Should I escape an expected integer value using mysql_real_escape_string or can I just use (int)$expectedinteger

is it safe to use cast (int) instead of escaping?

class opinion
{
   function loadbyopinionid($opinionid){
      $opinionid=(int)$opinionid;
      mysql_query("select * from fe_opinion where opinionid=$opinionid");
      //more code 
   }
}

mysql_real_scape_string is for STRINGS. it will not make an integer 'safe' for use. e.g.

$safe = mysql_real_escape_string($_GET['page']);

will do NOTHING where

$_GET['page'] = "0 = 0";

because there's no SQL metacharacters in there. your query would end up something like

SELECT ... WHERE somefield = 0 = 0

However, doing intval() will convert that 0=0 into a plain 0.

Yes it is safe, but you should escape the value in the query ..where opinionid='$opinionid'"

BTW (1) Never use Select * Solution Select Field, Field2 ....

(2) (int)$foo is less perfomanter then intval($foo)

来源：https://stackoverflow.com/questions/8387974/should-i-escape-an-expected-integer-value-using-mysql-real-escape-string-or-can

标签

php

mysql

casting

escaping

sql-injection

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!