The following type of comparison in sanitizeInputValues() is used to ascertain if a string value is actually a string:
if(is_int($value) || $value==(int)$value) $ok = true;
However, the following comparisons are true at least in PHP 5.2.10:
"1%6" == 1```
"3ab4" == 3```
Apparently the typecasting engine always returns the first "number" part of the string, regardless of the rest; if the first character is not a number, the return will be 0.
I suggest the following modification to solve the issue:
if(is_int($value) || (string)$value==(string)((int)$value)) $ok = true;
This will assure that the comparisons will not be made between a string and an integer directly, thus avoiding the bug.
Keywords: sanitizeInputValues, getRequestVar, sanitize, int, string
Since $_GET and $_POST values are strings, don't is_int() and is_float() always fail?
Could we simplify this? Is there a preference in terms of readability and/or performance?
if(is_numeric($value) && is_int((int)$value)) $ok = true; if((string)$value == (string)(int)$value) $ok = true;
scratch my example
What about this?
if(is_numeric($value) && ($value == (string)(int)$value)) $ok = true;
Ok, the is_numeric() appears to be redundant and a waste of CPU cycles...
In , fix detection of malformed 'integer' and 'float' values