Quote Originally Posted by mc12345678 View Post
The parameter products_id is not strictly an integer because many, many years ago, it was determined that the products_id would be used to support carrying the attribute information related to the product.
Ah yes good point, you've set off a nasty tic in my left eye, remembering the get_prid() function and how the cart links back to the product page to 'edit' the product, and how I tried to reverse engineer how this stuff works from code with little documentation :) Now I look again, init_sanitize does check products_id with more complicated preg_match logic allowing the colon-separated format and /\d/ regex which, I just checked, an integer PHP variable does test OK with, as does a string type variable, so the ceon addon can put an integer type into $_GET['products_id'] without error. Anyway I'll comment on the github issue I raised.