Question
Is it safe to use a cast to (int) instead of escaping?
```php
class opinion
{
    function loadbyopinionid($opinionid)
    {
        // Cast to int: non-numeric input becomes 0 (or its leading digits).
        $opinionid = (int) $opinionid;
        // Legacy ext/mysql call; the value is interpolated unquoted into the SQL.
        mysql_query("select * from fe_opinion where opinionid=$opinionid");
        // more code
    }
}
```
Answer 1:
mysql_real_escape_string is for STRINGS. It will not make an integer 'safe' for use. E.g.
$safe = mysql_real_escape_string($_GET['page']);
will do NOTHING where
$_GET['page'] = "0 = 0";
because there are no SQL metacharacters in there. Your query would end up something like
SELECT ... WHERE somefield = 0 = 0
However, doing intval() will convert that 0=0 into a plain 0.
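The contrast answer 1 draws, as an added example that is not part of the original question or answers: escapeLikeMysql() is a local stand-in for mysql_real_escape_string() (which needs a live connection), opinion_text is a hypothetical column name, and $db is assumed to be an open PDO connection.

```php
<?php
// Added example (not from the original question or answers).
// Stand-in for mysql_real_escape_string(): escapes the same characters
// (backslash, quotes, NUL, newline, carriage return, Ctrl-Z) without a connection.
function escapeLikeMysql(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"', "\0" => "\\0",
        "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// The same untrusted value placed into an unquoted integer context three ways.
function buildQueries(string $userInput): array
{
    $prefix = "SELECT opinionid FROM fe_opinion WHERE opinionid=";
    return [
        // Interpolated as-is: "0 = 0" turns the WHERE clause into a tautology.
        'raw'     => $prefix . $userInput,
        // Escaped: "0 = 0" contains none of the escaped characters, so it is unchanged.
        'escaped' => $prefix . escapeLikeMysql($userInput),
        // Cast: PHP keeps the leading digits and drops the rest, so "0 = 0" becomes 0.
        'cast'    => $prefix . (int) $userInput,
    ];
}

// The input from answer 1, printed once per strategy for comparison.
foreach (buildQueries("0 = 0") as $strategy => $sql) {
    printf("%-8s %s\n", $strategy, $sql);
}

// Mitigation: validate, then bind as an integer with a prepared statement.
// opinion_text is a hypothetical column; $db is an open PDO connection.
function loadByOpinionId(PDO $db, $opinionid): ?array
{
    // Reject inputs such as "12abc" or "" instead of silently coercing them.
    $id = filter_var($opinionid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT opinionid, opinion_text FROM fe_opinion WHERE opinionid = :id"
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}
```

The cast alone stops the tautology, but it also maps garbage such as "abc" to row 0; validating with FILTER_VALIDATE_INT and binding with PDO::PARAM_INT lets the application reject bad input explicitly.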
Answer 2:
Yes, it is safe, but you should escape the value in the query: ...where opinionid='$opinionid'"
BTW (1) Never use SELECT *. Solution: SELECT Field, Field2, ....
(2) (int)$foo is less performant than intval($foo)
Source: https://stackoverflow.com/questions/8387974/should-i-escape-an-expected-integer-value-using-mysql-real-escape-string-or-can