
I have some checkboxes that can be checked. They look like

<input type="checkbox" name="order[123]" value="1">

Now I am checking the form data and I filter the ids in the order array this way, before I look them up in the database.

$orderids = preg_grep('/^\d+$/', array_keys($_POST['order']));

Is there a more efficient way of doing this?

Bernhard
  • Could `$_POST['order']` ever not be numerical? – Darren Feb 09 '17 at 00:11
  • No, in a normal situation it is numeric. These are ids out of a database. But I check the ids for being valid in case anyone tries to play around with the visible code. – Bernhard Feb 09 '17 at 00:16
  • Hrm, good point. You do have options like `$orderids = array_filter(array_keys($_POST['order']), 'is_numeric');` if you so choose to, but what you're doing doesn't seem too expensive. – Darren Feb 09 '17 at 00:22
  • Yeah, it's a little shorter, so I think I will keep my variant. Thanks for your help, Darren! – Bernhard Feb 09 '17 at 00:24

1 Answer


Using regex, you are ensuring no malicious strings are used, but not checking for viability in the database. (e.g. order[999999999999999999999999] would pass regex, but not be useful in the db.)

The truest validation would be to run them against your database-borne ids using array_intersect.

   // keep only the submitted keys that also appear in the list of ids loaded from the database
   $valid_ids = array_intersect(array_keys($_POST['order']), $db_orderids_array);
mickmackusa
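The following is an added example, not code from the question or the answer above. It combines the two ideas on this page, a well-formedness check on the checkbox keys and an intersection against the ids known to the database, and goes one step further by fetching the rows with a prepared statement so the ids never become part of the SQL text. It uses `filter_var` with `FILTER_VALIDATE_INT` instead of `preg_grep('/^\d+$/')`, which also rejects the 24-digit id the answer mentions (it does not fit in an integer) and normalises a key such as `"123\n"`, which the regex accepts because PCRE's `$` matches before a final newline. The `$pdo` connection, the `orders` table with its `id` and `status` columns, and the sample `$post` array are all assumptions made for the example.

```php
<?php
// Added example: validate checkbox ids from a form before hitting the database.
// Assumes a PDO connection $pdo and a table "orders" with integer column "id";
// both are hypothetical and not taken from the original question.

/**
 * Return only the keys of $post['order'] that are well-formed integer ids.
 * Anything that is not a positive integer within PHP's int range is dropped,
 * so "-1", "0", "1 OR 1=1" and 24-digit strings never reach the database.
 */
function wellFormedOrderIds(array $post): array
{
    if (!isset($post['order']) || !is_array($post['order'])) {
        return [];                       // order[] missing, or tampered into a scalar
    }
    $ids = [];
    foreach (array_keys($post['order']) as $key) {
        // FILTER_VALIDATE_INT trims surrounding whitespace, rejects "1e3", hex
        // and anything outside PHP_INT range; min_range drops 0 and negatives.
        $id = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Keep only ids that actually exist in the caller's list of database ids
 * (the array_intersect idea from the answer above), using an integer lookup
 * instead of array_intersect's string comparison.
 */
function knownOrderIds(array $wellFormedIds, array $dbOrderIds): array
{
    $lookup = array_fill_keys($dbOrderIds, true);
    return array_values(array_filter(
        $wellFormedIds,
        fn (int $id) => isset($lookup[$id])
    ));
}

/**
 * Fetch the orders with a prepared statement, one placeholder per id, so the
 * ids are bound as integers and never interpolated into the SQL string.
 */
function fetchOrders(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, status FROM orders WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input standing in for $_POST: two real checkboxes plus
// several tampered keys an attacker could submit by editing the form.
$post = [
    'order' => [
        123 => '1',
        456 => '1',
        "123\n" => '1',                        // passes /^\d+$/; here it is normalised to 123 and deduplicated
        '999999999999999999999999' => '1',     // passes /^\d+$/ but does not fit in an integer
        '-1' => '1',
        '1 OR 1=1' => '1',
    ],
];
$dbOrderIds = [100, 123, 456, 789];             // constructed; in practice loaded from the database

$valid = knownOrderIds(wellFormedOrderIds($post), $dbOrderIds);
var_dump($valid);
// $orders = fetchOrders($pdo, $valid);        // needs a real PDO connection
```

Of the six submitted keys in the sample, only the two that are both well-formed and present in `$dbOrderIds` survive; the rest are discarded before any query is built. If the known ids are not already in memory, the same shape works with the intersection done by the database instead: bind the well-formed ids into the `IN (...)` query and let unknown ids simply return no row.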