SQL Injection and mysql_real_escape_string
05-02-2008, 09:45 PM
Join Date: Nov 2007
> Typecasting takes longer.

So you are saying performance is more important than security?

> There is no downside to putting quotes around the value in the query.

Which is what you are trying to do unless all of your columns are some sort of string type. That's the downside. You are trying to compare a string with an integer or you're inserting a string into an integer column. That doesn't make sense.

> Typecasting also does not take care of string values, which you will have to use quotes with.

and other methods for cleaning strings are for. They aren't for numbers. That's why it has string in the name.

> I should also add that in my cleaning function, I don't use mysql_real_escape_string() if it's an integer, but that is on a function basis; not inline.

Wait, so you are using a string that hasn't been sanitized? Or do you type cast it as an integer before using it? If the latter, why bother making it a string in the query? You already know it is secure.

By not typecasting you aren't forcing a variable to be what you expect and want it to be. If you want an integer, make it an integer so you aren't dealing with strings which can be exploited. It's so much easier to secure an integer than a string.
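The three routes argued over above (bare integer, typecast integer, escaped-and-quoted string), run side by side against one injection payload. This is an added example, not code from the thread or from either poster; it uses Python with an in-memory SQLite table instead of PHP and MySQL so it runs offline. The helpers `php_int_cast` (which imitates PHP's `(int)` cast: leading digits kept, anything else becomes 0) and `escape_sqlite` (SQLite's quote-doubling, standing in for what mysql_real_escape_string() does in MySQL's dialect) are hypothetical names chosen here. One dialect difference is labelled in the comments: for the quoted case SQLite returns nothing, while MySQL would coerce the string '1 OR 1=1' to the number 1 (with a warning) and return the row with id 1, which is still not an injection. The constructed sample rows and payload are embedded inline.

```python
import re
import sqlite3

PAYLOAD = "1 OR 1=1"  # constructed attacker input aimed at an integer parameter


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def names(conn, sql, params=()):
    """Run a query and return the name column as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def lookup_bare(conn, user_input):
    """No cast, no quotes: the input is spliced into the statement as SQL."""
    return names(conn, f"SELECT name FROM users WHERE id = {user_input}")


def php_int_cast(value):
    """Hypothetical helper mimicking PHP's (int) cast: keep the leading
    integer prefix, otherwise yield 0. '1 OR 1=1' becomes 1."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def lookup_typecast(conn, user_input, strict=False):
    """The typecast route from the thread: the value is an int before it
    reaches the query. strict=True uses Python's int(), which rejects junk
    with ValueError instead of silently truncating it the way (int) does."""
    value = int(user_input) if strict else php_int_cast(user_input)
    return names(conn, f"SELECT name FROM users WHERE id = {value}")


def escape_sqlite(value):
    """Escaping for SQLite's dialect (double each single quote). Stand-in for
    mysql_real_escape_string(); like it, it is useless unless the result is
    also wrapped in quotes in the query."""
    return value.replace("'", "''")


def lookup_quoted(conn, user_input):
    """The escape-and-quote route: the payload becomes a string literal and
    is compared to the integer column as data, not run as SQL.
    SQLite: '1 OR 1=1' is not a well-formed number, so TEXT != INTEGER -> [].
    MySQL would coerce it to 1 (warning 1292) and return the id=1 row."""
    return names(conn, f"SELECT name FROM users WHERE id = '{escape_sqlite(user_input)}'")


def lookup_param(conn, user_input):
    """Bound parameter: the driver keeps data and SQL apart with no hand
    escaping and no dependence on the column's type."""
    return names(conn, "SELECT name FROM users WHERE id = ?", (user_input,))


if __name__ == "__main__":
    db = make_db()
    print("bare       :", lookup_bare(db, PAYLOAD))      # every row: injected
    print("typecast   :", lookup_typecast(db, PAYLOAD))  # ['alice']: only the leading 1 survives
    try:
        lookup_typecast(db, PAYLOAD, strict=True)
    except ValueError as exc:
        print("strict int : rejected:", exc)
    print("quoted     :", lookup_quoted(db, PAYLOAD))    # []
    print("param      :", lookup_param(db, PAYLOAD))     # []
    print("quoted '2' :", lookup_quoted(db, "2"))        # ['bob']: a real id still matches
```

The bare version is the only one the payload actually breaks; the cast and the quoted-escaped string both stop it, which is the part of the argument both posters agree on. The design point the cast makes explicit is that a malformed value is handled before the query exists: with `strict=True` the request fails loudly, with the PHP-style cast it quietly becomes 1 or 0, and either way nothing reaches the database that is not an integer. Bound parameters get the same result without choosing between the two.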