03-20-2008, 01:34 PM   #1
quantumkangaroo (The Contributor)
Join Date: Feb 2008
Location: Pretoria, South Africa
Posts: 42
Thanks: 1

Easy Peasy Variable Validation

Doing validation, whether it is for security purposes or just validating user input, is very easy without using regex.

Let's take a look at our variables

PHP Code:
$integer = 12345;
$float = 123.45;
$string = 'this is a string';
$null = NULL;
$bool = TRUE;
$array = array('Blue', 'Purple', 'Green');
For an explanation of each variable, this post should help: TalkPHP - Variables for Beginners

Now let's validate our variables; we'll start by validating them with is_numeric()

PHP Code:
is_numeric($integer); // Returns True
is_numeric($float); // Returns True
is_numeric($string); // Returns False
is_numeric($null); // Returns False
is_numeric($bool); // Returns False
is_numeric($array); // Returns False 
As you can see, is_numeric() checks if the value of the variable is numeric. Now let's move on to is_float()

PHP Code:
is_float($integer); // Returns False
is_float($float); // Returns True
is_float($string); // Returns False
is_float($null); // Returns False
is_float($bool); // Returns False
is_float($array); // Returns False 
This checks to see if the variable is a valid float; isDecimalNumber() could also be used for this kind of validation. Moving on to is_string()

PHP Code:
is_string($integer); // Returns False
is_string($float); // Returns False
is_string($string); // Returns True
is_string($null); // Returns False
is_string($bool); // Returns False
is_string($array); // Returns False (an array is not a string)
is_string() checks to see if the variables are valid strings; these variables would only be valid strings if they had quotes '' or "". Let's see what happens with is_null()

PHP Code:
is_null($integer); // Returns False
is_null($float); // Returns False
is_null($string); // Returns False
is_null($null); // Returns True
is_null($bool); // Returns False
is_null($array); // Returns False 
It checks to see if the value of the specified variable is NULL: if it is, it returns True; if not, it returns False. Now we're going to look at is_bool()

PHP Code:
is_bool($integer); // Returns False
is_bool($float); // Returns False
is_bool($string); // Returns False
is_bool($null); // Returns False
is_bool($bool); // Returns True
is_bool($array); // Returns False 
Last but not least here is is_array()

PHP Code:
is_array($integer); // Returns False
is_array($float); // Returns False
is_array($string); // Returns False
is_array($null); // Returns False
is_array($bool); // Returns False
is_array($array); // Returns True 
Here it checks to see if the given variable is a valid array. Well, that about wraps it up for variable validation; there are more functions to use when it comes to validation, but we will go into those later.
__________________
virtueCart v1.0.5 developed by WebDevSA


Last edited by quantumkangaroo : 03-20-2008 at 03:08 PM.
03-20-2008, 02:18 PM   #2
Salathe (Moderator)
Join Date: Apr 2007
Posts: 1,393
Thanks: 5

Quote: Originally Posted by quantumkangaroo
... just validating user input is very easy ...
Thanks for the write-up, I just have a couple of things to point out. When accepting user input from the superglobals like $_GET/POST, the variable will always be a string, always.

PHP Code:
// URI: mypage.php?test=moo&foo=123.45&bar=false

/*
  dumping the $_GET variable will tell us:
    array(3) {
      ["test"] => string(3) "moo"
      ["foo"]  => string(6) "123.45"
      ["bar"]  => string(5) "false"
    }
*/

var_dump($_GET);
So be careful about using the is_* functions mentioned above blindly on user input as they might not behave precisely how you expect. For example, from the sample above, $_GET['foo'] is not a float and $_GET['bar'] is not boolean.

Also, the information provided about is_bool is incorrect. The function checks the data type of the variable so only $bool would return TRUE, the others would all return FALSE (go check for yourself).

It is also worth mentioning that is_numeric checks whether the variable is a number or a numeric string. For example, the following are all numeric but you might not want to allow them: "0123", "0xFF", "+123.4567e8".
03-20-2008, 03:05 PM   #3
quantumkangaroo (The Contributor)
Join Date: Feb 2008
Location: Pretoria, South Africa
Posts: 42
Thanks: 1

Hehe, sorry for that, I should have worded the post a little differently. Yes, is_numeric would check for any numeric value in a given string or variable, so fsda342 would be True.

Of course, for user input you could always use str_replace to remove the quotes, and thus you have a clean value. I didn't include this, but here is an example.

PHP Code:
$pid = $_GET['pid'];
$replace = '"';
// strip double quotes from the request value before checking it
$pid = str_replace($replace, "", $pid);
if (is_numeric($pid)) {
    // What you want to do
}

That should fix that issue. Now on to the bool: it always gives me a true value; I have spoken to a few people who also have this same problem.
__________________
virtueCart v1.0.5 developed by WebDevSA

03-20-2008, 03:30 PM   #4
Salathe (Moderator)
Join Date: Apr 2007
Posts: 1,393
Thanks: 5

I don't know if we're running different versions of PHP or something but I can't seem to correlate what you say with my results from sample code. is_numeric('fsda342') will return false, it's quite obvious that that string isn't a representation of a number. As for the user input comments, I only wrapped the values in quotes to denote that they were indeed strings rather than their integer/float counterparts.

As for is_bool, I've never had a problem with it and after a quick search I can't see any bugs filed for the function always returning true and it's certainly not expected behaviour. Does anyone else here have the same results?
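The points raised in posts #2 through #4 (request values always arrive as strings, is_numeric() accepts forms such as "0123" and "+123.4567e8", stripping quotes with str_replace does not change a value's type, and is_numeric('fsda342') is false) can be seen side by side in the following added example. It is not code from any poster in this thread; it assumes PHP 7.1 or later (for the nullable return type), and $sampleGet and requestPositiveInt() are constructed stand-ins for $_GET and a hypothetical validation helper so the script runs offline.

```php
<?php
// Added example for this thread (not code from any poster). Assumes PHP 7.1+.
// $sampleGet is a constructed stand-in for $_GET so the script runs offline;
// in a real request you would pass $_GET itself.

// What $_GET would hold for the constructed query string
//   mypage.php?pid=42&foo=123.45&bar=false&hex=0xFF&oct=0123&exp=%2B123.4567e8&junk=fsda342
$sampleGet = [
    'pid'  => '42',
    'foo'  => '123.45',
    'bar'  => 'false',
    'hex'  => '0xFF',
    'oct'  => '0123',
    'exp'  => '+123.4567e8',
    'junk' => 'fsda342',
];

/**
 * Strict check for an id-like request parameter (hypothetical helper).
 * Returns the value as an int, or null when it is missing, is not a string
 * (e.g. ?pid[]=1 arrives as an array), or is not a plain decimal integer >= 1.
 * FILTER_VALIDATE_INT rejects "123.45", "0123", "0xFF", "+123.4567e8" and
 * "fsda342", whereas is_numeric() accepts several of those.
 */
function requestPositiveInt(array $request, string $key): ?int
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    $int = filter_var(
        $request[$key],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $int === false ? null : $int;
}

// Compare the thread's is_* checks with the strict validator for every value.
foreach ($sampleGet as $key => $value) {
    printf(
        "%-4s %-13s is_string=%s is_float=%s is_bool=%s is_numeric=%s strict=%s\n",
        $key,
        var_export($value, true),
        is_string($value)  ? 'T' : 'F',
        is_float($value)   ? 'T' : 'F',
        is_bool($value)    ? 'T' : 'F',
        is_numeric($value) ? 'T' : 'F',
        var_export(requestPositiveInt($sampleGet, $key), true)
    );
}
```

Run from the command line with `php example.php`: every value reports is_string=T and is_float=F, is_bool=F, because they are all strings regardless of what they look like; is_numeric() is true for '42', '123.45', '0123' and '+123.4567e8' (and for '0xFF' on PHP 5, since hexadecimal numeric strings stopped being recognised in PHP 7), while only 'pid' survives the strict check.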