Good afternoon.
I found this code in a program I'm renovating and think this is very redundant. Also, it does slow queries down while doing all of the conversions.
prod_id in the mysql database is declared an integer.
<SQL above> where prod_id = '" . (int)$prod_id . "' and <SQL below>
Question: since $prod_id is already an integer, why would someone convert it into an integer, then convert it into a string to later have mysql convert it back into an integer? Could someone shed some light on the intent behind this weird code?
This is most likely a security measure and not redundant at all. Even if someone tries to "inject" malicious SQL into $prod_id, this code will cast it as an integer, discarding any non-numeric characters. For example, if $prod_id is "42; drop database foo;", that would be very dangerous. With the (int) cast, $prod_id will simply be cast to the integer 42. A good idea in my view.
--Dave
-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
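As an added illustration of Dave's point (not code from the original thread), the snippet below runs a few constructed values of $prod_id through the (int) cast and shows what actually reaches the query, then gives the prepared-statement form that avoids splicing the value into the SQL text at all. The table and column names and the $pdo connection are assumptions.

```php
<?php
// Added example: what PHP's (int) cast does to different shapes of $prod_id
// before the value is spliced into the WHERE clause from the original post.
// Constructed sample inputs; "products"/"name" and $pdo are assumed.

$samples = [
    "42",                        // well-formed id
    "42; drop database foo;",    // the injection attempt from the thread
    "42abc",                     // trailing junk after the digits
    "abc",                       // no leading digits at all
    "  17",                      // leading whitespace
    "-3",                        // negative id
];

foreach ($samples as $prod_id) {
    // (int) keeps the leading optional whitespace/sign/digits and drops the
    // rest; a string with no leading digits becomes 0. An explicit cast never
    // raises a warning, so this is silent by design.
    $id  = (int)$prod_id;
    $sql = "SELECT name FROM products WHERE prod_id = '" . $id . "'";
    printf("%-28s -> %s\n", var_export($prod_id, true), $sql);
}

// Preferred form: a prepared statement with a typed parameter. The value is
// sent separately from the SQL text, so no quoting or casting dance is needed
// (the cast is kept only to guarantee an integer is bound).
function fetch_product(PDO $pdo, $prod_id): array|false
{
    $stmt = $pdo->prepare("SELECT name FROM products WHERE prod_id = ?");
    $stmt->bindValue(1, (int)$prod_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
```

One caveat worth keeping in mind: the cast only protects this single integer column; every string column in the same query still needs escaping or, better, a bound parameter.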