Does a user id have to be an integer?

Question

This is probably a repeated question but I really can't find any answers. I have a forgotten password script which grabs the users email address from the URL using $_GET. The script then checks the $_GET for error messages then passes through to mysql to check weather the user id is the same.

Now the script itself is fine but the user id comes back as a string instead of an integer in var_dump(). I was going to let it go but then I read that if the user id is not an integer in a $_GET variable it could lead to an attack, which has got me a little bit worried. I have tried to change the num_rows value to an int but with no success, because num_rows returns an array. The code that checks the user id is:

if (mysql_num_rows($result) == 1) {
    // NEED TO TURN THIS ARRAY TO AN INT
     list($userId) = mysql_fetch_array($result, MYSQL_NUM);  
}

//elseif (mysql_num_rows($result) <= 0) {
else {
    $wrong = '<p style="color: red">Something went wrong. Please try again</p>';
 }

Like I said before the script itself is fine, it's just that I read something and now can't get it out of my head, which has lead me to ask you guys. Doe's a user id have to be an integer or can i get away with it as a string?

EDIT: Thanks for all your comments and suggestions. There's still a lot to learn in php. Cheers again.

Answer 1

The user ID doesn't have to be an integer, however it is usually

• unique (one per user)
• formatted a way that it is searchable efficiently in a database (for instance)
• short so that it doesn't take much space, especially for large users bank

therefore, ideally, that would be an integer (which number of bits must cover the largest number of expected users)

• unique - for instance allocated automatically (incrementally) by a database
• efficiently indexed, and being the small pointer to a larger user table
• short

one of the drawbacks is that if the integer is given to the client browser (eg in a form), the client may guess the number of user / change the form user ID since numbers in sequence can be easily guessed... (that needs to be prevented via further security)

Answer 2

Everything you pull from the $_GET array is going to be a string, owing to the fact that there's no type information sent through http.

You should, however, always be sanitizing user input or using prepared statements to prevent SQL injection attacks.

Answer 3

You mixed things up, I'll try to clarify them. When PHP receives data via HTTP protocol, be it GET or POST - all the data is considered to be a string because there is no way to safely identify what the data should be.

That means you can try to coerce a piece of data you got via $_GET or $_POST into a different type internally, using typecasting, such as $id = (int)$_GET['id'];

As for databases, the id (let's call it Primary Key) should always be an integer.

Why: - InnoDB uses a certain principle internally when it comes to actual data-structure organisation and writing the information to the disk. It accomplishes a significant performance gain by using sequentially incremented integers - It's easy to create unique identifiers using integers. Just increment some number by an offset every time you do an insert and you get a unique number assigned to the row, no need for a complex algorithm that calculates unique identifier such as UUID() etc.

Long story short - keep the user's ID as integer in MySQL and if you receive data via $_POST/$_GET - type cast them into what you want them to be (int, float, string etc.)

Answer 4

A user ID can be anything you want it to be ... I would only suggest that it be something that has a unique key on it in the database and doesn't change over time.

ID's are traditionally used because it is good practice to have an auto-incrementing primary key on your tables anyway and it meets all of the criteria to be an effective user id.