Re: Select record by ID

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, January 30, 2007 7:23 pm, Craige Leeder wrote:
>> atleast this part: $user_id = mysql_real_escape_string((int)
>> $_GET['user_id']);
>
> I'm not sure who put this in there, but you don't need to use
> mysql_real_escape_string() on that value if you're type casting it. If
> you are forcing it to be an integer, there is nothing to escape.
> Integers are perfectly fine to be put into a query as they are.

Can you guarantee that in every character encoding, past, present, and
future?...

Before you answer, keep in mind that the '-' sign is part of an (int).

I'm not claiming that there is any real danger -- only that there is
the theoretical possibility, and skimping on a
mysql_real_escape_string() call is not the right thing to do.

Actually, all I really wanted to do with that was to be sure that the
OP did *something* to learn more about the security issues of user
input and SQL injection attacks...  Didn't expect it to engender this
much discussion, but there it is.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux