Re: move "if" logic from php into query

In my data scrubbing function, I pass it a content type (phone, city, SSN, etc.), do whatever scrubbing/filtering I'm going to do on that type of content, and then, after everything's done, I do the mysql_real_escape_string() on it and return that to where the function was called.

That way, everything going into the database has at least mysql_real_escape_string() run on it.  The other checks on the content are just to verify that the data is similar in format and composition to what that type of data should be like.

For instance, Phone #'s and SSNs have everything but numbers removed, but are not treated as numbers (since a leading zero is still important).

-TG


= = = Original message = = =

On Thu, April 26, 2007 4:02 am, Sebe wrote:
> i always use intval() on something i'm inserting into the database that
> *should* be an integer. i don't know if there is a difference or a good
> reason to pick one or the other.. i'm not Richard so maybe he can
> create an interesting story for us on the *proper* way ;-)

Well...

(int) $foo;
intval($foo);

are pretty interchangeable, really.

Just depends if you're an old C hacker or you prefer making function
calls.

I can't imagine doing enough of either in any real script for
performance to be an issue, so let's skip the whole benchmark thread,
please???

That said, I've recently decided that even after doing (int) [or
intval()] that I'd like to be 100% kosher and still do
mysql_real_escape_string.

Mainly because somebody pointed out that doing the same thing for
(float) could yield things that may not be "good" in SQL like
underflow, overflow, exponential notation, and also that the - sign in
front *could* end up being part of a subtraction and you *could*
manage to leave out the space, and then you've got an SQL comment
instead of subtraction.

$a = (int) $_REQUEST['a'];
$b = (int) $_REQUEST['b'];
$query = "select $a-$b ";

http://example.com/?a=5&b=-3

So the (int) or intval() is "not enough" imho.

YMMV

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



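What the two posts describe, as an added example that is not code from either poster. It combines a per-type scrubbing function in the spirit of the first post with a runnable version of the `$a-$b` problem from the quoted one. It assumes PHP 7.4 or later with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL purely so the example runs offline); the function names scrub, naive_subtraction, safe_subtraction and bound_subtraction are this example's own.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.4+ with pdo_sqlite
// (SQLite stands in for MySQL so this runs offline). The helper names below
// are this example's own, not anything the posters used.
declare(strict_types=1);

// Per-type scrubber in the spirit of the first post: validate or filter by
// content type, then quote through the driver before returning a fragment
// that can be spliced into SQL. Phone numbers and SSNs keep only digits but
// stay strings, so a leading zero survives.
function scrub(PDO $db, string $type, string $value): string
{
    switch ($type) {
        case 'int':
            $v = filter_var($value, FILTER_VALIDATE_INT);
            if ($v === false) {
                throw new InvalidArgumentException("not an integer: $value");
            }
            return (string) $v;      // a negative value keeps its leading '-'
        case 'float':
            $v = filter_var($value, FILTER_VALIDATE_FLOAT);
            if ($v === false || !is_finite($v)) {
                // (float) "1e400" is INF, and "INF"/"NAN" are not SQL numbers:
                // reject them instead of interpolating them.
                throw new InvalidArgumentException("not a finite number: $value");
            }
            return (string) $v;      // exponent notation such as 1.0E+25 is a valid literal
        case 'phone':
        case 'ssn':
            return $db->quote(preg_replace('/\D+/', '', $value));
        case 'city':
            return $db->quote(trim($value));
        default:
            throw new InvalidArgumentException("unknown content type: $type");
    }
}

// The quoted post's example: both operands are (int)-cast, yet the text that
// reaches the SQL parser is "$a" immediately followed by "-" and "$b".
function naive_subtraction(string $a, string $b): string
{
    $a = (int) $a;
    $b = (int) $b;
    return "select $a-$b";
}

// Parenthesising each interpolated value keeps a sign attached to its number
// and prevents two dashes from ever touching.
function safe_subtraction(string $a, string $b): string
{
    $a = (int) $a;
    $b = (int) $b;
    return "select ($a)-($b)";
}

// Binding the values as parameters keeps them out of the SQL text entirely.
function bound_subtraction(PDO $db, string $a, string $b): int
{
    $stmt = $db->prepare('select ? - ?');
    $stmt->bindValue(1, (int) $a, PDO::PARAM_INT);
    $stmt->bindValue(2, (int) $b, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The request from the quoted URL: a=5, b=-3.
$naive = (int) $db->query(naive_subtraction('5', '-3'))->fetchColumn();
$safe  = (int) $db->query(safe_subtraction('5', '-3'))->fetchColumn();
$bound = bound_subtraction($db, '5', '-3');
printf("naive: %d, parenthesised: %d, bound: %d\n", $naive, $safe, $bound);

// Constructed sample inputs for the scrubber.
echo scrub($db, 'phone', '(555) 012-3456'), "\n";
echo scrub($db, 'ssn', '012-34-5678'), "\n";
echo scrub($db, 'int', '-3'), "\n";
try {
    scrub($db, 'float', '1e400');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With a=5 and b=-3 the naive query text is `select 5--3`. SQLite and PostgreSQL treat `--` as the start of a comment wherever it appears, so that statement is executed as `select 5` and the naive result is 5 while the parenthesised and bound versions give 8. MySQL is more forgiving on this exact string: its `--` comment requires a following whitespace character, so `5--3` there is parsed as 5 minus negative 3. Note that escaping after the cast, as the quoted post proposes, does not address this case either way: mysql_real_escape_string() rewrites NUL, newline, carriage return, backslash, quotes and Ctrl-Z, and leaves a minus sign untouched. Parenthesising interpolated numbers, or binding them as parameters, is what actually keeps the sign from merging with the operator.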

