otuatail Posted October 28, 2008
Hi Guys. Is there a way of making sure a value in a query string is an int, as there are no type-safe declarations to use here in PHP? TIA Desmond.
Topic: https://forums.phpfreaks.com/topic/130412-solved-prevent-sql-injection/
MadTechie Posted October 28, 2008
Here are some examples that I use:

<?php
// Int #1: cast to int. Note that anything non-numeric becomes 0 and "12abc" becomes 12.
$number = (int)$number;
$query = "SELECT * FROM users WHERE number=$number";

// Int #2: let sprintf() format the value as a decimal integer (%d).
$query = sprintf("SELECT * FROM users WHERE number=%d", $number);

// Int #3 (I don't use this one, I would use #1 instead, but that's personal pref.)
settype($number, "integer");
$query = "SELECT * FROM users WHERE number=$number";

// String: escape with mysql_real_escape_string(). It needs an open mysql connection,
// and the mysql extension was removed in PHP 7 (use mysqli or PDO there).
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?>

EDIT: I would recommend using Int #2 and String for all SQL queries out of habit. If you have a function that requires an int then use Int #1 (if the var is being used in other places as well).
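As an added example (not code from the thread or from any of its posters), here is how the same problem is handled without relying on the cast: the query-string value is validated with FILTER_VALIDATE_INT, which rejects "12abc", "abc", "007" and "2 OR 1=1" instead of silently turning them into 12, 0, 7-ish or 2, and the accepted integer is then passed to the database as a bound parameter rather than spliced into the SQL text. The function names queryInt() and findUser() are my own, and the example assumes the pdo_sqlite extension is available so it can run offline against an in-memory table; in real code the DSN would point at your MySQL server.

```php
<?php
// Added example, not part of the original thread.
// Validates a query-string integer and uses it in a parameterised query.
// Uses PDO with an in-memory SQLite database (assumes pdo_sqlite is loaded)
// so it runs offline; swap the DSN for mysql:host=...;dbname=... in real code.

declare(strict_types=1);

/**
 * Return the integer value of $raw, or null if $raw is not a well-formed
 * integer string or lies outside [$min, $max].
 *
 * Unlike (int)$raw, which turns "12abc" into 12 and "abc" into 0,
 * FILTER_VALIDATE_INT accepts only an optional sign followed by digits
 * (no leading zeros, no trailing junk) and lets you reject negative or
 * oversized ids up front.
 */
function queryInt(string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Look up a user by id. The id travels to the database as a bound
 * parameter, so it never becomes part of the SQL text at all.
 */
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo against a constructed in-memory table ------------------------------
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'desmond'), (2, 'madtechie')");

// Constructed sample inputs, as they might arrive in $_GET['id'].
$samples = ['2', '007', '12abc', 'abc', '-1', '2 OR 1=1', '1; DROP TABLE users'];

foreach ($samples as $raw) {
    $id = queryInt($raw);
    if ($id === null) {
        // Show what a bare cast would have let through for the same input.
        printf("%-24s rejected (a plain (int) cast would give %d)\n",
            var_export($raw, true), (int) $raw);
        continue;
    }
    $user = findUser($db, $id);
    printf("%-24s id=%d -> %s\n",
        var_export($raw, true), $id, $user['name'] ?? 'no such user');
}
```

Run it with `php example.php`. Only '2' reaches the database; every other sample is refused before a query is built, and even a value that did get through could not change the query's structure because it is bound as PDO::PARAM_INT rather than interpolated.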
sammeh Posted October 28, 2008
I always use:

<?php
$number = (int)$number;
?>
otuatail Posted October 28, 2008 (Author)
Great, thanks for all that. Desmond.
Archived
This topic is now archived and is closed to further replies.