Reputation:
I'm using PHP and MySQL. When a user clicks the submit button the GET query string is like this:
http://mywebsite.com/category/section?article=1
And I query like this:
"SELECT * FROM article WHERE art_id='$article'"
art_id is an int(11) datatype, but it accepts a value with letters if I have the correct number as a prefix, like: http://mywebsite.com/category/section?article=1asd
If I pass all letters (?article=asd) it won't accept it, but if I pass a number with letters (?article=12asd) it does accept it and returns the article with art_id of 12. How can I prevent this?
I've tried it directly on the MySQL command line client and it accepts the value with letters in it.
Upvotes: 1
Views: 277
Reputation: 2197
The solution is:
if (isset($_GET['article']) && is_numeric($_GET['article'])) { your query }
// Add the isset function for unset variables and the is_numeric function for numeric validation. Good luck!
Upvotes: 0
Reputation: 840
You can check it in your code with an if condition:
You can check your GET variable 'article' before passing it into the MySQL query to prevent the issue you are facing:
solution 1: if (is_numeric($_GET['article'])) { your query }
solution 2: $article = intval($_GET['article']); // cast the variable and then pass it into the query
solution 3: if (is_int($_GET['article'])) { your query }
Hope these solutions work for you.
Upvotes: 5
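As an added example that is not part of the question or of any answer above: the script below runs the three checks from this answer against constructed sample values (including the "12asd" case from the question), and then shows a strict alternative, filter_var() with FILTER_VALIDATE_INT, feeding a PDO prepared statement. The table and column names are taken from the question; the PDO connection is assumed to be created elsewhere and is not opened here.

```php
<?php
// Added example, not code from the question or the answers above. It runs the
// checks proposed in this answer against constructed sample values (including
// the "12asd" case from the question), then shows a strict alternative that
// feeds a parameterised query. The table and column names come from the question;
// the PDO connection is assumed to be created elsewhere.
declare(strict_types=1);

// What each check does with one query-string value. Query-string values always
// arrive as strings, which is why is_int() is included in the comparison.
function runChecks(string $value): array
{
    return [
        'is_numeric' => is_numeric($value),                      // true for "12", also for "1e3" and "12.5"
        'intval'     => intval($value),                          // "12asd" becomes 12, "asd" becomes 0
        'is_int'     => is_int($value),                          // false for every string input
        'validate'   => filter_var($value, FILTER_VALIDATE_INT), // int for "12"; false for "12asd", "1e3", "12.5"
    ];
}

// Strict validation for the article id: optional sign and digits only, at least 1.
// Returns null for a missing parameter or anything that is not a plain integer.
function validArticleId(array $query): ?int
{
    if (!isset($query['article']) || !is_string($query['article'])) {
        return null; // missing, or sent as ?article[]=... which PHP turns into an array
    }
    $id = filter_var($query['article'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Look up the article with a prepared statement. The id is bound as an integer,
// so the value never becomes part of the SQL text: MySQL's lenient
// string-to-number conversion and SQL injection are both out of the picture.
function fetchArticle(PDO $pdo, array $query): ?array
{
    $id = validArticleId($query);
    if ($id === null) {
        return null; // treat as "not found": "12asd", "asd" and "" are all rejected here
    }
    $stmt = $pdo->prepare('SELECT * FROM article WHERE art_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs standing in for $_GET['article'].
foreach (['12', '12asd', 'asd', '1e3', '12.5'] as $sample) {
    printf("%-7s %s\n", json_encode($sample), json_encode(runChecks($sample)));
}
```

Run it with the php command-line interpreter to see the comparison table; fetchArticle() needs a live PDO connection and is only defined here. When validArticleId() returns null, answer with a 404 rather than falling back to intval(): intval("12asd") is 12, which reproduces exactly the behaviour the question is trying to get rid of.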
Reputation: 317
In your table change int(11) to varchar(11), provided it is not a PK. In this scenario you can include variable characters.
Upvotes: 0