4

I have a page like so:

http://sitename/gallery.php?page=2

It has pagination links at the bottom by which we can browse. Every time the page numbers are clicked, it would send a GET request with parameters page=1 or page=2 and so on ...

When I store these values to $page from the $_GET variable, it is a string value. I can convert it to an integer using (int) like this:

if(!empty($_GET['page'])){
       $page = (int)$_GET['page'];
       echo "Page Number: ".$page;
}

But how can I make sure that the value passed is an integer only and not other crap?

6
  • 1
    Didn't you find this: stackoverflow.com/questions/6416763/… Commented Aug 30, 2012 at 9:54
  • Actually no. Thanks for pointing that out! :) I wasn't aware of the var_dump() Commented Aug 30, 2012 at 10:04
  • What's your reason for wanting to make sure the value is an int? If you are always casting to an int then nothing else can get through... the only reason I can think of would be if you wanted to show an error page when anything else comes through, or if you are planning to also send other data types (other than int) as the value of page? Other than that you don't need to check it's type... Not that I'm against asking the question - just questioning the use in this case... knowledge for knowledge's sake is always good :) Commented Aug 30, 2012 at 10:08
  • It's just that I don't want people to pass in random things like for example: wrwh!@67 - OR something malicious. Commented Aug 30, 2012 at 10:14
  • @maxxon15 - Yes as I thought, in this case, if you only ever access or use the $page variable after you have cast to an int - you need not worry about malicious content... because anything that isn't numeric will be cast to 0. echo (int) '//*&73...\\made_up_nonsense...!'; #will echo 0. It's good to be thinking in this regard however ;) you will not believe the number of scripts out there that allow anything to be passed in and used in scary ways... Commented Aug 30, 2012 at 10:31

9 Answers 9

17

Using filters:

if (null !== ($page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE))) {
    // $page is now an integer
}

This also checks whether the variable appears in the query string at the same time. If you want to differentiate between missing and invalid you have to leave off the last argument to filter_input():

$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT);
// $page can be null (not present), false (present but not valid) or a valid integer

3 Comments

Works! Thanks man! :) Btw, this could have been achieved by filter_var() function too. Right?
@maxxon15 I prefer using filter_input() if I know that the parameter should come from INPUT_GET - otherwise I use filter_var() :)
That clears the use case. :) Thanks for helping out a noobie here!
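
A range-bounded version of the filter approach, as an added example that is not part of the answer above. The helper name `page_from_query()` and the last page number 40 are hypothetical, and the query strings are constructed samples; `min_range` and `max_range` are standard options of `FILTER_VALIDATE_INT`.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not from the answer).
 * Returns a page number in [1, $lastPage]. A missing parameter falls back
 * to page 1; a malformed or out-of-range value returns null so the caller
 * can answer with an error page instead of guessing.
 */
function page_from_query(array $query, int $lastPage): ?int
{
    if (!array_key_exists('page', $query)) {
        return 1;                    // parameter absent: first page
    }
    if (!is_string($query['page'])) {
        return null;                 // ?page[]=2 arrives as an array
    }
    $page = filter_var($query['page'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $lastPage],
    ]);
    return $page === false ? null : $page;
}

// Constructed query strings, parsed the same way PHP populates $_GET.
$samples = ['', 'page=2', 'page=0', 'page=-3', 'page=12.75', 'page=12abc',
            'page=wrwh!@67', 'page[]=2', 'page=999999'];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    printf("%-16s => %s\n", $qs === '' ? '(none)' : $qs,
        var_export(page_from_query($query, 40), true));
}
```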
4

Use filter_var() with the FILTER_VALIDATE_INT filter on it, and check the return value.

1 Comment

Thanks! :D How could I forget the filters! Silly me!
2

Use is_numeric().

is_int() will not work because GET parameters are always strings.

Comments

1

I've left a few comments here and there. Thanks to weak typing, functions like empty and isset tend to be unreliable. The quickest way to check if a parameter is an int or not IMO would be this:

if (array_key_exists('page',$_GET) && ($_GET['page'] == (int) $_GET['page']))

Casting to int and then comparing the respective values will return true only when $_GET['page'] is a valid int. If you want to use strict type comparison for some reason (some do), you could double cast:

if (array_key_exists('page',$_GET) && ($_GET['page'] === (string)((int) $_GET['page'])))

But in this particular case, I can't really see why you would want to do that.

4 Comments

Why not? Is it not a good practice to always check the authenticity of the data that's passed? Btw, I already used the FILTER_VALIDATE_INT as shown in this comment: stackoverflow.com/a/12194343/432720
I don't quite get what you mean by why not?. When I said I can't see why you want to do that, I was referring to the double cast: casting to an int, and back to a string again is, IMO, one operation too many in this example
Oooh! I thought you meant casting to (int) or even choosing this option would be unnecessary! :P Nevermind. But yeah... I agree. That'd really be too much.
@maxxon15: Unless, of course, $_GET['page'] could be an empty string (''), in which case ('' == (int)'') === true while '' == (string)((int)'') === false... sheesh, loose typing, gotta love it :s
1

This is a way to check whether a parameter is an integer or not.

if (is_int((int) $_GET['user_id']) && (int) $_GET['user_id'] != 0) {
    // keep the cast value rather than the raw request string
    $user_id = (int) $_GET['user_id'];
}

Comments

0

Using is_int won't help, probably. All incoming parameters (including $_GET and $_POST) are parsed as strings by PHP. The is_int function checks the datatype, not the value. ctype_digit checks for only digits though:

if(isset($_GET['page']) && ctype_digit($_GET['page'])){
   $page = (int)$_GET['page'];
   echo "Page Number: ".$page;
}

Comments

0
if(!empty($_GET['page']) and is_numeric($_GET['page'])){
       $page = (int)$_GET['page'];
       echo "Page Number: ".$page;
}

is_numeric is probably what you need.

Comments

0

You can also check with

isNAN($_GET['something']);//is_numeric($_GET['something'])

It returns a boolean value (true, false)... if it's true then it is not an integer, if false it's an integer.

4 Comments

Returns true for floats, too: so page=12.7548754 would be valid?
My dear brother, is there any page number with a float number...??? And you have given the page numbers as "page", right..??
It's a GET variable, there's nothing stopping the user from messing with the url parameters, and passing a float. That's, I think, why the OP wants to check if the value of the parameter is an int, rather than a string or float
I have also the same doubt Elias
0
if (isset($_GET['page']) && (($get_page_filtered = filter_var($_GET['page'], FILTER_VALIDATE_INT)) !== FALSE)) {
  $get_page_int = $get_page_filtered;
}

@see https://stackoverflow.com/a/41868665/6758130

Comments
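
The checks proposed across the answers, run side by side over the same inputs, as an added example that is not taken from any of the answers. The input strings are constructed samples (including the float and the junk string mentioned in the comments), and the arrow functions assume PHP 7.4 or later.

```php
<?php
// Added example: each closure returns true when the check from the
// corresponding answer would accept the raw string as a page number.
$checks = [
    '(int) != 0'   => fn(string $v): bool => (int) $v !== 0,
    'is_numeric'   => fn(string $v): bool => is_numeric($v),
    'ctype_digit'  => fn(string $v): bool => ctype_digit($v),
    'VALIDATE_INT' => fn(string $v): bool =>
        filter_var($v, FILTER_VALIDATE_INT) !== false,
];

// Constructed sample values for ?page=...
$inputs = ['2', '007', '-3', '12.7548754', '1e3', '12abc', '', 'wrwh!@67'];

// Header row: one column per check.
printf("%-14s", 'input');
foreach (array_keys($checks) as $name) {
    printf("%-14s", $name);
}
echo "\n";

// One row per input, showing which checks let it through.
foreach ($inputs as $input) {
    printf("%-14s", var_export($input, true));
    foreach ($checks as $check) {
        printf("%-14s", $check($input) ? 'accept' : 'reject');
    }
    echo "\n";
}
```

Rows where the columns disagree are the cases to decide on explicitly: whether signs, leading zeros, floats and exponent notation should count as valid page numbers.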
