strval $_REQUEST

**Erwin Moller** · May 16 '07, 06:25 PM

Re: strval $_REQUEST

jmark@fastermai l.com wrote:

I have seen some code like
$value = strval($REQUEST['value']);
>
I would like to know what is the use of strval here since $_REQUEST
values are strings?

Hi,

$_REQUEST values might as well contain arrays.

Consider this form:
<form action="test.ph p" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>

When receiving $_POST["bla"] it contains an array.

The programmer wanted to make sure it is a string.

Regards,
Erwin Moller

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

**Schraalhans Keukenmeester** · May 16 '07, 08:15 PM

Re: strval $_REQUEST

At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:

jmark@fastermai l.com wrote:
>

>I have seen some code like
>$value = strval($REQUEST['value']);
>>
>I would like to know what is the use of strval here since $_REQUEST
>values are strings?

>
PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
Security issue?

Sh.

**SterLo** · May 16 '07, 11:35 PM

Re: strval $_REQUEST

I would guess they are just being redundant.
You're right $_REQUEST is a string (most PHP variables are).
So converting a string to a string is pointless.

**jmark@fastermail.com** · May 17 '07, 02:15 AM

Re: strval $_REQUEST

On May 16, 1:17 pm, Erwin Moller
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

j...@fastermail .com wrote:

I have seen some code like
$value = strval($REQUEST['value']);

>

I would like to know what is the use of strval here since $_REQUEST
values are strings?

>
Hi,
>
$_REQUEST values might as well contain arrays.
>
Consider this form:
<form action="test.ph p" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>
>
When receiving $_POST["bla"] it contains an array.
>
The programmer wanted to make sure it is a string.
>
Regards,
Erwin Moller
>
PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

But as per documentation

PHP: strval - Manual

http://us.php.net/manual/en/function.strval.php

Get string value of a variable

strval can only be used on scalars
using strval on arrays has no effect.
the programmer should have used is_string if its a string

**jmark@fastermail.com** · May 17 '07, 02:25 AM

Re: strval $_REQUEST

On May 16, 3:05 pm, Schraalhans Keukenmeester <inva...@invali d.spam>
wrote:

At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:
>

j...@fastermail .com wrote:

>

I have seen some code like
$value = strval($REQUEST['value']);

>

I would like to know what is the use of strval here since $_REQUEST
values are strings?

>

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

>
Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
Security issue?
>
Sh.

This is more similar to a type checking issue and not security.
$_REQUEST can be either a get, a post, or a cookie variable. There are
circumstances where its more convenient to use $_REQUEST, like if you
have to call a certain script using either get or post method.

**Erwin Moller** · May 17 '07, 08:55 AM

Re: strval $_REQUEST

jmark@fastermai l.com wrote:

On May 16, 3:05 pm, Schraalhans Keukenmeester <inva...@invali d.spam>
wrote:

>At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:
>>

j...@fastermail .com wrote:

>>

>I have seen some code like
>$value = strval($REQUEST['value']);

>>

>I would like to know what is the use of strval here since $_REQUEST
>values are strings?

>>

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

>>
>Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
>Security issue?
>>
>Sh.

>
This is more similar to a type checking issue and not security.
$_REQUEST can be either a get, a post, or a cookie variable. There are
circumstances where its more convenient to use $_REQUEST, like if you
have to call a certain script using either get or post method.

Yes, excactly what I ment.
A little more elaborated explanation:
Problem with $_REQUEST is that it gets populated (virtually I think) from
POST GET COOKIE.
If you KNOW what you are receiving, use the right array.

And yes, I have been in circumstances in which it was convienient for me to
use $_REQUEST, but not often.

It is more a check for the programmer than a security issue.
A silly example:
I expect from a form-posting the name 'example1', but in the form I wrote
'exmple1'.
If I have a cookie in use named 'example1' or in my URL something like:

Example Domain

http://www.example.com/test.php?example1=45

Then using $_REQUEST will fill retrieve the 'example' name/value pair from
the wrong place.
That is why I advise using the superglobal you KNOW you are using.

SO it is not really a security issue (because everybody should check info
from cookie, get and post anyway), but more a line of protection against
coding/thinking mistakes.

just my 2 cent..

Regards,
Erwin Moller

**Erwin Moller** · May 17 '07, 08:55 AM

Re: strval $_REQUEST

jmark@fastermai l.com wrote:

On May 16, 1:17 pm, Erwin Moller
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

>j...@fastermai l.com wrote:

I have seen some code like
$value = strval($REQUEST['value']);

>>

I would like to know what is the use of strval here since $_REQUEST
values are strings?

