strval $_REQUEST

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I have seen some code like
$value  = strval($REQUEST['value']);

I would like to know what is the use of strval here since $_REQUEST
values are strings?

Re: strval $_REQUEST wrote:

Quoted text here. Click to load it


$_REQUEST values might as well contain arrays.

Consider this form:
<form action="test.php" Method="POST">
<input type="checkbox" name="bla[]" value="1">1<br>
<input type="checkbox" name="bla[]" value="2">2<br>
<input type="checkbox" name="bla[]" value="3">3<br>

When receiving $_POST["bla"] it contains an array.

The programmer wanted to make sure it is a string.

Erwin Moller

PS: I think you should avoid $_REQUEST. Just use $_POST and $_GET.

Re: strval $_REQUEST

At Wed, 16 May 2007 20:17:07 +0200, Erwin Moller let his monkeys type:

Quoted text here. Click to load it

Erwin, what's wrong with using $_REQUEST instead of $_GET / $_POST ?
Security issue?


Re: strval $_REQUEST

Quoted text here. Click to load it

This is more similar to a type checking issue and not security.
$_REQUEST can be either a get, a post, or a cookie variable. There are
circumstances where its more convenient to use $_REQUEST, like if you
have to call a certain script using either get or post method.

Re: strval $_REQUEST wrote:

Quoted text here. Click to load it

Yes, excactly what I ment.
A little more elaborated explanation:
Problem with $_REQUEST is that it gets populated (virtually I think) from  
If you KNOW what you are receiving, use the right array.

And yes, I have been in circumstances in which it was convienient for me to  
use $_REQUEST, but not often.

It is more a check for the programmer than a security issue.
A silly example:
I expect from a form-posting the name 'example1', but in the form I wrote  
If I have a cookie in use named 'example1' or in my URL something like:

Then using $_REQUEST will fill retrieve the 'example' name/value pair from  
the wrong place.
That is why I advise using the superglobal you KNOW you are using.

SO it is not really a security issue (because everybody should check info  
from cookie, get and post anyway), but more a line of protection against  
coding/thinking mistakes.

just my 2 cent..

Erwin Moller

Re: strval $_REQUEST

On May 16, 1:17 pm, Erwin Moller
Quoted text here. Click to load it

But as per documentation

strval can only be used on scalars
using strval on arrays has no effect.
the programmer should have used is_string if its a string

Re: strval $_REQUEST wrote:

Quoted text here. Click to load it

good point.
Kind of useless action indeed.

Erwin Moller

Re: strval $_REQUEST

On May 16, 1:17 pm, Erwin Moller
Quoted text here. Click to load it

strval works only on scalar values. Using it on arrays has no effect.
is_string() should be the function to be used to determine if a value
is string. strval just casts values into strings. Casting a string
into a string is meaningless.
There are some instances where $_REQUEST can be more convenient than
using $_POST and $_GET like for example where you have a script that
is called by either get or post method

Re: strval $_REQUEST

I would guess they are just being redundant.
You're right $_REQUEST is a string (most PHP variables are).
So converting a string to a string is pointless.

Re: strval $_REQUEST

Quoted text here. Click to load it

As far as I know, $_GET $_POST and $_REQUEST are associative arrays
whose elements can be:

- unset (i.e. undefined)

- a string of arbitrary bytes, ranging from 0 up to max(memory_limit,
post_max_size, some_web_server_limit)

- an array of any combination of strings and arrays of strings with
arbitrary keys.

Consider these examples:

   $_GET['a'] becomes an unexpected "x%5C0%01x"
   (here the string is urlencoded() for readability; note the "0" after "%5C")

   $_GET['a'] becomes array(0=>"xxx")
   $_GET['a'] becomes array("one"=>"xxx", 1=>"yyy"))
   (note the keys "one" and 1)

   $_GET['a'] becomes array(3=>"xxx", 2=>array(0=>"yyy"), -1=>"zzz")

   $_GET['a'] is not set

The same holds for the $_POST and $_REQUEST arrays.

If all that involves some security issue or not, it depends on how all these
values are handled by your program. An array can be evaluated as "Array"
when a string is expected, and can be evaluated as 0 if a number is expected.
Some functions of the standard library behave differently depending on the
value they receive, be it a string or an array. Some test for validation
may fail. For example, for the case 3:

    strlen($_GET['a']) gives always 5 for any array.

    $_GET['a'] + 1 gives 1 for any array

    preg_match("/^\w$/", $_GET['a']) raises an error and return false

    $somearray[ $_GET['a'] ] always select the element of key "Array"

...and so on, with more and more unexpected behaviors and oddities.

The solution: build your own functions/classes that validate and sanitize
every type of input. As a base rule:

A) Most of the received parameters are (should be...) strings. Apply
a (string) type-cast:

$s = (string) $_GET['a'];

then remove control chars and check proper encoding (ISO-..., UTF-8, etc.).

B) <textarea>: as for A, but \t \r and \n should be preserved.

C) Numbers: if a little integer number is expected, apply the (int) type-cast
then check the range:

$i = (int) $_GET['a'];
$i = min( max($i, SOME_MIN), SOME_MAX );

Otherwise, if the number is a monetary value (example: "1,234.99") convert
to string and apply preg_match() with a proper REGEX, something like:

$a = trim( (string) $_POST['a'] );
if( preg_match("/^[0-9]+(,[0-9])*(\.[0-9]+)?$/", $a ) === 1 ){
    # ok, now remove commas then use BCMath or GMP for calculations
} else {
    # BAD

D) <select multiple>: more difficult to validate. Check the received array
be actually an array, then copy every value in another array converting
every element to string or to int, depending on the expected type; ignore
duplicated values:

$a = $_POST['a'];
$a_sanitized = array();
if( is_array($a) ){
    foreach($a as $v){
        $i = (int) $v;
        if( array_search($i, $a_sanitized) === FALSE )
            $a_sanitized[] = $i;
# Here: check the values $a_sanitized[] be valid, for example they
# may be compared againts good values saved in the session, or in a
# hidden field protected with HMAC.

/_|_\  Umberto Salsi

Re: strval $_REQUEST

Quoted text here. Click to load it

Thank you Umberto for your detail information. The answer as you have
pointed out is on sanitization

Re: strval $_REQUEST

jmark wrote:

Quoted text here. Click to load it

It may just be for readability -- anyone skimming through the code could
instantly see that $value is intended to be a string, and not, say, an

Toby A Inkster BSc (Hons) ARCS
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux

Site Timeline