SQL Injection and mysql_real_escape_string
05-01-2008, 10:18 PM
Join Date: Sep 2007
Originally Posted by
Since it is an integer, cast it as one. Don't try to use it as a string.
"99999 OR id > 0"
Typecasting takes longer. There is no downside to putting quotes around the value in the query. Typecasting also does not take care of string values, which you will have to use quotes with anyway. Typecasting will do the job, but it leaves a greater possibility of forgetting to do it. If you just type everything in with quotes, there is far less chance of forgetting.
Posted by Village Idiot
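The three treatments of an integer id argued over above (unquoted, quoted-and-escaped, cast) side by side, as an added example that is not code from the post. The thread is about PHP and mysql_real_escape_string; this demo uses Python's sqlite3 so it runs offline, so the escape() helper is a stand-in (assumption): SQLite does not honour backslash escapes, so it doubles single quotes instead of backslash-escaping the way mysql_real_escape_string does. The table and inputs are constructed for the demo. A bound-parameter version is included as the check a practitioner would want, since it sidesteps the quote-versus-cast choice entirely.

```python
import sqlite3

# Constructed demo table: three users with integer ids.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def escape(value):
    """Stand-in for mysql_real_escape_string (assumption for this demo).

    MySQL's function backslash-escapes quotes, NUL, newlines, etc. SQLite
    treats backslash as an ordinary character, so the SQL-standard quote
    doubling is used here instead; for the payloads below the effect is
    the same: the input stays inside one string literal.
    """
    return value.replace("'", "''")


def ids_unquoted(conn, raw):
    # Vulnerable: the integer is "used as a string" with no quotes and no cast,
    # so "99999 OR id > 0" becomes part of the WHERE clause.
    sql = "SELECT id FROM users WHERE id = %s" % raw
    return [row[0] for row in conn.execute(sql)]


def ids_quoted(conn, raw):
    # The post's recommendation: always quote, always escape. The payload is
    # now a string literal that no integer id equals, so nothing is returned.
    sql = "SELECT id FROM users WHERE id = '%s'" % escape(raw)
    return [row[0] for row in conn.execute(sql)]


def ids_cast(conn, raw):
    # The quoted reply's recommendation: cast before building the query.
    # Non-numeric input never reaches SQL at all; we signal that with None.
    try:
        n = int(raw)
    except ValueError:
        return None
    sql = "SELECT id FROM users WHERE id = %d" % n
    return [row[0] for row in conn.execute(sql)]


def ids_param(conn, raw):
    # Bound parameter: the value is sent separately from the SQL text, so
    # there is nothing to quote, escape or cast for injection purposes.
    cur = conn.execute("SELECT id FROM users WHERE id = ?", (raw,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    conn = make_db()
    payloads = ["2", "99999 OR id > 0", "99999' OR '1'='1"]
    for raw in payloads:
        for fn in (ids_unquoted, ids_quoted, ids_cast, ids_param):
            try:
                result = fn(conn, raw)
            except sqlite3.Error as exc:
                result = "SQL error: %s" % exc
            print("%-12s %-20r -> %r" % (fn.__name__, raw, result))
```

With the first payload, ids_unquoted returns every id in the table; every other variant returns nothing (or refuses the input in the cast case). The second payload makes the unquoted query a syntax error, which is the noisy failure an attacker would then refine. Note that "quote everything" only protects you if every value also goes through the connection's escaping function; quotes without escaping are what the second payload defeats.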