11-22-2010, 06:39 AM   #6
Originally Posted by hadi
What I mean is the difference in function between intval() and mysql_real_escape_string(). Anyway, a quick Google search about intval() explains everything.

From what I learned, mysql_real_escape_string() is good enough to sanitize ANY user input. I'm just worried that the mysql_real_escape_string() function only works under certain conditions.

intval() will convert any data to an integer. So for example:

<?php
// intval() keeps only a leading integer; anything else becomes 0
$variable = "I am some injected text";
echo intval($variable);

The output of this would be:

0
So if you are expecting a variable to be an integer, such as a timestamp or an ID #, pass it through intval() and, no matter what, it will always come out as a number. It eliminates any chance that the variable has been injected with any SQL code. If you just used mysql_real_escape_string(), you could still cause an error if MySQL is expecting an integer. This does not help you, however, when you NEED text. Then you use mysql_real_escape_string().
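As an added example (not code from the original post or its authors), the PHP below puts Jeff's point side by side: the same payload fed to an unquoted integer column through escaping alone versus through intval(), plus a stricter validated variant and the quoted text case where escaping is the right tool. mysql_real_escape_string() needs an open connection and takes the connection character set into account (it was removed entirely in PHP 7.0), so mysql_escape_stub() here is an assumed stand-in that only reproduces the characters it escapes; the table name, column names and sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the original post.
// mysql_escape_stub() is a stand-in for mysql_real_escape_string(); it ignores
// the connection charset, which the real function does not.
declare(strict_types=1);

/** Stand-in: escapes NUL, \n, \r, backslash, single quote, double quote, Ctrl-Z. */
function mysql_escape_stub(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

/** Integer column, coerced with intval(): the interpolated value can only be digits. */
function query_by_id_intval(string $userInput): string
{
    $id = intval($userInput);
    return "SELECT * FROM posts WHERE id = $id";
}

/** Integer column, escaping only: the value is unquoted, so a payload made of
 *  letters, digits and spaces contains nothing to escape and passes through. */
function query_by_id_escaped(string $userInput): string
{
    $id = mysql_escape_stub($userInput);
    return "SELECT * FROM posts WHERE id = $id";
}

/** Stricter integer handling: reject non-integers instead of silently
 *  turning garbage into id 0. The caller should answer with a 400. */
function query_by_id_validated(string $userInput): ?string
{
    $id = filter_var($userInput, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    return "SELECT * FROM posts WHERE id = $id";
}

/** Text column: escaping is the right tool, and the value MUST sit inside quotes. */
function query_by_title_escaped(string $userInput): string
{
    $title = mysql_escape_stub($userInput);
    return "SELECT * FROM posts WHERE title = '$title'";
}

// Constructed sample inputs standing in for $_GET values.
$injected = "1 OR 1=1";
$garbage  = "I am some injected text";
$text     = "Bob's 'quoted' title";

echo query_by_id_intval($injected), "\n";
echo query_by_id_escaped($injected), "\n";
echo query_by_id_intval($garbage), "\n";
var_dump(query_by_id_validated($garbage));
echo query_by_title_escaped($text), "\n";
```

Running it shows the contrast: intval("1 OR 1=1") yields 1, so the intval() query is harmless, while the escaped-only query keeps the whole "1 OR 1=1" tail because none of its characters are ones the escaper touches. The garbage string becomes id 0 under intval(), which is why the validated variant returns null instead of querying for a row that does not exist. Prepared statements (PDO or mysqli with bound parameters) remove the need to choose between the two by keeping data out of the SQL text altogether, and are what a new code base should use.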