php - How to use mysqli_real_escape_string for int value? -


i have $search= mysqli_real_escape_string($conn,$_post['search']); now, want know if can converted int , safe option avoid sql injection.

$sql ="select * basket quantity =$search";

**here quantity int

yes, strictly speaking, casting variable (int) or intval() removes risk of variable causing sql injection.

but not reason avoid using query parameters.

for 1 thing, might have both string , integer variables combine sql statement. makes code more complex use different methods of making variables safe, depending on type. if use query parameters variables, simplify code.

please right.


Comments

Popular posts from this blog

resizing Telegram inline keyboard -

command line - How can a Python program background itself? -

php - "cURL error 28: Resolving timed out" on Wordpress on Azure App Service on Linux -