Hi,

I've always escaped numerical values in MySQL using real_escape_string but have just read that this could still lead to a SQL injection—and of course as the function name suggests it is for strings only, stupid me. I don't think any of my sites are vulnerable though as I'm pretty sure I cast ints when validating, for example, a page number on the front end. Example:

PHP Code:
$page = (int) $_GET["page"];

My questions are:

1. How could not casting per above result in a SQL injection? Would the worst case scenario be they add =0 to the end and return all results?

2. Is there any better way to escape numerical values in PHP (for int and floats respectively) or is casting sufficient?

Thanks.
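
An added example, not part of the original post: it compares a numeric parameter that is escaped but left unquoted with a cast, a strict validation, and a bound integer parameter. To run without a MySQL server it assumes an in-memory SQLite table named `posts` through PDO, and `escape_like_mysql()` is a hypothetical stand-in that escapes the same characters as `real_escape_string`.

```php
<?php
// Stand-in for mysqli::real_escape_string so this runs without a MySQL server
// (assumption: escapes the same characters: NUL, \n, \r, \, ', ", Ctrl-Z).
function escape_like_mysql(string $s): string {
    return strtr($s, ["\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
                      "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z"]);
}

// Constructed sample inputs for a "page"/"id" style parameter.
$samples = ["3", "3 OR 1=1", "3.7", "abc", ""];

// In-memory SQLite table (hypothetical schema) to show the effect on results.
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO posts (id, title) VALUES (1,'a'),(2,'b'),(3,'c')");

foreach ($samples as $raw) {
    // 1. Escaped but unquoted: there is no quote or backslash to escape,
    //    so the whole value is still parsed as SQL syntax.
    $unsafe = "SELECT COUNT(*) FROM posts WHERE id = " . escape_like_mysql($raw);
    try {
        $unsafeRows = $db->query($unsafe)->fetchColumn();
    } catch (PDOException $e) {
        $unsafeRows = "SQL error";
    }

    // 2. Cast: the result is always an integer, but bad input is silently
    //    coerced ("abc" and "" become 0, "3.7" becomes 3).
    $cast = (int) $raw;

    // 3. Validation: reject bad input instead of coercing it.
    $valid = filter_var($raw, FILTER_VALIDATE_INT, ["options" => ["min_range" => 1]]);

    // 4. Prepared statement with an integer-typed parameter.
    $stmt = $db->prepare("SELECT COUNT(*) FROM posts WHERE id = :id");
    $stmt->bindValue(":id", $cast, PDO::PARAM_INT);
    $stmt->execute();
    $safeRows = $stmt->fetchColumn();

    printf("%-10s unquoted+escaped rows=%-9s cast=%d validated=%s bound rows=%s\n",
        var_export($raw, true), $unsafeRows, $cast,
        $valid === false ? "rejected" : $valid, $safeRows);
}
```

The same pattern applies to floats with `(float)` and `FILTER_VALIDATE_FLOAT`.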