Birdy's avatar

If page pagination is greater than..

Hi, I'm using the built-in simple pagination with custom CSS. As you are probably aware, Laravel appends the pagination page IDs to the URL when using pagination. However, if some malicious user wants to try and get technical, let's say we have the following setup:

http://example.com/article

and now we have added 3 pages of pagination

http://example.com/article?page=1
http://example.com/article?page=2
http://example.com/article?page=3

he or she can then add the following: ?page=30 and so on...

Though this does not break the site, it will stop rendering the pagination results because there are none for page 30 and so on... So I wanted to add something simple to my controller, maybe an if statement, to count the pagination number given by Laravel using $reviews->hasMorePages() or even $reviews->count(), then use something like this:

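    // page number requested in the URL (defaults to 1 when absent)
    $pageID = $_GET['page'] ?? 1;
    $reviewCount = $reviews->count();
    if ($pageID > $reviewCount) {
        // requested page is out of range: send the visitor back
        return redirect()->back();
    }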

Excuse the code, as I've not tested it in any way. I have just quickly typed it out as I'm writing this message, so the syntax may be a bit skew-whiff!

Any suggestions on the best approach here? I'm basically trying to verify that the page parameter is not greater than the $pagination->count() function, and if it is, then it's been modified manually or maliciously, so redirect back or redirect to the first page / article page.

Thanks

0 likes
6 replies
jlrdw's avatar

That is fairly standard, don't worry about it. FedEx doesn't seem too worried about it and their I.T. people make well over $100,000 a year.
I just tested that very thing on this forum, and if you go past the last page @JeffreyWay just has a little message there. But really it's no big deal.
And before @tykus_ikus tries to beat me with a better answer hi hi, some people will set the paginator up so if you go past the last page it will automatically go to the last page.

1 like
jekinney's avatar

@Birdy dd() the paginated collection. You'll see the count, page count, current page and URL. Instead of the code you displayed, utilize what Laravel has already given you; it's much easier both in code and performance.

I agree with @jlrdw, it's not a security issue, maybe a convenience for the user and a nice touch (attention to detail), but is the time worth the effort? I have done what you're attempting after a site is deployed, as an update when time allowed.

2 likes
Birdy's avatar

@jekinney - I like what you're saying. Great input and very much appreciated. As it happens, time is very short on this project and I guess what you say is right, I should look at this as one of the refactoring stages, not an essential before production. Thank you for taking the time out, it's very greatly appreciated.

1 like
aliyasir's avatar

@birdy

Maybe $_GET is not a good option

        // last page number reported by the length-aware paginator
        $lastpage = $data['articles']->lastPage();

        if (isset($_GET['page'])) {
            $pageID = $_GET['page'];
            if ($pageID > $lastpage) {
                //abort(404);
                return redirect()->back();
            }
        }

Second option

Route

Route::get('/category/{category}','front\homepage@categoryList')->name('category');

Controller

    public function categoryList($slug, Request $request)
    {
        $category = Category::where('slug', $slug)->first() ?? abort(404);
        $data['category'] = $category;
        $articles = Article::where('category_id', $category->id)->orderBy('created_at', 'DESC')->paginate(1);
        $data['articles'] = $articles;
        $lastpage = $data['articles']->lastPage();
        //print_r($lastpage);
        $page = $request->input('page'); // get page number from the URL

        if ($page > $lastpage) {
            //abort(404);
            // redirect to the category route with the category data
            return redirect()->route('category', ['category' => $category->slug]);
        }
        $data['categories'] = Category::orderBy('name')->get();
        return view('front.category_page', $data);
    }

aliyasir's avatar

But this is my current problem and I have solved it with these commands. Maybe this is not good for efficiency, but I solved it. Laravel redirects back by default if you type a string after " ?page= ", but it does not work when you type a page number which does not exist.
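
An added example, not written by any poster in this thread: one way to handle an out-of-range `?page=` value for both `paginate()` and the `simplePaginate()` the original question uses, relying only on the paginator's own methods instead of reading `$_GET`. The `Review` model, the view names and the page size of 10 are assumptions for illustration.

```php
<?php

namespace App\Http\Controllers;

use App\Models\Review; // hypothetical model, not from the thread

class ReviewController extends Controller
{
    // paginate(): the total is known, so lastPage() can be compared directly.
    public function index()
    {
        $reviews = Review::latest()->paginate(10);

        // currentPage() is already sanitised: Laravel's default page resolver
        // falls back to 1 when ?page= is not an integer or is below 1.
        // lastPage() is never less than 1, even with zero rows.
        if ($reviews->currentPage() > $reviews->lastPage()) {
            // url() is built from the current request path, so the target
            // stays on this route. redirect()->back() would instead follow
            // the Referer header, which the visitor controls.
            return redirect($reviews->url($reviews->lastPage()));
        }

        return view('reviews.index', ['reviews' => $reviews]);
    }

    // simplePaginate(): no count query is run, so lastPage() does not exist.
    // An empty result on any page after the first means the page is past the end.
    public function simple()
    {
        $reviews = Review::latest()->simplePaginate(10);

        if ($reviews->isEmpty() && $reviews->currentPage() > 1) {
            return redirect($reviews->url(1));
        }

        return view('reviews.simple', ['reviews' => $reviews]);
    }
}
```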