  • I'll accept that. Now, as far as the usefulness of Type Casting? Commented Dec 7, 2010 at 15:40
  • It's funny that you bring up SQL injection. I was arguing over on SO with someone using this technique to sanitize user input. But what problem does this method solve that mysql_real_escape_string($id); doesn't already? Commented Dec 7, 2010 at 20:08
  • It's shorter :-) Of course, for strings I use parameterized queries, or (if using the old mysql extension) escape it. Commented Dec 7, 2010 at 20:11
  • 2
    mysql_real_escape_string() has a vulnerability of doing nothing to strings like '0x01ABCDEF' (i.e. hexadecimal representation of an integer). In some multibyte encodings (not Unicode, luckily) a string like this can be used to break the query (because it gets evaluated by MySQL to something that contains a quote). That's why neither mysql_real_escape_string() nor is_int() is the best choice for dealing with integer values. Typecasting is. Commented Jan 3, 2011 at 12:30
  • A link with some more details: ilia.ws/archives/… Commented Jan 3, 2011 at 12:45
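The integer-handling pattern the comments converge on (validate or cast the id to an integer, and use parameterized queries for everything else), as an added example that is not part of the thread. It assumes PDO with the MySQL driver; the `$dsn`, `$user` and `$pass` values are placeholders, and `parseId` and `findUser` are names chosen here for illustration.

```php
<?php
// Added example (not from the thread): safe handling of an integer id from
// user input in PHP. Assumes PDO + MySQL; connection details are placeholders.

/**
 * Return the id as an int, or null if the input is not a plain decimal integer.
 * FILTER_VALIDATE_INT rejects strings such as '0x01ABCDEF' (hex is only
 * accepted with FILTER_FLAG_ALLOW_HEX) and '1 OR 1=1' outright, whereas a
 * bare (int) cast would silently coerce them to 0 and 1 respectively.
 */
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Look up a user by id. The id is validated first, then bound as a parameter:
 * no user-controlled characters ever reach the SQL text, so escaping rules
 * and the connection's character set no longer decide whether this is safe.
 */
function findUser(PDO $db, string $rawId): ?array
{
    $id = parseId($rawId);
    if ($id === null) {
        return null; // reject bad input instead of coercing it
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs showing what the validator does with each.
foreach (['42', '0x01ABCDEF', '1 OR 1=1', '-5', ''] as $input) {
    printf("%-12s => %s\n", var_export($input, true), var_export(parseId($input), true));
}

// Placeholder connection; charset is set in the DSN so the driver and the
// server agree on the encoding, which is the issue raised in the thread.
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass);
// var_dump(findUser($db, $_GET['id'] ?? ''));
```

A plain `(int)$id` cast, as the comments suggest, is also safe to interpolate into a query because its result can never contain a quote; the validator above is stricter in that it lets the application distinguish "not a number" from a genuine id of 0 and reject it. Binding the value through PDO on top of that removes the dependency on escaping altogether.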