Is there any way to indicate in a URL query string that the value should be treated as an integer rather than string?

Question

The classic query string is page?field1=john&field2=123

Every server-side framework will interpret that as field1 is "john" and field2 is "123".

Is there any way for the client to indicate in the query, 'please treat field2 as 123 (an integer) and not "123" (a string)'?

I know I can have my server-side code be intelligent and know that field2 is supposed to be an integer, and so parse it into an integer, but on the client?

Answer 1

No. But you could use JSON (see second section)

Also, you may want to read about Tainted Data.

The server is expected to verify every single parameter to the letter. The server is the one that knows how to generate the SQL command and if a number is required, you must check that. Maybe with a Regular Expression (/^[0-9]+$/)...

If you do not check the parameter on the server side (or the server accepts what the client says: «this is an integer») then the server may end up allowing the client to do whatever one wants to do with the server (i.e. access all the user's data even when not logged in as an admin.)

For example:

mysql.request("SELECT * FROM users WHERE uid = $_GET['uid']");

Would allow any hackers to pass SQL commands in the 'uid' field as in:

http://www.example.com/some/path?uid=123;UPDATE%20users%20SET%20role='admin'

Which will execute your SELECT and an UPDATE which makes all users administrators (some additional %XX may be required, but it gives the general idea.)

Note that the mysql driver in Node prevents two SQL commands from being executed at once so as to avoid problems like those in the first place. That being said, you must always verify all the data passed to the server. There isn't a safe way for a client to tell you, oh, yeah, this field is of type X.

JSON

Now, if you were to consider using JSON, you could incorporate the type in the data. JSON understands strings, numbers, Boolean, objects, and arrays. So in a string such as this one, you do get typed data:

{
    "string": "test with a string",
    "number": 123,
    "boolean": true,
    "object": {
        "string": "a string in an object"
    }
    "array": [
        {
            "number": 333,
            "boolean": false
        }
    ]
}

You can compact such a JSON in a single line and make it the value of a query string. Don't forget to URI encode the string (See encodeURIComponent().)

Of course, this does not really help preventing tainted data. But it can make it easier as the JSON.parse() function fails if the input data is invalid. That's at least a first step toward making sure the data is as expected.

And you do not need to have a complex JSON object. For example, the following will convert the value to a number:

JSON.parse('123')

Because the string '123' represents a valid JSON string and it is just the number 123. This is, of course, in JavaScript so if you're using Node on your backend. With other languages, you may have surprises about what works and what doesn't.