php - How to use mysqli_real_escape_string for int value? -
i have $search= mysqli_real_escape_string($conn,$_post['search']); now, want know if can converted int , safe option avoid sql injection.
$sql ="select * basket quantity =$search";
**here quantity int
yes, strictly speaking, casting variable (int)
or intval()
removes risk of variable causing sql injection.
but not reason avoid using query parameters.
for 1 thing, might have both string , integer variables combine sql statement. makes code more complex use different methods of making variables safe, depending on type. if use query parameters variables, simplify code.
please right.
Comments
Post a Comment