is it safe to use cast (int) instead of escaping?
class opinion
{
    function loadbyopinionid($opinionid)
    {
        // Cast to integer so no SQL metacharacters can survive in the value
        $opinionid = (int)$opinionid;
        mysql_query("select * from fe_opinion where opinionid=$opinionid");
        //more code
    }
}
This extension was deprecated in PHP 5.5.0 and removed in PHP 7.0.
You should use real_escape_string on any parameter you're mixing as a string literal into the SQL statement, and only on those string literal values.
The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
mysql_real_escape_string is safe to use if used properly (i.e., everywhere you're inserting PHP variables into your queries), but as has been pointed out in the comments it's not the only thing you need to worry about. For example, HTML markup could be inserted into your DB and used for Cross Site Scripting attacks.
mysql_real_escape_string is for STRINGS. It will not make an integer 'safe' for use. E.g.
$safe = mysql_real_escape_string($_GET['page']);
will do NOTHING where
$_GET['page'] = "0 = 0";
because there are no SQL metacharacters in there. Your query would end up something like
SELECT ... WHERE somefield = 0 = 0
However, doing intval() will convert that 0=0 into a plain 0.
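An added example (not code from the question or either answer) that puts both points above side by side: the (int) cast or filter_var validation for the integer slot in the question's query, and escaping only for a quoted string literal. The helpers where_opinionid_cast, where_opinionid_validated, where_title_escaped and escape_like_mysql are hypothetical names, and escape_like_mysql stands in for mysqli_real_escape_string (assuming the default single-byte character set) so the script runs without a database connection.

```php
<?php
// Added example, not code from the original question or answers.

// The integer lookup from the question: (int) coerces any non-numeric input
// ("0 = 0", "abc") to a plain integer, so no SQL structure can survive.
function where_opinionid_cast(string $raw): string
{
    $opinionid = (int) $raw;
    return "SELECT * FROM fe_opinion WHERE opinionid=$opinionid";
}

// Stricter variant: reject input that is not an integer instead of silently
// coercing it to 0 (which would quietly query a row the caller never asked for).
function where_opinionid_validated(string $raw): ?string
{
    $opinionid = filter_var($raw, FILTER_VALIDATE_INT);
    if ($opinionid === false) {
        return null; // caller should answer with an error, not run a query
    }
    return "SELECT * FROM fe_opinion WHERE opinionid=$opinionid";
}

// Stand-in for mysqli_real_escape_string (assumption: default single-byte
// charset, no DB connection). It escapes the same characters: NUL \n \r \ ' " Ctrl-Z.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"", "\0" => "\\0",
        "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Escaping is the right tool only where the value sits inside quotes.
function where_title_escaped(string $raw): string
{
    return "SELECT * FROM fe_opinion WHERE title='" . escape_like_mysql($raw) . "'";
}

// Run with the "0 = 0" input from the second answer (constructed sample input).
$raw = "0 = 0";
echo where_opinionid_cast($raw), "\n";        // ... WHERE opinionid=0
var_dump(where_opinionid_validated($raw));    // NULL: rejected before any query runs
echo where_title_escaped($raw), "\n";         // ... WHERE title='0 = 0' (inert inside quotes)
// Escaping alone changes nothing for an unquoted integer slot: nothing to escape.
echo "SELECT * FROM fe_opinion WHERE opinionid=" . escape_like_mysql($raw), "\n";
```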