3raser, posted February 17, 2012

If I check and make sure a variable is numeric with the is_numeric function, and it passes the is_numeric function, can it still be a security risk if I don't escape it with mysql_real_escape_string()?
Pikachu2000, posted February 17, 2012

That will make it safe for a query, but chances are you should be using ctype_digit, since is_numeric will return TRUE for +1.3950e218 (exponential number) and 0xAF39BB2DC (hexadecimal number). If you need to allow negative numbers, you can check against the abs value of it with ctype_digit() as well.
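Pikachu2000's advice as a worked example, added here and not part of the thread: a small validator built on ctype_digit() that also accepts negative integers, run over constructed inputs to show where is_numeric() is looser, followed by a PDO bound parameter as the escaping-free way to pass the value to MySQL. The table name, the PDO connection and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Accepts an integer string with
// an optional leading minus by running ctype_digit() on the digits only,
// which is the same check as testing the absolute value. Returns the int
// on success and null on failure.
function validateInt(string $value): ?int
{
    $digits = $value;
    if ($digits !== '' && $digits[0] === '-') {
        $digits = substr($digits, 1);
    }
    // ctype_digit() is true only for a non-empty string of 0-9: no sign,
    // no decimal point, no exponent, no hex prefix, no whitespace.
    if (!ctype_digit($digits)) {
        return null;
    }
    // Add a strlen() bound here if overlong digit strings must be rejected.
    return (int) $value;
}

// Constructed inputs: what is_numeric() lets through vs. validateInt().
$samples = ['42', '-17', '+1.3950e218', '0xAF39BB2DC', '1 OR 1=1', ' 5', ''];
foreach ($samples as $s) {
    printf("%-14s is_numeric=%-5s validateInt=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        var_export(validateInt($s), true));
}
// is_numeric() accepts '+1.3950e218' on every PHP version; the hex string
// '0xAF39BB2DC' was numeric on PHP 5 only (hex strings stopped being
// numeric in PHP 7.0). validateInt() rejects both on any version.

// Even after validation, bind the value instead of splicing it into SQL,
// so no mysql_real_escape_string() call is needed at all.
// The 'items' table and the PDO handle are assumptions for illustration.
function fetchItem(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Of the sample inputs, only '42' and '-17' come back as integers from validateInt(); is_numeric() additionally accepts the exponent form (and, on PHP 5, the hex form).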
3raser (author), posted February 17, 2012

Thanks for the reply Pikachu.