Reputation: 109
I'm sure someone has asked this before, but I just can't find a similar post.
How necessary is it to validate an ID field from the $_GET variable? I'm using is_numeric() to make sure I'm at least getting a number, but am I just adding unnecessary code?
e.g.
www.test.com/user.php?user_id=5
if (isset($_GET['user_id']) && is_numeric($_GET['user_id'])) {
    // PDO query for user information
}
Is the is_numeric() necessary?
Is there a possibility of an attack by changing user_id in the address?
Upvotes: 1
Views: 635
Reputation: 500
If you don't want to use prepared statements, PDO::quote should be the correct function:
Returns a quoted string that is theoretically safe to pass into an SQL statement.
Upvotes: 1
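To make the difference between the three options in this thread concrete (string interpolation, PDO::quote, and a prepared statement), here is an added example that is not part of the question or of any answer. It builds its own in-memory SQLite table with constructed rows so it runs offline; the function names are made up for the demo.

```php
<?php
// Added example, not code from the original post. Shows why an unescaped
// user_id from the query string is exploitable and how PDO::quote and a
// prepared statement each close the hole. The SQLite database, table and
// rows below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (5, 'alice'), (6, 'bob'), (7, 'carol')");

/** Vulnerable: the raw query-string value is pasted into the SQL text. */
function fetchUnsafe(PDO $pdo, string $userId): array
{
    $sql = "SELECT user_id, name FROM users WHERE user_id = $userId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Escaped with PDO::quote: whatever was typed becomes one string literal. */
function fetchQuoted(PDO $pdo, string $userId): array
{
    $sql = 'SELECT user_id, name FROM users WHERE user_id = ' . $pdo->quote($userId);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared statement: the value is sent as a parameter, never as SQL text. */
function fetchPrepared(PDO $pdo, string $userId): array
{
    $stmt = $pdo->prepare('SELECT user_id, name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and what an attacker would type into the URL.
$inputs = ['5', '5 OR 1=1'];
foreach ($inputs as $input) {
    printf("input %-12s unsafe=%d row(s)  quoted=%d row(s)  prepared=%d row(s)\n",
        var_export($input, true),
        count(fetchUnsafe($pdo, $input)),
        count(fetchQuoted($pdo, $input)),
        count(fetchPrepared($pdo, $input)));
}
```

With the input `5 OR 1=1` the unsafe version's WHERE clause becomes `user_id = 5 OR 1=1` and returns all three rows; the quoted and prepared versions compare the column against the literal text and return none. Note that PDO::quote always produces a string literal, so the comparison then depends on the database's string-to-number conversion; a prepared statement lets you validate first and bind with PDO::PARAM_INT, which avoids that dependency altogether.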
Reputation: 173642
If you want to properly validate an integer before performing the query, you should use filter_input(); the outcome is either a valid integer, false if it's not a valid integer, or null if the parameter wasn't passed at all.
if (is_int($userId = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT))) {
    // PDO query for user information
}
If you're using prepared statements this won't really matter so much, but if you wish to return a failure response based on whether the input conforms to what's expected, you can use the above.
Upvotes: 1
Reputation: 15464
is_int() checks the type of the variable. But $_GET['id'] will always be a string. Better to use filter_var().
But you must use prepared statements anyway.
P.S. With prepared statements you can do without validation; the DB will tell you that nothing was found. But if you want to warn the user about a bad request, you must validate it before querying.
Upvotes: 0
Reputation: 76280
The best way to sanitize a numeric id is by using an (int) cast.
$id = (int) $_GET['ID'];
With strings you just never know.
Is the is_int() necessary?
You are probably looking to retrieve data by id. Therefore converting the string to an int is the simplest way to go. On a side note, is_int() will always return false if applied to a string.
Is there a possibility of an attack by changing user_id in the address?
Well, strings are always dirty. You never know what strange characters a user might input and how that will affect the query. For example (I don't know if it applies in this case), you should take a look at NULL byte attacks.
Upvotes: 2
Reputation: 324750
is_int() will not work, because GET variables are always passed as strings.
Personally, I like to test for a valid integer with:
if (strval(intval($_GET['user_id'])) === $_GET['user_id'])
However, this can be overkill. After all, if you're using prepared statements then there's no need to handle any escaping, and searching for a row that doesn't exist will just return no results. I'd throw in intval($_GET['user_id']), but only to really make it clear to future coders that the ID is a number.
Upvotes: 0
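The answers above propose four different ways of treating the id (is_numeric() from the question, filter_input()/filter_var() with FILTER_VALIDATE_INT, a plain (int) cast, and the strval(intval()) round-trip). The following added example, which is not code from any of the answers, runs all four over a constructed set of query-string values so their differences are visible side by side. filter_var() stands in for filter_input() so the inputs can come from a plain array instead of $_GET; the function names are made up for the demo.

```php
<?php
// Added example, not code from the original answers. Compares the validation
// approaches from this thread on a constructed list of inputs. No database.

/** is_numeric() as in the question: accepts any numeric string, not only integers. */
function checkIsNumeric(string $v): bool
{
    return is_numeric($v);
}

/** FILTER_VALIDATE_INT as in the filter_input() answer: returns an int, or false. */
function checkFilterInt(string $v)
{
    return filter_var($v, FILTER_VALIDATE_INT);
}

/** The (int) cast: never rejects anything, it silently coerces. */
function castInt(string $v): int
{
    return (int) $v;
}

/** The strval(intval()) round-trip: only canonical decimal integers survive. */
function checkRoundTrip(string $v): bool
{
    return strval(intval($v)) === $v;
}

// Constructed inputs: legitimate ids plus the kinds of strings a user can put in the URL.
$inputs = ['5', '-1', '05', '5.0', '1e3', ' 5', '0x1A', '5 OR 1=1', 'abc', ''];

printf("%-12s %-10s %-12s %-8s %s\n", 'input', 'is_numeric', 'filter_int', '(int)', 'round-trip');
foreach ($inputs as $v) {
    $filtered = checkFilterInt($v);
    printf("%-12s %-10s %-12s %-8d %s\n",
        var_export($v, true),
        checkIsNumeric($v) ? 'true' : 'false',
        $filtered === false ? 'false' : (string) $filtered,
        castInt($v),
        checkRoundTrip($v) ? 'true' : 'false');
}
```

Points to look for in the output: is_numeric() accepts '5.0', '1e3' and ' 5', none of which are integer ids; the (int) cast turns '5 OR 1=1' into 5 and 'abc' into 0, so a cast alone cannot distinguish a malformed request from a request for user 0 (it does, however, guarantee the value that reaches the query is an integer); FILTER_VALIDATE_INT rejects '05', '5.0', '1e3' and the injection string while still accepting '-1'; the round-trip check is the strictest and also rejects '05' and ' 5'. Whichever check you pick, it decides what error the user sees, while the prepared statement is what keeps the query safe.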