我应该使用mysql_real_escape_string转义一个期望的整数值，或者我可以使用（int）$ expectedinteger [英] Should I escape an expected integer value using mysql_real_escape_string or can I just use (int)$expectedinteger

问题描述

是否可以安全地使用cast（int）而不是转义？

is it safe to use cast (int) instead of escaping?

class opinion
{
   function loadbyopinionid($opinionid){
      $opinionid=(int)$opinionid;
      mysql_query("select * from fe_opinion where opinionid=$opinionid");
      //more code 
   }
}

推荐答案

mysql_real_scape_string用于 STRINGS 。它不会使整数安全使用。例如

mysql_real_scape_string is for STRINGS. it will not make an integer 'safe' for use. e.g.

$safe = mysql_real_escape_string($_GET['page']);

将执行NOTHING，其中

will do NOTHING where

$_GET['page'] = "0 = 0";

，因为其中没有SQL元字符。您的查询将会结束像

because there's no SQL metacharacters in there. your query would end up something like

SELECT ... WHERE somefield = 0 = 0

c $ c> 0 。

However, doing intval() will convert that 0=0 into a plain 0.

这篇关于我应该使用mysql_real_escape_string转义一个期望的整数值，或者我可以使用（int）$ expectedinteger的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！