GET like for example where you have a script that
is called by either get or post method

May 17 '07 #9

P: n/a
SterLo <st***************@gmail.comwrote:
I would guess they are just being redundant.
You're right $_REQUEST is a string (most PHP variables are).
So converting a string to a string is pointless.
As far as I know, $_GET $_POST and $_REQUEST are associative arrays
whose elements can be:

- unset (i.e. undefined)

- a string of arbitrary bytes, ranging from 0 up to max(memory_limit,
post_max_size, some_web_server_limit)

- an array of any combination of strings and arrays of strings with
arbitrary keys.

Consider these examples:

1) www.mysite.com/test.php?a=x%00%01x
$_GET['a'] becomes an unexpected "x%5C0%01x"
(here the string is urlencoded() for readability; note the "0" after "%5C")

2) www.mysite.com/test.php?a[]=xxx
$_GET['a'] becomes array(0=>"xxx")

3) www.mysite.com/test.php?a[one]=xxx&a[1]=yyy
$_GET['a'] becomes array("one"=>"xxx", 1=>"yyy"))
(note the keys "one" and 1)

4) www.mysite.com/test.php?a[3]=xxx&a[2][0]=yyy&a[-1]=zzz
$_GET['a'] becomes array(3=>"xxx", 2=>array(0=>"yyy"), -1=>"zzz")

5) www.mysite.com/test.php
$_GET['a'] is not set

The same holds for the $_POST and $_REQUEST arrays.

If all that involves some security issue or not, it depends on how all these
values are handled by your program. An array can be evaluated as "Array"
when a string is expected, and can be evaluated as 0 if a number is expected.
Some functions of the standard library behave differently depending on the
value they receive, be it a string or an array. Some test for validation
may fail. For example, for the case 3:

strlen($_GET['a']) gives always 5 for any array.

$_GET['a'] + 1 gives 1 for any array

preg_match("/^\\w\$/", $_GET['a']) raises an error and return false

$somearray[ $_GET['a'] ] always select the element of key "Array"

....and so on, with more and more unexpected behaviors and oddities.

The solution: build your own functions/classes that validate and sanitize
every type of input. As a base rule:

A) Most of the received parameters are (should be...) strings. Apply
a (string) type-cast:

$s = (string) $_GET['a'];

then remove control chars and check proper encoding (ISO-..., UTF-8, etc.).

B) <textarea>: as for A, but \t \r and \n should be preserved.

C) Numbers: if a little integer number is expected, apply the (int) type-cast
then check the range:

$i = (int) $_GET['a'];
$i = min( max($i, SOME_MIN), SOME_MAX );

Otherwise, if the number is a monetary value (example: "1,234.99") convert
to string and apply preg_match() with a proper REGEX, something like:

$a = trim( (string) $_POST['a'] );
if( preg_match("/^[0-9]+(,[0-9]{3})*(\\.[0-9]+)?\$/", $a ) === 1 ){
# ok, now remove commas then use BCMath or GMP for calculations
} else {
# BAD
}

D) <select multiple>: more difficult to validate. Check the received array
be actually an array, then copy every value in another array converting
every element to string or to int, depending on the expected type; ignore
duplicated values:

$a = $_POST['a'];
$a_sanitized = array();
if( is_array($a) ){
foreach($a as $v){
$i = (int) $v;
if( array_search($i, $a_sanitized) === FALSE )
$a_sanitized[] = $i;
}
}
# Here: check the values $a_sanitized[] be valid, for example they
# may be compared againts good values saved in the session, or in a
# hidden field protected with HMAC.

Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it

May 17 '07 #10

P: n/a
jmark wrote:
I have seen some code like
$value = strval($REQUEST['value']);

I would like to know what is the use of strval here since $_REQUEST
values are strings?
It may just be for readability -- anyone skimming through the code could
instantly see that $value is intended to be a string, and not, say, an
integer.

--
Toby A Inkster BSc (Hons) ARCS
http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux
May 18 '07 #11

P: n/a
On May 17, 9:56 am, Umberto Salsi <s...@icosaedro.italiawrote:
SterLo <sterling.hamil...@gmail.comwrote:
I would guess they are just being redundant.
You're right $_REQUESTis a string (most PHP variables are).
So converting a string to a string is pointless.

As far as I know, $_GET $_POST and $_REQUESTare associative arrays
whose elements can be:

- unset (i.e. undefined)

- a string of arbitrary bytes, ranging from 0 up to max(memory_limit,
post_max_size, some_web_server_limit)

- an array of any combination of strings and arrays of strings with
arbitrary keys.

Consider these examples:

1)www.mysite.com/test.php?a=x%00%01x
$_GET['a'] becomes an unexpected "x%5C0%01x"
(here the string is urlencoded() for readability; note the "0" after "%5C")

2)www.mysite.com/test.php?a[]=xxx
$_GET['a'] becomes array(0=>"xxx")

3)www.mysite.com/test.php?a[one]=xxx&a[1]=yyy
$_GET['a'] becomes array("one"=>"xxx", 1=>"yyy"))
(note the keys "one" and 1)

4)www.mysite.com/test.php?a[3]=xxx&a[2][0]=yyy&a[-1]=zzz
$_GET['a'] becomes array(3=>"xxx", 2=>array(0=>"yyy"), -1=>"zzz")

5)www.mysite.com/test.php
$_GET['a'] is not set

The same holds for the $_POST and $_REQUESTarrays.

If all that involves some security issue or not, it depends on how all these
values are handled by your program. An array can be evaluated as "Array"
when a string is expected, and can be evaluated as 0 if a number is expected.
Some functions of the standard library behave differently depending on the
value they receive, be it a string or an array. Some test for validation
may fail. For example, for the case 3:

strlen($_GET['a']) gives always 5 for any array.

$_GET['a'] + 1 gives 1 for any array

preg_match("/^\\w\$/", $_GET['a']) raises an error and return false

$somearray[ $_GET['a'] ] always select the element of key "Array"

...and so on, with more and more unexpected behaviors and oddities.

The solution: build your own functions/classes that validate and sanitize
every type of input. As a base rule:

A) Most of the received parameters are (should be...) strings. Apply
a (string) type-cast:

$s = (string) $_GET['a'];

then remove control chars and check proper encoding (ISO-..., UTF-8, etc.).

B) <textarea>: as for A, but \t \r and \n should be preserved.

C) Numbers: if a little integer number is expected, apply the (int) type-cast
then check the range:

$i = (int) $_GET['a'];
$i = min( max($i, SOME_MIN), SOME_MAX );

Otherwise, if the number is a monetary value (example: "1,234.99") convert
to string and apply preg_match() with a proper REGEX, something like:

$a = trim( (string) $_POST['a'] );
if( preg_match("/^[0-9]+(,[0-9]{3})*(\\.[0-9]+)?\$/", $a ) === 1 ){
# ok, now remove commas then use BCMath or GMP for calculations

} else {
# BAD
}

D) <select multiple>: more difficult to validate. Check the received array
be actually an array, then copy every value in another array converting
every element to string or to int, depending on the expected type; ignore
duplicated values:

$a = $_POST['a'];
$a_sanitized = array();
if( is_array($a) ){
foreach($a as $v){
$i = (int) $v;
if( array_search($i, $a_sanitized) === FALSE )
$a_sanitized[] = $i;
}}

# Here: check the values $a_sanitized[] be valid, for example they
# may be compared againts good values saved in the session, or in a
# hidden field protected with HMAC.

Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it
Thank you Umberto for your detail information. The answer as you have
pointed out is on sanitization

May 18 '07 #12

This discussion thread is closed

Replies have been disabled for this discussion.