
I want to save my website from URL injection. For that purpose I am using the following line to call another page with an integer id as a parameter. Here's the code:

'<button onclick=window.location.href="admin_leadbox2.php?id=' + alert(typeof(parseInt(data[i].client_id))) + '">VIEW DETAILS</button>';

The alert shows me that in fact the data being passed in the URL is a number. Now when I get the id from the URL and check its type in PHP, it gives me a string. Here's the PHP code:

$id=$_REQUEST["id"];
echo "<script>console.log('".gettype($id)."')</script>";

I know that I can convert the string received in the URL into an integer like I did in JavaScript to do my work, but in my case, to prevent URL injection, I only want to receive integer-type data! What is the problem? Thanks in advance.

uneeb
    It's meant to be a string. Hence it's known as a query string – Clyde Lobo Oct 28 '16 at 11:11
  • Can't I just pass an integer? Look at this article http://www.derby-web-design-agency.co.uk/blog-post/what-is-and-how-to-prevent-url-injections-in-php/11/ – uneeb Oct 28 '16 at 11:12
  • No. You can cast it to integer in your PHP code when you get it from $_GET – krasipenkov Oct 28 '16 at 11:12
  • Possible duplicate of [Validating whether $_REQUEST contents is an int](http://stackoverflow.com/questions/8701540/validating-whether-request-contents-is-an-int) – Clyde Lobo Oct 28 '16 at 11:14
  • Alright! How can I compare it? Like, I am receiving the id from the URL and then fetching some data from the DB. All I want to do is, whenever anything other than an integer id is entered in the URL, it should log out. How can I differentiate if the URL has admin_leadbox2.php?id=42 or admin_leadbox2.php?id=abc? – uneeb Oct 28 '16 at 11:16
  • @uneeb That's a terrible article, ignore it immediately. – deceze Oct 28 '16 at 11:16
  • By the way, it doesn't matter what gets passed in the query string as your users / visitors will probably be able to manipulate it. You always need validation on the server side. – jeroen Oct 28 '16 at 11:17
  • @jeroen No, I'm not; I just used it to show the syntax and output of how I am getting the type – uneeb Oct 28 '16 at 11:20
  • @ClydeLobo Your article did the work, thanks man – uneeb Oct 28 '16 at 11:21

1 Answer

A URL is a string. A URL, or query parameters within it, has no types. Here, this is what your URL looks like:

admin_leadbox2.php?id=42

This is all the information that the computer has too. There's no hidden flag to mark "42" as an integer. It's just the characters 4 and 2. In a string. No different from "42foo", which would quite obviously be a string.

deceze
  • Alright! How can I compare it? Like, I am receiving the id from the URL and then fetching some data from the DB. All I want to do is, whenever anything other than an integer id is entered in the URL, it should log out. How can I differentiate if the URL has admin_leadbox2.php?id=42 or admin_leadbox2.php?id=abc? – uneeb Oct 28 '16 at 11:15
  • 1) [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) 2) [How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174/476) 3) [Validating whether $_REQUEST contents is an int](http://stackoverflow.com/questions/8701540/validating-whether-request-contents-is-an-int) – deceze Oct 28 '16 at 11:17
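The answer's point is that the query string carries only characters, so the server has to decide for itself whether `id` is an acceptable integer before using it. The following PHP is an added example, not code from the question or the answer: it validates the raw `$_GET['id']` with `filter_var()` and `FILTER_VALIDATE_INT`, applies the asker's stated policy (anything that is not an integer id ends the session), and binds the validated integer into a prepared statement. The `leads` table, the `login.php` page and the `$db` PDO connection are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Validate an "id" taken from the query string. Returns an int on success,
// or null when the value is anything other than a positive integer.
// filter_var() does the parsing: it rejects "abc", "42foo", "1e3", "",
// leading zeros such as "007", and (via min_range) zero and negatives.
function validate_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Policy from the question: a non-integer id ends the session and sends
// the visitor to the login page (login.php is an assumed page name).
function reject_request(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_destroy();
    header('Location: login.php');
    exit;
}

// Fetch the record with a prepared statement: the validated id is bound
// as a parameter instead of being concatenated into the SQL text.
// The "leads" table and its columns are assumed for this example.
function fetch_lead(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM leads WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, run from the command line to show what
    // validate_id() accepts and rejects.
    foreach (['42', ' 42', 'abc', '42foo', '0', '-1', '007', '1e3', ''] as $sample) {
        printf("%-8s => %s\n", var_export($sample, true), var_export(validate_id($sample), true));
    }
} else {
    // Request handling for admin_leadbox2.php. $_GET is read instead of
    // $_REQUEST so that a cookie or POST field cannot supply the id.
    $id = validate_id($_GET['id'] ?? null);
    if ($id === null) {
        reject_request();
    }
    // $db is assumed to be an existing PDO connection created elsewhere.
    // $lead = fetch_lead($db, $id);
}
```

Of the constructed samples only `'42'` and `' 42'` come back as the integer 42 (FILTER_VALIDATE_INT trims surrounding whitespace); every other one is `NULL`, which is exactly the distinction between `id=42` and `id=abc` the asker wants. Note that the check is still separate from the database access: even a validated integer is bound with `PDO::PARAM_INT` rather than interpolated, which is the second of the three links in the comment above.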