On Tue, January 30, 2007 7:23 pm, Craige Leeder wrote: >> atleast this part: $user_id = mysql_real_escape_string((int) >> $_GET['user_id']); > > I'm not sure who put this in there, but you don't need to use > mysql_real_escape_string() on that value if you're type casting it. If > you are forcing it to be an integer, there is nothing to escape. > Integers are perfectly fine to be put into a query as they are. Can you guarantee that in every character encoding, past, present, and future?... Before you answer, keep in mind that the '-' sign is part of an (int). I'm not claiming that there is any real danger -- only that there is the theoretical possibility, and skimping on a mysql_real_escape_string() call is not the right thing to do. Actually, all I really wanted to do with that was to be sure that the OP did *something* to learn more about the security issues of user input and SQL injection attacks... Didn't expect it to engender this much discussion, but there it is. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
