Home/ Questions/Q 8022057
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T22:09:49+00:00

There are multiple ways of converting a string to an integer. $someString = substr($input,

  • 0

There are multiple ways of converting a string to an integer.

$someString = substr($input, strripos($input, "_") + 1);
$i = $someString + 0;
$i = (int) $someString;
$i = intval($someString);

$someString comes from use input, so that might have to be taken into consideration. Which option is “better” or has the most negative side-effects? (i.e. performance-wise, security-wise)

$input can look something like 1_abcd_1 or 1_abcd_2. That is quite fixed — except for the abcd which is made up in this example. This input comes from radio buttons, but a user can always alter their data if they want to. Thus, I have to account for malicious data.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Since the input is being cast to a number, there’s no security issues. Performance differences are negligible. However, the first one may not produce an integer in certain cases.

    For example, let $input = '19.99';. 

    $i = $someString + 0;    // $i = 19.99

    The other two cases are equivalent, but $i = (int) $someString; averages approximately 56% faster than $i = intval($someString);. Since both execute in a matter of milliseconds, performance differences are generally negligible unless they occur in a sizable loop. 

    $i = (int) $someString;      // $i = 9
$i = intval($someString);    // $i = 9

    On the matter of security: if you expect $input to always be in a specific form (e.g. #_xxxx_#), then you should verify that it is in that format. Expanding on Jack’s comment — if you’re using PHP >= 5.2.0, you can check the format of the input using a regular expression. 

    <?php
$input = '1_abcd_1';

// Set the desired format
$filter_options = array(
    'options' => array(
        // choose a regular expression that matches your format
        'regexp' => '/^[\d]_[a-z]{4}_[\d]$/'
    )
);

$format = filter_var($input, FILTER_VALIDATE_REGEXP, $filter_options);
if ($format !== false) {
    // process input
    $someString = substr($format, strripos($format, "_") + 1);
    $i = (int) $someString;
    echo '$i = ', $i;
} else {
    // Handle invalid format
    echo 'Malformed data. Potentially malicious';
}
?>

    This will completely reject things like:

    0xfe
bob
j_xtyz_5
1_wxyz_22
21_abcd_1
1_Abcd_2

    Naturally, you would adjust the regular expression to your needs.

    See also:

    If you’re not using PHP >= 5.2.0, you can use preg_match. 

    <?php
$input = '1_abcd_2';

$valid = preg_match('/^[\d]_[a-z]{4}_[\d]$/', $input);
if ($valid) {
    // process input
    $someString = substr($input, strripos($input, "_") + 1);
    $i = (int) $someString;
    echo '$i = ', $i;
} else {
    // Handle invalid format
    echo 'Malformed data. Potentially malicious';
}
?>

    Validating the format of the input let’s you know immediately if the data has been tampered with. Then you can act accordingly.

    • 0