[geeklog-devel] COM_applyFilter doesn't accept negative numbers

Vincent Furia vfuria at gmail.com
Wed Feb 23 13:50:54 EST 2005


I just committed a change to COM_applyFilter to accept negative
numbers (but still not 'e' notation or decimal numbers).

-Vinny


On Sat, 19 Feb 2005 22:37:09 +0100, Dirk Haun <dirk at haun-online.de> wrote:
> Vinny,
> 
> >If you call COM_applyFilter($var, true) you run into a problem if $var
> >is negative.  In that case COM_applyFilter will return 0.
> 
> Yep, I noticed this myself some time ago. Someone reported that it wasn't
> possible to disable poll comments and it came down to the same problem. I
> actually worked around it in admin/poll.php now.
> 
> 
> >Notice the preg_match won't match negative numbers.  This is easily
> >fixed
> 
> Good catch.
> 
> 
> >Is there any problem if we allow numbers like 4e4 to be accepted?
> 
> I couldn't see a reason for us to accept large numbers, especially not in
> that notation. Couple that with an unspecified fear of allowing DoS-type
> attacks in some scenarios.
> 
> In other words, there's no comprehensible reason and we should probably
> be doing more sanity checks before accepting large numeric values instead.
> 
> Which reminds me of an observation from this discussion:
> <http://www.geeklog.net/forum/viewtopic.php?showtopic=48299>. I tried to figure
> out how Geeklog could come up with those SQL errors, and it seems if
> someone tries to post a comment as a reply to a nonexistent comment ID,
> we throw an SQL error. Shouldn't Geeklog catch those?
> 
> bye, Dirk
> 
> --
> http://www.haun-online.de/
> http://geeklog.info/
> 
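A minimal PHP illustration of the failure mode and the fix discussed in this thread, written for this archive page and not taken from Geeklog's own COM_applyFilter; the function names, the optional range parameters and the sample inputs are assumptions:

```php
<?php
// Added illustration, not Geeklog's code: a simplified numeric filter in the
// spirit of COM_applyFilter($var, true). The "before" pattern has no sign
// group, so negative input falls through to the default of 0, which is the
// behaviour reported above. The "after" pattern allows an optional leading
// minus but still rejects exponent notation ("4e4") and decimals ("1.5").

function filter_numeric_before(string $var): int
{
    // Digits only: "-1" does not match and the filter returns 0.
    if (preg_match('/^\d+$/', $var)) {
        return (int) $var;
    }
    return 0;
}

function filter_numeric_after(string $var, ?int $min = null, ?int $max = null): int
{
    // Optional sign, then digits. "4e4", "1.5" and "abc" all fail to match.
    if (!preg_match('/^-?\d+$/', $var)) {
        return 0;
    }
    $num = (int) $var;
    // Sanity check in the spirit of the thread: bound the accepted range
    // instead of trusting arbitrarily large values ($min/$max are hypothetical).
    if ($min !== null && $num < $min) {
        return 0;
    }
    if ($max !== null && $num > $max) {
        return 0;
    }
    return $num;
}

// Constructed sample inputs: valid positive, valid negative, exponent
// notation, decimal, non-numeric, and a value outside a caller-chosen range.
$samples = ['42', '-1', '4e4', '1.5', 'abc', '100000'];
foreach ($samples as $s) {
    printf(
        "%-7s before=%-6d after=%-6d bounded(0..9999)=%d\n",
        $s,
        filter_numeric_before($s),
        filter_numeric_after($s),
        filter_numeric_after($s, 0, 9999)
    );
}
```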


