Apr 30, 2013, 08:47 #1
Escaping numerical values in MySQL
I've always escaped numerical values in MySQL using real_escape_string but have just read that this could still lead to a SQL injection—and of course as the function name suggests it is for strings only, stupid me. I don't think any of my sites are vulnerable though as I'm pretty sure I cast ints when validating, for example, a page number on the front end. Example:
$page = (int) $_GET["page"];
1. How could not casting per above result in a SQL injection? Would the worst case scenario be they add =0 to the end and return all results?
2. Is there any better way to escape numerical values in PHP (for int and floats respectively) or is casting sufficient?
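Added example, not code from the original post: the integer cast in the question does keep non-numeric text out of the query, but `(int)` silently turns any garbage into 0, so it validates nothing. The pattern below validates the page number and a float value with `filter_var` (which returns `false` for input that is not a well-formed number), then passes them to MySQL as typed bound parameters with a mysqli prepared statement, so the values are never spliced into the SQL text at all. The host, database name, credentials and the `posts`/`products` tables are placeholders assumed for the example.

```php
<?php
// Added example (not from the original post): validate numeric request
// parameters, then bind them as typed parameters instead of escaping.
declare(strict_types=1);

/**
 * Return a page number as an int, or null when the input is not a plain
 * integer in [1, $max]. Unlike (int), FILTER_VALIDATE_INT rejects "", "abc",
 * "1x" and "1e3" instead of converting them to some integer.
 */
function validatePage(mixed $raw, int $max = 100000): ?int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $page === false ? null : $page;
}

/**
 * Return a non-negative, finite float, or null. FILTER_VALIDATE_FLOAT accepts
 * "1.5", "-2" and "3e2" but rejects "1,5" and non-numeric strings.
 */
function validatePrice(mixed $raw): ?float
{
    $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($v === false || !is_finite($v) || $v < 0) {
        return null;
    }
    return $v;
}

// Placeholder connection details; replace with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'secret', 'app_db');

// Fall back to page 1 on missing or invalid input rather than to 0.
$page    = validatePage($_GET['page'] ?? 1) ?? 1;
$perPage = 25;
$offset  = ($page - 1) * $perPage;

// 'ii' binds both values as integers; the SQL text never contains user input,
// so there is nothing left to escape. bind_param needs variables, not expressions.
$stmt = $db->prepare('SELECT id, title FROM posts ORDER BY id LIMIT ? OFFSET ?');
$stmt->bind_param('ii', $perPage, $offset);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// Same idea for a float: 'd' binds a double.
$maxPrice = validatePrice($_GET['max_price'] ?? '');
if ($maxPrice !== null) {
    $stmt = $db->prepare('SELECT id, name FROM products WHERE price <= ?');
    $stmt->bind_param('d', $maxPrice);
    $stmt->execute();
    $products = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

The validation step is what answers the "is casting sufficient" question: a cast guarantees the type, `filter_var` with a range also guarantees the value is one the application actually accepts, and the prepared statement removes the need to escape numbers (or strings) by hand.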