otuatail Posted October 28, 2008
Thread: https://forums.phpfreaks.com/topic/130412-solved-prevent-sql-injection/

Hi Guys. Is there a way of making sure a value in a query string is an int, as there are no type-safe declarations to use here in PHP? TIA, Desmond.
MadTechie Posted October 28, 2008

Here are some examples that I use:

```php
<?php
// Int #1: cast the value to an integer before interpolating it into the query
$number = (int)$number;
$query = "SELECT * FROM users WHERE number=$number";

// Int #2: let sprintf's %d placeholder format the value as an integer
$query = sprintf("SELECT * FROM users WHERE number=%d", $number);

// Int #3 (I don't use this one, I would use #1 instead, but that's personal preference)
settype($number, "integer");
$query = "SELECT * FROM users WHERE number=$number";

// String: escape each string value for the current MySQL connection
// (the mysql_* extension was removed in PHP 7; mysqli_real_escape_string or
// prepared statements are the equivalents there)
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?>
```

EDIT: I would recommend using Int #2 and String for all SQL queries out of habit; if you have a function that requires an int then use Int #1 (if the var is being used in other places as well).
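Added example, not code from the thread or its posters: the (int) cast above accepts "42abc" as 42 without complaint, whereas filter_var with FILTER_VALIDATE_INT rejects anything that is not a whole integer, and the validated value is then bound through a PDO prepared statement rather than spliced into the SQL text. The sample inputs and the in-memory SQLite table are constructed here so it runs offline (it assumes the pdo_sqlite extension is present).

```php
<?php
declare(strict_types=1);

// Returns the integer, or null when the query-string value is not a well-formed
// integer within range. Unlike (int)$value, FILTER_VALIDATE_INT rejects "42abc",
// "4.2", "1e3" and "" instead of silently turning them into a number.
function queryStringInt(array $params, string $key, int $min = 0): ?int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return null;
    }
    $result = filter_var($params[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min],
    ]);
    return $result === false ? null : $result;
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['id' => '42'],      // int(42)
    ['id' => '42abc'],   // null, although (int)'42abc' would give 42
    ['id' => '4.2'],     // null
    ['id' => '-1'],      // null, below min_range
    [],                  // null, key missing
];
foreach ($samples as $get) {
    var_dump(queryStringInt($get, 'id'));
}

// Constructed in-memory SQLite table so the query can run without a MySQL server.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (number INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (number, name) VALUES (42, 'desmond')");

$number = queryStringInt(['id' => '42'], 'id');
if ($number === null) {
    exit("invalid id\n");   // reject the request instead of guessing a value
}
// Prepared statement: the value travels as a typed parameter, never as SQL text.
$stmt = $pdo->prepare('SELECT number, name FROM users WHERE number = :number');
$stmt->bindValue(':number', $number, PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetch(PDO::FETCH_ASSOC));
```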
sammeh Posted October 28, 2008

I always use:

```php
<?php
$number = (int)$number;
?>
```
otuatail Posted October 28, 2008 (Author)

Great, thanks for all that. Desmond.