Quote Originally Posted by DrQuincy View Post
Thanks, so I guess is_numeric is the way to go then.
is_numeric() is the simplest general check and will work fine; you can also use regular expressions (preg_match) when you want to target some more specific number formats. ctype_digit() is also worth considering.

The one weird thing about is_numeric() is that it will accept a number if it contains any number of whitespace characters in front of the number. However, this should not cause any issues in SQL. If you want to avoid this, just remember to use trim() on the value.

Quote Originally Posted by DrQuincy View Post
Do you see prepared statements as only useful if you are reusing the queries then?
Basically, yes. In most cases there are some trade-offs I don't think are worth accepting:

- with prepared statements it is difficult to log queries with actual data (for any purpose), because you send queries with placeholders only and the data is sent separately
- binding values breaks the linear flow of code compared to injecting values into SQL by concatenation: the SQL is in a different place than the bind() statements, so when you look at the SQL you don't see where the values come from because there are only placeholders. This becomes tedious if a query is larger and you have to scroll your code to see what value/variable is behind the placeholder. Placeholders look cleaner at first glance, but after a few times of using them I find the 'uglier' concatenation to be actually easier to read and debug.
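An added example, not code from the thread or from either poster, showing how the checks named above (is_numeric(), ctype_digit(), preg_match(), trim()) treat a few constructed inputs, and the placeholder form discussed in the second reply written with PDO. It assumes the pdo_sqlite extension is available; the `items` table, its columns and the logging line are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs: the kinds of values that arrive in $_GET / $_POST.
$inputs = ['42', '  42', '42 ', '4.2', '1e3', '0x1A', '-7', 'abc', ''];

// Run each of the checks mentioned in the thread on one value.
function classify(string $value): array
{
    return [
        'is_numeric'  => is_numeric($value),                      // leading whitespace, floats and exponents pass
        'ctype_digit' => ctype_digit($value),                     // only 0-9: no sign, no whitespace, no decimals
        'preg_match'  => (bool) preg_match('/^-?\d+$/', $value),  // optional sign, then digits only
        'trim+ctype'  => ctype_digit(trim($value)),               // trim() strips the whitespace is_numeric() tolerates
    ];
}

printf("%-8s %-10s %-11s %-10s %s\n", 'input', 'is_numeric', 'ctype_digit', 'preg_match', 'trim+ctype');
foreach ($inputs as $in) {
    $flags = array_map(fn(bool $b): string => $b ? 'true' : 'false', classify($in));
    printf("%-8s %-10s %-11s %-10s %s\n", var_export($in, true), ...array_values($flags));
}
// Note: '42 ' (trailing whitespace) is numeric only on PHP 8.0+, where trailing
// whitespace became allowed in numeric strings; earlier versions reject it.

// In-memory SQLite so the query part runs offline (assumes ext/pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');   // hypothetical table
$pdo->exec("INSERT INTO items (id, name) VALUES (1, 'first'), (42, 'answer')");

// Validate first, then query with a placeholder. Passing the values to execute()
// keeps them next to the SQL, and both can be logged together.
function fetchItem(PDO $pdo, string $rawId): ?array
{
    $id = trim($rawId);
    if (!ctype_digit($id)) {          // reject anything that is not a plain unsigned integer
        return null;
    }
    $sql    = 'SELECT id, name FROM items WHERE id = :id';
    $params = [':id' => (int) $id];
    error_log($sql . ' ' . json_encode($params));   // hypothetical logging line: SQL plus its data
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(fetchItem($pdo, '  42'));        // leading whitespace trimmed, row with id 42 returned
var_dump(fetchItem($pdo, '42 OR 1=1'));   // fails ctype_digit(), NULL before any SQL is built
```

Run with `php example.php`; the table shows which check accepts which input, and the two fetchItem() calls show the validated value reaching the query while a non-digit string never does.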
- binding values break the linear flow of code as compared to injecting values to sql by the use of concatenating - the sql is in a different place than the bind() statements, so when you look at sql you don't see where the values come from because there are only placeholders. This becomes tedious if a query is larger and you have to scroll your code to see what value/variable is behind the placeholder. Placeholders look cleaner at first glance but after a few times of using them I find the 'uglier' concatenation to be actually easier to read and debug.