
For example we create a form

<input class="k_nip_3" name="k_nip" placeholder=""  type="text" value="" />

and we create a rule (min. 5 chars):

if (isset($_POST['k_nip'][4])) // now correct*

But our user is clever and manipulates our form.

Create and send:

<input class="k_nip_3" name="k_nip[5]" placeholder=""  type="text" value="aa" />

And

isset($_POST['k_nip'][5])

accepts this.

How can I best avoid this situation?

Bart
Jan Czarny
  • something wrong with strlen()? –  Feb 15 '12 at 19:41
  • It's not a clear trick; due to its limitations it's a poor alternative. And if its speed difference affects your site, you have much bigger issues to worry about. –  Feb 15 '12 at 19:46

2 Answers


So what is wrong with

if (isset($_POST['k_nip']) && strlen($_POST['k_nip']) >= 5)
sberry
    Yeah, I'm not sure why the original poster doesn't want to use strlen? – crush Feb 15 '12 at 19:41
  • isset is faster than strlen: http://stackoverflow.com/questions/6955913/isset-vs-strlen-a-fast-clear-string-length-calculation And I tried with this trick, and found a problem with arrays – Jan Czarny Feb 15 '12 at 19:41
  • I think he's looking for a test on the 5th element: `isset($_POST['k_nip'][5]) && strlen($_POST['k_nip'][5]) >= 5)` but I'd have to agree with your answer otherwise, no better way to do it. – phatskat Feb 15 '12 at 19:42
  • Have you benchmarked the difference? http://www.codinghorror.com/blog/2009/01/the-sad-tragedy-of-micro-optimization-theater.html – sberry Feb 15 '12 at 19:42
    @JanCzarny: You really shouldn't be worrying about speed unless you're comparing a million strings, or really long strings. With strings 5 characters long, the difference is probably not noticeable. – gen_Eric Feb 15 '12 at 19:43
  • @phatskat: `$_POST['k_nip']` is a string, not an array. The problem is if the user edits the HTML, thus making it an array. – gen_Eric Feb 15 '12 at 19:43
  • He's looking to make sure there is a character in the 6th position. Which actually would make his rule need to be `isset($_POST['k_nip'][4])`, since the string is 0-indexed. – sberry Feb 15 '12 at 19:44
  • How funny that @codinghorror got me into StackExchange (as more than a place Google would take me) and here it is again : P Also, yes, isset is considerably faster than strlen but there is no reason to ignore strlen as the gains are minimal and, in all likelihood, invisible when processing a form. And what problem with arrays? – phatskat Feb 15 '12 at 19:45
  • @Rocket, OK, but what if we create a page for millions of visits per day? – Jan Czarny Feb 15 '12 at 19:52
    @JanCzarny Use strlen(). Or use Javascript to validate the input (at least as a starting point). Slicing the string at [5] to test length isn't a great idea to begin with, plain and simple. You highlighted why it's a poor practice above in that you _could_ get an array instead of a string and then your `isset` isn't helpful. More robust validation is necessary, but again, I really doubt you're going to have that many people editing the HTML. Doing serious checks for things like XSS are much more important. – phatskat Feb 15 '12 at 19:57
  • @JanCzarny Thanks, hope I didn't come across too overbearing - if you have the right tools, use them :] – phatskat Feb 15 '12 at 20:04
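The following is an added example, not code from the question or from either answer. It builds constructed `$_POST` arrays for the three payloads discussed in this thread (a normal string, the tampered `name="k_nip[...]"` field that arrives as an array, and a too-short string) and compares the offset-based `isset()` rule from the question with a type-checked `strlen()` rule. The question's tampered field used index 5; here the attacker-style index is 4 so that it lines up with the `[4]` rule sberry's comment points out is the correct one for "at least 5 characters". The function names `naiveCheck` and `validNip` are this example's own.

```php
<?php
// Added example, not code from the question or its answers. It simulates
// $_POST for the three payloads discussed above and compares the
// offset-based isset() rule with a type-checked strlen() rule.

// Constructed sample payloads, i.e. what PHP builds from the form field:
//   name="k_nip"    value="aaaaaa"  -> string
//   name="k_nip[4]" value="aa"      -> array, index chosen by the sender
//   name="k_nip"    value="aa"      -> string that is too short
$normal   = ['k_nip' => 'aaaaaa'];
$tampered = ['k_nip' => [4 => 'aa']];
$short    = ['k_nip' => 'aa'];

// The rule from the question: offset 4 exists, so "at least 5 characters".
// isset() does not care whether the container is a string or an array,
// so the tampered payload passes as long as the sender used index 4.
function naiveCheck(array $post): bool
{
    return isset($post['k_nip'][4]);
}

// Hardened rule: refuse anything that is not a string before measuring it.
// strlen() counts bytes; use mb_strlen() if one multi-byte character
// should count as one character.
function validNip(array $post, int $min = 5): bool
{
    $value = $post['k_nip'] ?? null;
    if (!is_string($value)) {
        return false;   // name="k_nip[...]" arrives as an array: reject it
    }
    return strlen($value) >= $min;
}

foreach (['normal' => $normal, 'tampered' => $tampered, 'short' => $short] as $label => $post) {
    printf("%-8s naive=%s strict=%s\n",
        $label,
        naiveCheck($post) ? 'accept' : 'reject',
        validNip($post)   ? 'accept' : 'reject');
}
```

Run as a script, the tampered payload is accepted by `naiveCheck` and rejected by `validNip`; the other two payloads get the same verdict from both. The `is_string()` guard also matters for the accepted answer's `strlen($_POST['k_nip'])`: passing an array to `strlen()` throws a `TypeError` in PHP 8 and emits a warning (returning `null`) in PHP 7, so checking the type first turns that failure mode into a plain rejection.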

With a clever user, you just have to validate it the old-fashioned way, thoroughly; and not go micro-optimising.

Captain Giraffe