1 reply to this topic

[bbqroast]

You know those things that make you want to grind your nails along a desk? Well here's one of 'em:
Having spent a while working on security you suddenly discover that your intval() checking means that going to the page with an ID of two will put you on the page with an ID of one!

$page = $_GET['p'];

if (intval($pageID) == 0){

$page = 0;

} else if (intval($pageID) == 1) {

$page = 0;

}

$pageID = $page + 1;

As you can see we GET the variable 'p' then check its an int before adding one on to it (as the 'p' variable starts at 0 and MySQL's page IDs start at 1).
Apparently if $pageID is not a number it will return 0 or 1- However sadly intval returns $pageID on success so if $pageID is page two then it sees it as invalid and tells php to show the homepage instead.

So any ideas for a workaround?

Gosh writing makes me thirsty...

[Alexander]

What you are stating is contradictory to what you have written, for example you are applying intval to $pageID and not $page which contains the P array index, what is $pageID? Where is it filled and what is its correlation to $page?

A note, intval is a problematic function in PHP, as PHP will automatically type cast most of what you need. "3" == 3, but with intval, "e" can == 0, or your first page which you have described. You should check this with is_int() and throw an error if it is not an integer value.