#2741 (Cheating the sfNumberValidator.)

Ticket #2741 (closed defect: fixed)

Opened 1 year ago

Last modified 11 months ago

Reported by: Andrejs.Verza
Assigned to: fabien
Priority: minor
Milestone: 1.0.12
Component: validation
Version: 1.0.11
Keywords: sfNumberValidator
Cc:
Qualification: Ready for core team

Description

Let's see what we have here (a fragment of the /validate/x.yml):

sfNumberValidator:
  nan_error:     Not a number.
  min:           3
  min_error:     I beg you dont enter ZERO.
  max:           5
  max_error:     I hate ZERO.

... and let's enter any number in hexadecimal, for example 0xFE, which gets over the "is_numeric" function easily in the validator, because it is numeric, but later in the validator code it gets evaluated like this: (int)$value, ... resulting in ZERO, which of course I hate! :)))

Attachments

sfNumberValidatorHexadecimal.class.php.patch (1.8 kB) - added by Carl.Vondrick on 02/23/08 03:15:17.
Possible solution for sfNumberValidator to reject hexadecimal.

Change History

02/22/08 07:22:54 changed by Carl.Vondrick

  • qualification changed from Unreviewed to Design decision.

What should be the intended behavior?

  1. hexadecimal is allowed and cast to decimal
  2. hexadecimal is rejected

02/22/08 08:13:12 changed by fabien

I think we need to reject hexadecimals.

02/22/08 10:16:50 changed by Markus.Staab

The contents should be validated using ctype_digit(), not is_numeric().

See http://php.net/ctype_digit

02/22/08 16:03:28 changed by Carl.Vondrick

Actually, ctype_digit will not allow decimal numbers:

ctype_digit(42) === true
ctype_digit(2.718) === false

which, I think, should be supported. The immediate solution is to use the regular expression:

/^\d+(\.\d+)?$/

But, the solution probably should be hooked into sfI18n because some cultures use a comma as the decimal separator and some use a period as the decimal separator.
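
The mismatch discussed in this ticket, as an added example that is not part of the ticket, the attached patch or the symfony source: a check that gates on is_numeric() and then casts with (int), next to a check that accepts only the regular expression quoted above. The function names and sample inputs are constructed, and the D modifier on the pattern is an addition made here.

```php
<?php
// Added example for ticket #2741. Not the symfony source and not the attached
// patch; function names and sample inputs are constructed for illustration.

// Flow as described in the ticket: is_numeric() gate, then an (int) cast for
// the range test. On PHP 5, is_numeric('0xFE') is true but (int)'0xFE' is 0,
// so the gate and the cast disagree. PHP 7.0 stopped treating hex strings as
// numeric, but is_numeric() still accepts more than plain decimal notation.
function looseNumberCheck($value, $min, $max)
{
    if (!is_numeric($value)) {
        return 'nan_error';
    }
    return rangeResult((int) $value, $min, $max);
}

// Strict variant: only the decimal syntax of the regular expression quoted in
// the thread is accepted. The D modifier is an addition here: without it, "$"
// also matches just before a trailing newline.
function strictNumberCheck($value, $min, $max)
{
    if (!is_string($value) || !preg_match('/^\d+(\.\d+)?$/D', $value)) {
        return 'nan_error';
    }
    return rangeResult((float) $value, $min, $max);
}

function rangeResult($n, $min, $max)
{
    if ($n < $min) {
        return 'min_error';
    }
    if ($n > $max) {
        return 'max_error';
    }
    return 'ok';
}

// Constructed inputs, checked against min: 3 / max: 5 from the YAML fragment.
$samples = array('4', '4.5', '0xFE', '1e3', ' 4', "4\n", '-4');
foreach ($samples as $s) {
    printf("%-8s loose=%-10s strict=%s\n", json_encode($s),
        looseNumberCheck($s, 3, 5), strictNumberCheck($s, 3, 5));
}
```

Running it on the PHP version a deployment actually uses shows which inputs the two checks disagree on there, since is_numeric() and string-to-number casts changed between PHP 5 and PHP 7.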

02/23/08 03:15:17 changed by Carl.Vondrick

  • attachment sfNumberValidatorHexadecimal.class.php.patch added.

Possible solution for sfNumberValidator to reject hexadecimal.

02/23/08 03:16:46 changed by Carl.Vondrick

  • version changed from 1.0.10 to 1.0.11.
  • qualification changed from Design decision to Ready for core team.

A patch is attached. I don't think there is a simple way to hook this into sfI18N.

02/23/08 14:09:29 changed by fabien

You can commit the patch for 1.0 and 1.1 (sfCompat10Plugin). Thanks.

02/23/08 19:36:02 changed by Carl.Vondrick

  • status changed from new to closed.
  • resolution set to fixed.

In r7589 and r7590.

02/27/08 15:56:09 changed by fabien

  • milestone set to 1.0.12.