1

i am developing a webservice (cakephp 2.4.7) where i am using the findById method on a user model.

What i have is:

    $user = $this->User->findById($userid);
    if (!$user) {
        throw new NotFoundException(__('Invalid User'));
    }

And the problem is, if $userid == 2 i get the user with ID 2. So far so good. But if (for example) $userid == 2as i also get the user with id 2.

I think the problem is, that $userid is a string and 2as becomes 2.

How can i solve the issue?

q0re
  • 1,401
  • 19
  • 32
  • i am not sure,try `===` – ɹɐqʞɐ zoɹǝɟ May 07 '14 at 05:49
  • Use is_int() to validate $userid http://in2.php.net/manual/en/function.is-int.php – Garry May 07 '14 at 05:49
  • the problem is `2` is also a string and if i check if is_int($userid) the result is always false. – q0re May 07 '14 at 06:24
  • Call it a 'feature' and you're done :-) More seriously, `is_int()` checks for the type, and `is_numeric()` accepts decimal numbers, so they don't fit the job. But you could use a simple regex like this http://stackoverflow.com/questions/4100022/php-validate-integer – nIcO May 07 '14 at 06:40
  • the problem is i have a function where i check if the user visit his own profile by comparing `$this->Auth->User('id')` with `$userid` and this returns false..temporarily i solved the problem with `$userid = intval($userid);` at the top of each action in the controller. – q0re May 07 '14 at 07:06
  • So if you compare `$userid` with `$this->Auth->User('id')`, `/my_profile/2` returns the page correctly, and `/my_profile/2as` doesn't. What's the problem with that ? Why do you bother to make `/my_profile/2as` a valid url ? – nIcO May 07 '14 at 09:09

1 Answers1

1

That's how the database works

It seems quite likely you're using MySQL, and what you're describing is simply how it works:

mysql> select * from posts where id = 1;
+----+-----------+------------------------+---------------------+----------+
| id | title     | body                   | created             | modified |
+----+-----------+------------------------+---------------------+----------+
|  1 | The title | This is the post body. | 2013-08-01 07:34:57 | NULL     |
+----+-----------+------------------------+---------------------+----------+
1 row in set (0.00 sec)

mysql> select * from posts where id = "1and this text";
+----+-----------+------------------------+---------------------+----------+
| id | title     | body                   | created             | modified |
+----+-----------+------------------------+---------------------+----------+
|  1 | The title | This is the post body. | 2013-08-01 07:34:57 | NULL     |
+----+-----------+------------------------+---------------------+----------+
1 row in set, 1 warning (0.00 sec)

With input like that, the database will cast the value to an integer before performing a query.

If you want to prevent your application from treating those two user inputs as the same - you'll need to validate user input and make sure it's numeric before using it.

Community
  • 1
  • 1
AD7six
  • 63,116
  • 12
  • 91
  • 123