Should I escape an expected integer value with mysql_real_escape_string, or can I just use (int) $expectedinteger?

Is it safe to use a cast to (int) instead of escaping?

 class opinion {
     function loadbyopinionid($opinionid) {
         $opinionid = (int)$opinionid;
         mysql_query("select * from fe_opinion where opinionid=$opinionid");
         // more code
     }
 }
+6
2 answers

mysql_real_escape_string is for STRINGS. It will not make the whole query "safe" to use, e.g.

 $safe = mysql_real_escape_string($_GET['page']); 

will do nothing when

 $_GET['page'] = "0 = 0"; 

because there are no SQL metacharacters. Your query will end up as something like

 SELECT ... WHERE somefield = 0 = 0 

intval(), however, converts this value 0 = 0 to a plain 0.

+13
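The point of this answer, as an added example that is not part of the original post: an escaped but unquoted value still rewrites the WHERE clause, while a cast (or a bound parameter) does not. It uses an in-memory SQLite table standing in for fe_opinion, a fake_escape() that mimics what mysql_real_escape_string does (quotes and backslashes only), and a to_int() that approximates PHP's (int)/intval() by reading leading digits and otherwise returning 0; all three are assumptions of this example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for fe_opinion (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fe_opinion (opinionid INTEGER, body TEXT)")
    db.executemany("INSERT INTO fe_opinion VALUES (?, ?)",
                   [(1, "first"), (2, "second"), (3, "third")])
    return db


def fake_escape(value):
    """Stand-in for mysql_real_escape_string: escapes quotes and backslashes, nothing else."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def to_int(value):
    """Approximation of PHP's (int) cast: leading optional sign and digits, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def load_escaped_unquoted(db, opinionid):
    """Escaped but unquoted: '0 = 0' becomes WHERE opinionid = 0 = 0 and matches every row."""
    sql = "SELECT opinionid FROM fe_opinion WHERE opinionid = " + fake_escape(opinionid)
    return [row[0] for row in db.execute(sql)]


def load_cast(db, opinionid):
    """The question's approach: the cast leaves only an integer to interpolate."""
    sql = "SELECT opinionid FROM fe_opinion WHERE opinionid = %d" % to_int(opinionid)
    return [row[0] for row in db.execute(sql)]


def load_param(db, opinionid):
    """Bound parameter: the value never becomes part of the SQL text at all."""
    sql = "SELECT opinionid FROM fe_opinion WHERE opinionid = ?"
    return [row[0] for row in db.execute(sql, (to_int(opinionid),))]


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "0 = 0"):
        print(repr(value), load_escaped_unquoted(db, value),
              load_cast(db, value), load_param(db, value))
```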

Yes, it's safe, but you should quote the value in the query: ... WHERE opinionid = '$opinionid'

BTW (1) Never use SELECT *; select field1, field2, ... instead.

(2) (int)$foo is less costly than intval($foo).

-3

Source: https://habr.com/ru/post/903121/
