Quote:
Originally Posted by hadi
What I mean is the difference in function between intval() and mysql_real_escape_string(). Anyway, a quick search about intval() on Google explains everything.
From what I learned, mysql_real_escape_string() is good enough to sanitize ANY user input. I'm just worried that the mysql_real_escape_string() function only works under certain conditions.
Thanks
intval() will convert any data to an integer. So for example:
Code:
$variable = "I am some injected text";
echo intval($variable);
The output of this would be:
0
So if you are expecting a variable to be an integer, such as a timestamp or an ID #, pass it through intval() and, no matter what, it will always come out as a number. It eliminates any chance that the variable has been injected with any SQL code. If you just used mysql_real_escape_string() you could still cause an error if MySQL is expecting an integer. This does not help you, however, when you NEED text. Then you use mysql_real_escape_string().
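As an added illustration of the reply above (this is example code written for this thread, not code from either poster): it runs intval() over the sort of values that arrive in $_GET or $_POST, checks whether each one even contains a character that mysql_real_escape_string() would touch, and builds the resulting integer-slot query. The mysqli prepared-statement function at the end is the modern form for a text slot; it assumes a users table with id and name columns and an already-open mysqli connection ($db), both of which are assumptions for the example, and it is defined but not called so the script runs without a database.

```php
<?php
// Added example for this thread; not code from either poster.
// Shows intval() on typical request values, why escaping alone does not
// protect an unquoted integer slot, and the prepared-statement form for text.

// The characters mysql_real_escape_string() / mysqli_real_escape_string()
// actually escape, per the PHP manual: NUL, \n, \r, \, ', " and Ctrl-Z.
function contains_escapable_chars(string $s): bool
{
    return preg_match('/[\x00\n\r\\\\\'"\x1a]/', $s) === 1;
}

// Integer slot: coerce with intval() (or an (int) cast). Anything non-numeric
// becomes 0, "42abc" becomes 42, "1 OR 1=1" becomes 1.
function user_by_id_query(string $rawId): string
{
    return 'SELECT * FROM users WHERE id = ' . intval($rawId);
}

// Constructed sample inputs standing in for $_GET['id'].
$samples = [
    '42',
    '42abc',
    '-7',
    '1 OR 1=1',
    '1; DROP TABLE users',
    'I am some injected text',
];

foreach ($samples as $raw) {
    printf(
        "%-28s intval=%-4d escapable chars? %-3s -> %s\n",
        var_export($raw, true),
        intval($raw),
        contains_escapable_chars($raw) ? 'yes' : 'no',
        user_by_id_query($raw)
    );
}
// '1 OR 1=1' contains none of the escapable characters, so
// mysql_real_escape_string() would return it unchanged and the unquoted
// "WHERE id = 1 OR 1=1" would match every row. intval() reduces it to 1.

// Text slot with the current API (the mysql_* extension was removed in
// PHP 7.0): a prepared statement sends the value separately from the SQL,
// so the value is never parsed as part of the query. $db is assumed to be
// an open mysqli connection (get_result() needs mysqlnd); this function
// is defined here but not called.
function user_by_name(mysqli $db, string $rawName): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $rawName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Two practical notes on the "certain conditions" worry: mysql_real_escape_string() needs an open connection and escapes according to that connection's character set, so set the charset with mysql_set_charset() (or mysqli_set_charset()) rather than a SET NAMES query, otherwise the escaping can be wrong for multibyte charsets; and none of that matters for an unquoted integer slot, which is exactly the case intval() covers.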