WordPress.org
Get WordPress

Make WordPress Core

Opened 18 years ago

Closed 16 years ago

#4762 closed enhancement (fixed)

new function: absint()

Reported by: markjaquith's profile markjaquith Owned by: markjaquith's profile markjaquith
Milestone: 2.8 Priority: normal
Severity: normal Version: 2.3
Component: Security Keywords: int security needs-patch
Focuses: Cc:

Description

There were a few bugs whereby things were being cast to ints and providing a negative int would mess up a query (for instance, with SQL LIMITs). We accept negative ints for post IDs (temporarily), but in all other places that Matt or I could think of, we use positive integers.

function absint($string) {
	return abs(intval($string));
}

We'd then convert all instances of intval() or (int) casting to use absint() (minus post IDs).

Objections? Thoughts?

Attachments (1)

4762.diff (533 bytes) - added by ruckus 17 years ago.
absint doesn't exist yet

Download all attachments as: .zip

Change History (18)

#1 @markjaquith
18 years ago

  • Component changed from Administration to Security
  • Keywords int security added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

#2 @matt
18 years ago

+1 megapatch.

#3 @markjaquith
18 years ago

(In [6222]) Introducing absint() for casting to an absolute integer. see #4762

#4 @DD32
17 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed
  • Type changed from task to enhancement

#5 follow-up: @lloydbudd
17 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Re-opening for markjaquith to close. He might be planning on using that function before closing this ticket.

#6 in reply to: ↑ 5 @DD32
17 years ago

Replying to lloydbudd:

Re-opening for markjaquith to close. He might be planning on using that function before closing this ticket.

Apologies for stepping on anyones toes.

absint() has been put into use in several places (comment/post/taxonomy/functions .php)

#7 @westi
17 years ago

(In [6682]) Switch from abs(intval()) to absint(). See #4762.

@ruckus
17 years ago

absint doesn't exist yet

#9 @ruckus
17 years ago

The absint() function doesn't exist this early, so need to use abs(intval()).

While there, made both sides of the comparison to use abs(intval()) for identical treatment of the non-integer values (e.g. 8M or 32M).

#10 @ruckus
17 years ago

Err, "this early" == in wp-settings.php

#11 @ruckus
17 years ago

  • Cc ruckus added

#12 follow-up: @ryan
17 years ago

(In [6684]) absint is not defined yet. see #4762

#13 in reply to: ↑ 12 @westi
17 years ago

Replying to ryan:

(In [6684]) absint is not defined yet. see #4762

/me slaps wrist... that what I get for doing the change when I'm tired :-(

#14 @westi
17 years ago

  • Keywords needs-patch added

The only place we don't use this now where we have abs(intval()) instead is in wp-settings.php where it is too early and not defined.

There are a number of places where we only use intval() though but these need to be checked carefully so moving to 2.6 for the remaining changes and marking as needs-patch

#15 @ffemtcj
17 years ago

  • Milestone changed from 2.5 to 2.6

#16 @Denis-de-Bernardy
16 years ago

could we close this one as fixed?

#17 @Denis-de-Bernardy
16 years ago

  • Milestone changed from 2.9 to 2.8
  • Resolution set to fixed
  • Status changed from reopened to closed

fixed a while ago

Note: See TracTickets for help on using tickets.