On 4/1/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
So, after a recent thread on data filtering, I'm wondering... Is this "good enough" in ALL possible Unicode/charset situations: $foo_id = (int) $_POST['foo_id']; $query = "insert into whatever(foo_id) values($foo_id)"; Or is it possible, even theoretically possible, for a sequence of: [-]?[0-9]+ to somehow run afoul of ANY charset? Perhaps more interesting, how about this: $foo = (float) $_POST['foo']; Is there any way for any PHP output from (float), even with decimal overflow/underflow in various databases, for that to "go wrong"? Should one be ultra-conservative and just do: $foo_sql = mysql_real_escape_string($connection); or is that just being silly?
This oen is better i believe, but you probably don't want to unescape the connection :) use this instead: $foo_sql = mysql_real_escape_string($foo_sql,$connection); Tijnema
-- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php