Aug 7, 2013, 05:50 #1
Any issues when using single quotes on numbers?
I have some PHP classes I have written that do various queries on MySQL. Some are designed to work around unique IDs which can be an int or a string (E.g. some I have use URL slugs for the query). To make them work with both an auto-increment ID and a string ID I always put single quotation marks around the ID value. So you get things like WHERE `id` = '45'. I know it always works and the MySQL server is smart enough not to throw it back as an error but are there any issues I should be aware of? Is it bad practice for me to work in this manner?
Am I right in saying if you aren't using prepared statements then, although lazy, adding quotes to ints is safer? E.g.
$bad = "' OR 1'";
$query = "SELECT * FROM table WHERE id = $bad"; // Injection
$query = "SELECT * FROM table WHERE id = '$bad'"; // Failed query, result returns false
$query = "SELECT * FROM table WHERE id = '" . $db->escape($bad) . "'"; // No results
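One way to serve both an auto-increment ID and a URL slug through a single lookup without hand-quoting anything, as an added example that is not code from the thread: it binds the value as a typed parameter, so the question of whether `'45'` needs quotes never arises. It assumes PDO and a hypothetical `pages` table with an INT `id` and a VARCHAR `slug` column.

```php
<?php
// Added example (not from the original post): look up a row by either its
// auto-increment id or its URL slug using a prepared statement, so the value
// is never spliced into the SQL text and no manual quoting is needed.
// Assumptions: a PDO connection $pdo and a hypothetical table `pages` with
// INT `id` and VARCHAR `slug` columns.

function findPage(PDO $pdo, int|string $identifier): ?array
{
    // Route on the PHP type, not on what the value looks like. With a quoted
    // literal such as WHERE id = '45abc', MySQL compares an INT column by
    // converting the string to a number (45, with a truncation warning), so
    // routing by type is what keeps "45abc" from matching row 45.
    if (is_int($identifier)) {
        $stmt = $pdo->prepare('SELECT id, slug, title FROM pages WHERE id = :id');
        $stmt->bindValue(':id', $identifier, PDO::PARAM_INT);
    } else {
        $stmt = $pdo->prepare('SELECT id, slug, title FROM pages WHERE slug = :slug');
        $stmt->bindValue(':slug', $identifier, PDO::PARAM_STR);
    }
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request input always arrives as a string; convert it deliberately, once,
// before the lookup. Only a pure decimal string becomes an int.
function identifierFromRequest(string $raw): int|string
{
    return ctype_digit($raw) ? (int) $raw : $raw;
}

// Constructed usage. The value from the post is just a slug that matches
// no row; it is sent to the server as data, never as part of the SQL.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, typed binds
]);
var_dump(findPage($pdo, identifierFromRequest("' OR 1'"))); // NULL
var_dump(findPage($pdo, identifierFromRequest('45')));      // row 45, or NULL
```

The `int|string` union type needs PHP 8; on older versions drop the type hint and keep the `is_int()` branch.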