|
|
Posted by Justin Koivisto on 11/04/05 22:21
Chung Leong wrote:
> Malcolm Dew-Jones wrote:
>
>>Definitely correct, but escaping is not the same as using intval to force
>>something into a number. Escaping is the mechanism to ensure that the
>>database (or whatever) sees and stores the original data in its original
>>format.
>
> Well, how else do you safely insert an integer into a SQL statement?
> You could escape and put quotes around it, but then you're just asking
> the database to cast the number into integer for you. If you leave it
> as is then you're placing the burden on your validation and error
> handling code to avert SQL injection. I could easily imagine someone
> writing something like this: if(preg_match('/[0-9]+/', $pkTable)) { ...
> }. Calling intval or floatval is easy enough.
IIRC, MySQL will actually give an error if you to quote a value for an
integer field...
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
Navigation:
[Reply to this message]
|