i want to save my website from url injection for that purpose i am using the following line to call another page with an integer id as an parameter here's the code
'<button onclick=window.location.href="admin_leadbox2.php?id=' + alert(typeof(parseInt(data[i].client_id))) + '">VIEW DETAILS</button>';
the alert is showing me that infact the data being passed in the url is a number
now when i get the id from the url and check its type in php it is giving me an string here's the php code
$id=$_REQUEST["id"];
echo "<script>console.log('".gettype($id)."')</script>";
i know that i can convert the string received in the url into integer like i did in javascript to do my work but for my case to prevent url injection i only want to receive an integer type data! what is the problem? thanks in advance
i want to save my website from url injection for that purpose i am using the following line to call another page with an integer id as an parameter here's the code
'<button onclick=window.location.href="admin_leadbox2.php?id=' + alert(typeof(parseInt(data[i].client_id))) + '">VIEW DETAILS</button>';
the alert is showing me that infact the data being passed in the url is a number
now when i get the id from the url and check its type in php it is giving me an string here's the php code
$id=$_REQUEST["id"];
echo "<script>console.log('".gettype($id)."')</script>";
i know that i can convert the string received in the url into integer like i did in javascript to do my work but for my case to prevent url injection i only want to receive an integer type data! what is the problem? thanks in advance
Share Improve this question edited Oct 28, 2016 at 11:11 uneeb asked Oct 28, 2016 at 11:09 uneebuneeb 891 silver badge11 bronze badges 9- 1 It's meant to be a string. Hence it's known as a query string – Clyde Lobo Commented Oct 28, 2016 at 11:11
- cant i just pass an integer? look at this article derby-web-design-agency.co.uk/blog-post/… – uneeb Commented Oct 28, 2016 at 11:12
- no. you can cast it to integer in your php code - when you get it from $_GET – krasipenkov Commented Oct 28, 2016 at 11:12
- Possible duplicate of Validating whether $_REQUEST contents is an int – Clyde Lobo Commented Oct 28, 2016 at 11:14
- 1 By the way, it doesn't matter what gets passed in the query string as your users / visitors will probably be able to manipulate it. You always need validadion on the server side. – jeroen Commented Oct 28, 2016 at 11:17
1 Answer
Reset to default 4A URL is a string. A URL, or query parameters within it, has no types. Here, this is what your URL looks like:
admin_leadbox2.php?id=42
This is all the information that the puter has too. There's no hidden flag to mark "42" as an integer. It's just the characters 4 and 2. In a string. No different from "42foo", which would quite obviously be a string.