Posted by Chung Leong on 11/04/05 09:37
Malcolm Dew-Jones wrote:
> Definitely correct, but escaping is not the same as using intval to force
> something into a number. Escaping is the mechanism to ensure that the
> database (or whatever) sees and stores the original data in its original
> format.
Well, how else do you safely insert an integer into a SQL statement?
You could escape and put quotes around it, but then you're just asking
the database to cast the number into integer for you. If you leave it
as is then you're placing the burden on your validation and error
handling code to avert SQL injection. I could easily imagine someone
writing something like this: if(preg_match('/[0-9]+/', $pkTable)) { ...
}. Calling intval or floatval is easy enough.
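The three approaches contrasted above (an unanchored digit regex as a gate, intval-style coercion, and a strict check plus a bound parameter), as an added example that is not part of the original thread. It is written in Python against an in-memory SQLite table so it runs offline: `re.search` stands in for PHP's unanchored `preg_match('/[0-9]+/', ...)`, `php_intval` is a small stand-in that imitates PHP's `intval()` on strings (leading digits, otherwise 0), and the table, the query functions and the sample inputs are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample inputs: the payload contains digits, so a digit check
# that is not anchored to the whole string lets it through.
MALICIOUS_ID = "1 OR 1=1"
BENIGN_ID = "42"


def setup_db():
    """Create a throwaway in-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (42, 'bob'), (99, 'carol');
        """
    )
    return conn


def unanchored_check(value):
    """Mirrors preg_match('/[0-9]+/', $x): any digit anywhere passes."""
    return re.search(r"[0-9]+", value) is not None


def anchored_check(value):
    """Whole-string match: only a run of digits and nothing else passes."""
    return re.fullmatch(r"[0-9]+", value) is not None


def php_intval(value):
    """Stand-in for PHP intval() on a string: optional sign and leading
    digits are converted, anything else yields 0."""
    m = re.match(r"\s*[+-]?[0-9]+", value)
    return int(m.group()) if m else 0


def query_with_regex_gate(conn, raw_id):
    """The pattern the post warns about: validate with an unanchored regex,
    then interpolate the raw string into the SQL."""
    if not unanchored_check(raw_id):
        raise ValueError("not an integer")
    sql = f"SELECT name FROM users WHERE id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def query_with_intval(conn, raw_id):
    """Coerce to an integer before interpolating: whatever the input,
    only an integer literal reaches the SQL text."""
    sql = f"SELECT name FROM users WHERE id = {php_intval(raw_id)}"
    return [row[0] for row in conn.execute(sql)]


def query_with_placeholder(conn, raw_id):
    """Strict validation plus a bound parameter: bad input is rejected
    rather than silently coerced, and the value never touches SQL text."""
    if not anchored_check(raw_id):
        raise ValueError("not an integer")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


def rejects(func, conn, raw_id):
    """True if func refuses raw_id with ValueError (used by the checks)."""
    try:
        func(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    # Unanchored regex passes the payload and the query returns every row.
    print("regex gate :", query_with_regex_gate(db, MALICIOUS_ID))
    # intval reduces "1 OR 1=1" to 1, so only alice comes back.
    print("intval     :", query_with_intval(db, MALICIOUS_ID))
    # Strict check refuses the payload outright.
    print("placeholder:", rejects(query_with_placeholder, db, MALICIOUS_ID))
```

The intval path is safe against injection but silent: "12abc" and "1 OR 1=1" both become valid lookups, so a malformed key is never reported. Rejecting anything that is not purely digits and passing the value as a bound parameter keeps the same guarantee while surfacing bad input. The quote-and-escape variant the post mentions is deliberately left out because its outcome depends on the database: some engines cast a string such as '1 OR 1=1' to its leading integer with a warning, others raise a type error, so it is not a portable check.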