Reputation: 577
PHP conversion against injection for numerical parameters
I know that the ultimate way is to use mysqli_real_escape_string function. But it is pretty long and for numerical values I often use $value + 0 statement. Is it secure enough?
Upvotes: 0
Views: 41
Answers (2)
Reputation: 906
for numerical variable mysqli_real_escape_string maybe cant help you
for example in blind sql inejction
i think you can use intval() function for more safety
this link more explain about this function
be successfull
Upvotes: 0
Reputation: 3994
Yes it is. Don't forget to use "real" which is the new version of mysqli_escape_string ;)
Btw, you should use prepared statement with mysqli:
You can read more about this on: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
This will avoid using mysqli_real_escape_string
Upvotes: 1
Related Questions
- Passing numeric variable and preventing SQL injection
- Is casting user input to an integer sufficient to sanitize it?
- (int) php and mysql injection
- PHP MySQL injection security: Does verifying that $_GET input is numeric provide enough protection?
- PHP (int) for variables in MySQL query. Secure?
- How to validate integer values to avoid SQL injection?
- Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?
- GET parameters vulnerable to SQL Injection - PHP
- Sanitizing Integer Database Input
- Is (int) and is_int() secure to protect against SQL injections?