>>
>Hi,
>>
>$_REQUEST values might as well contain arrays.
>>
>Consider this form:
><form action="test.ph p" Method="POST">
><input type="checkbox" name="bla[]" value="1">1<br>
><input type="checkbox" name="bla[]" value="2">2<br>
><input type="checkbox" name="bla[]" value="3">3<br>
></form>
>>
>When receiving $_POST["bla"] it contains an array.
>>
>The programmer wanted to make sure it is a string.
>>
>Regards,
>Erwin Moller
>>
>PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

>
But as per documentation

PHP: strval - Manual

http://us.php.net/manual/en/function.strval.php

Get string value of a variable

>
strval can only be used on scalars
using strval on arrays has no effect.
the programmer should have used is_string if its a string

good point.
Kind of useless action indeed.

Regards,
Erwin Moller

**jmark@fastermail.com** · May 17 '07, 12:05 PM

Re: strval $_REQUEST

On May 16, 1:17 pm, Erwin Moller
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

j...@fastermail .com wrote:

I have seen some code like
$value = strval($REQUEST['value']);

>

I would like to know what is the use of strval here since $_REQUEST
values are strings?

>
Hi,
>
$_REQUEST values might as well contain arrays.
>
Consider this form:
<form action="test.ph p" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>
</form>
>
When receiving $_POST["bla"] it contains an array.
>
The programmer wanted to make sure it is a string.
>
Regards,
Erwin Moller
>
PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

strval works only on scalar values. Using it on arrays has no effect.
is_string() should be the function to be used to determine if a value
is string. strval just casts values into strings. Casting a string
into a string is meaningless.
There are some instances where $_REQUEST can be more convenient than
using $_POST and $_GET like for example where you have a script that
is called by either get or post method

**Umberto Salsi** · May 17 '07, 03:05 PM

Re: strval $_REQUEST

SterLo <sterling.hamil ton@gmail.comwr ote:

I would guess they are just being redundant.
You're right $_REQUEST is a string (most PHP variables are).
So converting a string to a string is pointless.

As far as I know, $_GET $_POST and $_REQUEST are associative arrays
whose elements can be:

- unset (i.e. undefined)

- a string of arbitrary bytes, ranging from 0 up to max(memory_limi t,
post_max_size, some_web_server _limit)

- an array of any combination of strings and arrays of strings with
arbitrary keys.

Consider these examples:

1) www.mysite.com/test.php?a=x%00%01x
$_GET['a'] becomes an unexpected "x%5C0%01x"
(here the string is urlencoded() for readability; note the "0" after "%5C")

2) www.mysite.com/test.php?a[]=xxx
$_GET['a'] becomes array(0=>"xxx")

3) www.mysite.com/test.php?a[one]=xxx&a[1]=yyy
$_GET['a'] becomes array("one"=>"x xx", 1=>"yyy"))
(note the keys "one" and 1)

4) www.mysite.com/test.php?a[3]=xxx&a[2][0]=yyy&a[-1]=zzz
$_GET['a'] becomes array(3=>"xxx", 2=>array(0=>"yy y"), -1=>"zzz")

5) www.mysite.com/test.php
$_GET['a'] is not set

The same holds for the $_POST and $_REQUEST arrays.

If all that involves some security issue or not, it depends on how all these
values are handled by your program. An array can be evaluated as "Array"
when a string is expected, and can be evaluated as 0 if a number is expected.
Some functions of the standard library behave differently depending on the
value they receive, be it a string or an array. Some test for validation
may fail. For example, for the case 3:

strlen($_GET['a']) gives always 5 for any array.

$_GET['a'] + 1 gives 1 for any array

preg_match("/^\\w\$/", $_GET['a']) raises an error and return false

$somearray[ $_GET['a'] ] always select the element of key "Array"

....and so on, with more and more unexpected behaviors and oddities.

The solution: build your own functions/classes that validate and sanitize
every type of input. As a base rule:

A) Most of the received parameters are (should be...) strings. Apply
a (string) type-cast:

$s = (string) $_GET['a'];

then remove control chars and check proper encoding (ISO-..., UTF-8, etc.).

B) <textarea>: as for A, but \t \r and \n should be preserved.

C) Numbers: if a little integer number is expected, apply the (int) type-cast
then check the range:

$i = (int) $_GET['a'];
$i = min( max($i, SOME_MIN), SOME_MAX );

Otherwise, if the number is a monetary value (example: "1,234.99") convert
to string and apply preg_match() with a proper REGEX, something like:

$a = trim( (string) $_POST['a'] );
if( preg_match("/^[0-9]+(,[0-9]{3})*(\\.[0-9]+)?\$/", $a ) === 1 ){
# ok, now remove commas then use BCMath or GMP for calculations
} else {
# BAD
}

D) <select multiple>: more difficult to validate. Check the received array
be actually an array, then copy every value in another array converting
every element to string or to int, depending on the expected type; ignore
duplicated values:

$a = $_POST['a'];
$a_sanitized = array();
if( is_array($a) ){
foreach($a as $v){
$i = (int) $v;
if( array_search($i , $a_sanitized) === FALSE )
$a_sanitized[] = $i;
}
}
# Here: check the values $a_sanitized[] be valid, for example they
# may be compared againts good values saved in the session, or in a
# hidden field protected with HMAC.

Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it

**Toby A Inkster** · May 18 '07, 09:05 AM

Re: strval $_REQUEST

jmark wrote:

I have seen some code like
$value = strval($REQUEST['value']);
>
I would like to know what is the use of strval here since $_REQUEST
values are strings?

It may just be for readability -- anyone skimming through the code could
instantly see that $value is intended to be a string, and not, say, an
integer.

--
Toby A Inkster BSc (Hons) ARCS

Fast Withdrawal Casino UK 2025 – Online Casinos for Instant Payouts

http://tobyinkster.co.uk/

Fast withdrawal casino UK 2025 – Play now & cash out instantly! Discover the top sites for rapid, secure payouts with no delays.

Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux

**jmark@fastermail.com** · May 18 '07, 08:25 PM

Re: strval $_REQUEST

On May 17, 9:56 am, Umberto Salsi <s...@icosaedro .italiawrote:

SterLo <sterling.hamil ...@gmail.comwr ote:

I would guess they are just being redundant.
You're right $_REQUESTis a string (most PHP variables are).
So converting a string to a string is pointless.

>
As far as I know, $_GET $_POST and $_REQUESTare associative arrays
whose elements can be:
>
- unset (i.e. undefined)
>
- a string of arbitrary bytes, ranging from 0 up to max(memory_limi t,
post_max_size, some_web_server _limit)
>
- an array of any combination of strings and arrays of strings with
arbitrary keys.
>
Consider these examples:
>
1)www.mysite.com/test.php?a=x%00%01x
$_GET['a'] becomes an unexpected "x%5C0%01x"
(here the string is urlencoded() for readability; note the "0" after "%5C")
>
2)www.mysite.com/test.php?a[]=xxx
$_GET['a'] becomes array(0=>"xxx")
>
3)www.mysite.com/test.php?a[one]=xxx&a[1]=yyy
$_GET['a'] becomes array("one"=>"x xx", 1=>"yyy"))
(note the keys "one" and 1)
>
4)www.mysite.com/test.php?a[3]=xxx&a[2][0]=yyy&a[-1]=zzz
$_GET['a'] becomes array(3=>"xxx", 2=>array(0=>"yy y"), -1=>"zzz")
>
5)www.mysite.com/test.php
$_GET['a'] is not set
>
The same holds for the $_POST and $_REQUESTarrays .
>
If all that involves some security issue or not, it depends on how all these
values are handled by your program. An array can be evaluated as "Array"
when a string is expected, and can be evaluated as 0 if a number is expected.
Some functions of the standard library behave differently depending on the
value they receive, be it a string or an array. Some test for validation
may fail. For example, for the case 3:
>
strlen($_GET['a']) gives always 5 for any array.
>
$_GET['a'] + 1 gives 1 for any array
>
preg_match("/^\\w\$/", $_GET['a']) raises an error and return false
>
$somearray[ $_GET['a'] ] always select the element of key "Array"
>
...and so on, with more and more unexpected behaviors and oddities.
>
The solution: build your own functions/classes that validate and sanitize
every type of input. As a base rule:
>
A) Most of the received parameters are (should be...) strings. Apply
a (string) type-cast:
>
$s = (string) $_GET['a'];
>
then remove control chars and check proper encoding (ISO-..., UTF-8, etc.).
>
B) <textarea>: as for A, but \t \r and \n should be preserved.
>
C) Numbers: if a little integer number is expected, apply the (int) type-cast
then check the range:
>
$i = (int) $_GET['a'];
$i = min( max($i, SOME_MIN), SOME_MAX );
>
Otherwise, if the number is a monetary value (example: "1,234.99") convert
to string and apply preg_match() with a proper REGEX, something like:
>
$a = trim( (string) $_POST['a'] );
if( preg_match("/^[0-9]+(,[0-9]{3})*(\\.[0-9]+)?\$/", $a ) === 1 ){
# ok, now remove commas then use BCMath or GMP for calculations
>
} else {
# BAD
}
>
D) <select multiple>: more difficult to validate. Check the received array
be actually an array, then copy every value in another array converting
every element to string or to int, depending on the expected type; ignore
duplicated values:
>
$a = $_POST['a'];
$a_sanitized = array();
if( is_array($a) ){
foreach($a as $v){
$i = (int) $v;
if( array_search($i , $a_sanitized) === FALSE )
$a_sanitized[] = $i;
}}
>
# Here: check the values $a_sanitized[] be valid, for example they
# may be compared againts good values saved in the session, or in a
# hidden field protected with HMAC.
>
Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it

Thank you Umberto for your detail information. The answer as you have
pointed out is on sanitization

strval $_REQUEST

strval $_REQUEST

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment