Quote Originally Posted by neekfenwick
It is amusing that products_id is not sanitised (it's not in the array of fields to check), so URIMappingHandler can set $_GET['products_id'] = 123 without problems, which is possibly why this 'bug/feature' hasn't been noticed before since it doesn't affect product pages.
The parameter products_id is not strictly an integer because many, many years ago, it was determined that the products_id would be used to support carrying the attribute information related to the product.

Not everyone uses attributes in every store, so yes, it may in part be possible that a store could operate with such integer sanitization. But the broader use of the field is numerical and whatever character(s) result from hashing the attributes, separated by a colon.

In a way that hashing can be useful to recreate the product, though it nearly falls apart when the product has an attribute allowing user-provided text.
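Since the reply above explains that products_id is not a plain integer but "number, optional colon, attribute hash", a sanitizer cannot simply cast it to int. The following is an added example, not code from the thread or from Zen Cart, of validating that shape before the value is used. It assumes the hash portion is lowercase hexadecimal (the thread only says "hashing"; the character set is an assumption) and uses the hypothetical helper name validate_products_id:

```php
<?php
// Added example: validate a products_id of the form "123" or "123:<hash>".
// Assumption: the attribute hash is lowercase hexadecimal; adjust the
// character class if the store's hashing produces something else.
function validate_products_id($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    // Integer product id, optionally followed by ":" and a hex hash.
    if (!preg_match('/^([1-9][0-9]*)(?::([0-9a-f]+))?$/', $raw, $m)) {
        return null; // anything else (SQL fragments, path chars, whitespace) is rejected
    }
    return array(
        'id'   => (int) $m[1],
        'hash' => isset($m[2]) ? $m[2] : null,
        'uprid' => $raw, // the original combined value, safe to keep as-is
    );
}

// Constructed sample inputs, including the kinds of values a sanitizer must reject.
$samples = array(
    '123',
    '123:9e107d9d372bb6826bd81d3542a419d6',
    "123' OR 1=1--",
    '123:../../etc/passwd',
    ' 123',
    '0',
);
foreach ($samples as $s) {
    $r = validate_products_id($s);
    echo str_pad(var_export($s, true), 40), ' => ',
         ($r === null ? 'REJECTED' : 'id=' . $r['id'] . ' hash=' . ($r['hash'] ?? 'none')), "\n";
}
```

The integer part is what a database lookup needs, while the combined value is what the cart logic keyed on "products_id:hash" expects; validating once and returning both avoids casting away the hash or passing the raw string through unchecked. Product ids of 0 and values with leading whitespace are rejected here as well, which is a stricter choice than an int cast would make.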