0

i want to save my website from url injection for that purpose i am using the following line to call another page with an integer id as an parameter here's the code

'<button onclick=window.location.href="admin_leadbox2.php?id=' + alert(typeof(parseInt(data[i].client_id))) + '">VIEW DETAILS</button>';

the alert is showing me that infact the data being passed in the url is a number
now when i get the id from the url and check its type in php it is giving me an string here's the php code

$id=$_REQUEST["id"];
echo "<script>console.log('".gettype($id)."')</script>";

i know that i can convert the string received in the url into integer like i did in javascript to do my work but for my case to prevent url injection i only want to receive an integer type data! what is the problem? thanks in advance

Improve this question
9
  • 1
    It's meant to be a string. Hence it's known as a query string Commented Oct 28, 2016 at 11:11
  • cant i just pass an integer? look at this article derby-web-design-agency.co.uk/blog-post/… Commented Oct 28, 2016 at 11:12
  • no. you can cast it to integer in your php code - when you get it from $_GET Commented Oct 28, 2016 at 11:12
  • Possible duplicate of Validating whether $_REQUEST contents is an int Commented Oct 28, 2016 at 11:14
  • 1
    By the way, it doesn't matter what gets passed in the query string as your users / visitors will probably be able to manipulate it. You always need validadion on the server side. Commented Oct 28, 2016 at 11:17

1 Answer 1

Reset to default
4

A URL is a string. A URL, or query parameters within it, has no types. Here, this is what your URL looks like:

admin_leadbox2.php?id=42

This is all the information that the computer has too. There's no hidden flag to mark "42" as an integer. It's just the characters 4 and 2. In a string. No different from "42foo", which would quite obviously be a string.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

alright! how can i compare it? like i am receiving the id from the url and the fetching some data from db all i want to do is whether anything other than integer id is entered in the url it should logout how can i differenciate if the url has admin_leadbox2.php?id=42 or admin_leadbox2.php?id=abc

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.