I'm using a GET variable and people get to it by the following URL:
page?siteID=1
and I check to make sure that siteID is an integer, but PHP is saying it is a string.
How can I convert it to a integer? I noticed that intval() would convert 0x1A to 26, which I don't want to happen.
If you don't want to convert the variable, but simply check if it represents a number, you can also use the is_numeric function. Either that, or you can use the conversion methods as described in other answers, whichever suits your particular need best.
EDIT: based on James Socol's comment, it may also be worth looking at the ctype_digit function. For your particular application (it looks like you want to check for some page ID number), this might be better suited than the is_numeric function.
is_numeric("-1.23e25") will evaluate to true. ctype_digit might be more appropriate.
Just as a side note, so that you know why this is happening, here's what's going on.
When a web browser sends a GET request, it's all text. The URL `http://example.com/page?siteID=1' is actually sent as a single string; in the HTTP request it will be this line:
GET /page?siteID=1 HTTP/1.0
(The "http://example.com" part was used by the web browser to figure out which server to talk to, and what network protocol to use.)
PHP gets hold of that and does a whole bunch of work for you to parse it. It splits it into three pieces based on those spaces (method "GET", URI "/page?siteID=1" and protocol "HTTP/1.1"), and further parses the URI into a path ("/page") and query parameters ("siteID=1"), which it further parses into name/value pairs. And even that whole GET line quoted above was only part of the full text stream delivered to the HTTP server as a request.
So you're seeing the the result of a whole lot of work to convert a longish sequence of characters into a lot of different pieces.
If you're really curious, you can use tools such as Wireshark or the Firefox Live HTTP Headers plugin to see the details of what text strings are actually passing over the network. It's worth learning, if you're a web developer.
Either cast to int
$id = (int)$_GET['siteID'];
knowing the rules on string-to-integer conversions. Or use
if (ctype_digit($_GET['siteID'])) { //...
If you want to be sure it only contains numbers (characters 0-9). If you want it to be a numeric string, including "-1.35e+105" you could use is_numeric().
you need to cast it to an int
e.g.
$siteid = (int) $_GET['siteID'];
That will do it.
what you could do; ctype_digit($_GET['siteID'])
All parameter values are strings. You must explicitly convert from string to integer. You can cast as suggested in other answers or use setType(var, type) where type is "integer"
<?php
$id = $_GET['siteID'];
settype($id, "integer");
?>
PHP treats all GET/POST/COOKIE variables as strings until you do something with them.
Here is a good PHP.net reference for you to look at: http://ca.php.net/language.types.type-juggling
Php is weakly typed. For him, integer and string can threated the same way, it will jus try to guess how according to the context.
Anyway, when you pass a variable with GET, it's always a string because the HTTP protocole is all about text.
So two things :
you, most of the time, don't need to check if it's an integer. Use duck typing : if it's a string that looks like an integer enought, use it directly.
if you really want to check, use is_numeric().
if you need a conditional statement, using == to check a string against an integer will work. If you want to check with a type enforcement, use ===.
The fudgy way of managing variables is part of what makes PHP, well, PHP. Love it, or hate it, but don't try code in PHP like in JAVA or C#.
More ideas:
$isInt = ($_GET['id'] == (int)$_GET['id']); // not strict comparing!
$isInt2 = preg_match('/\-?[0-9]+/', $_GET['id']);
and finally a safe way to get the $id:
$id = (isset($_GET['id']) && ($_GET['id'] == (int)$_GET['id']))
? (int)$_GET['id']
: 0;
I'd recommend using mod_rewrite (if available) and regular expressions to obfuscate and secure your GET variables instead of casting them in your code.
The URI path page?siteID=1 is a string; The value of $_GET['siteID'] will originally be a string.
Assumption: the siteID value is used to look in a dB table by the siteID field so a valid siteID value must look like an integer greater than zero.
is_numeric() is not enough in this case unfortunately because is_numeric('7e2') returns true.
You want to validate the string value of siteID as an integer without casting any value from $_GET, keeping your $_GET with raw values because you might need them later.
function is_valid_id($id) {
return strval($id) === strval(intval($id)) && $id > 0;
}
if (is_valid_id($_GET['siteID']))
$siteID = intval($_GET['siteID']);
# Value is ready to be processed as integer
else
# Refresh page with invalid id error message
It renders invalid '0', '0.0', '-0', '07', '-09', '0y', '7e2', '-w', '-b.9', 'G98', '-h7', '98R', '98.7', '98,8', '0x1A', '\x1A', '5+5', '5*5', etc.
