[geeklog-devel] COM_applyFilter doesn't accept negative numbers
Vincent Furia
vfuria at gmail.com
Wed Feb 23 13:50:54 EST 2005
I just committed a change to COM_applyFilter to accept negative
numbers (but still not 'e' notation or decimal numbers).
-Vinny
On Sat, 19 Feb 2005 22:37:09 +0100, Dirk Haun <dirk at haun-online.de> wrote:
> Vinny,
>
> >If you call COM_applyFilter($var, true) you run into a problem if $var
> >is negative. In that case COM_applyFilter will return 0.
>
> Yep, I noticed this myself some time ago. Someone reported that it wasn't
> possible to disable poll comments and it came down to the same problem. I
> actually worked around it in admin/poll.php now.
>
>
> >Notice the preg_match won't match negative numbers. This is easily
> >fixed
>
> Good catch.
>
>
> >Is there any problem if we allow numbers like 4e4 to be accepted?
>
> I couldn't see a reason for us to accept large numbers, especially not in
> that notation. Couple that with an unspecified fear of allowing DoS-type
> attacks in some scenarios.
>
> In other words, there's no comprehensible reason and we should probably
> be doing more sanity checks before accepting large numeric values instead.
>
> Which reminds me of an observation from this discussion:
> <http://www.geeklog.net/forum/viewtopic.php?showtopic=48299>. I tried to figure
> out how Geeklog could come up with those SQL errors, and it seems if
> someone tries to post a comment as a reply to a nonexistent comment ID,
> we throw an SQL error. Shouldn't Geeklog catch those?
>
> bye, Dirk
>
> --
> http://www.haun-online.de/
> http://geeklog.info/
>
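An illustrative PHP sketch of the filter behaviour discussed in this thread, added here as an example; it is not Geeklog's actual COM_applyFilter code, and the function names and test values are made up for the demonstration:

```php
<?php
// Illustrative only: mimics the numeric branch of a filter like
// COM_applyFilter($var, true). Function names are placeholders.

// Buggy variant: is_numeric() happily accepts "-1", but the anchored
// digit-only pattern does not, so every negative value collapses to 0.
function filter_numeric_buggy(string $p): int
{
    if (!is_numeric($p) || !preg_match('/^[0-9]+$/', $p)) {
        return 0;
    }
    return (int) $p;
}

// Fixed variant: an optional leading "-" is allowed, everything else must
// be a digit. The regex is the real gate: is_numeric() on its own would
// also admit exponent notation ("4e4") and decimals ("1.5"), which the
// thread agrees should still be rejected.
function filter_numeric_fixed(string $p): int
{
    if (!is_numeric($p) || !preg_match('/^-?[0-9]+$/', $p)) {
        return 0;
    }
    // Caveat for the "large numbers" concern raised in the thread: a very
    // long digit string still passes the regex, and the (int) cast then
    // saturates at PHP_INT_MAX, so callers that need an upper bound must
    // range-check the result themselves.
    return (int) $p;
}

// Constructed sample inputs covering the cases the thread mentions.
$cases = ['5', '-1', '4e4', '1.5', '12abc'];
foreach ($cases as $c) {
    printf("%-8s buggy=%d fixed=%d\n",
        var_export($c, true),
        filter_numeric_buggy($c),
        filter_numeric_fixed($c));
}
```

Running it shows '-1' becoming 0 under the buggy variant and -1 under the fixed one, while '4e4', '1.5' and '12abc' yield 0 in both.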