How to use mysqli_real_escape_string for int value?

Question

I have this $search= mysqli_real_escape_string($conn,$_POST['search']); Now, I want to know if this can be converted into int and would that be a safe option to avoid sql injection.

$sql ="SELECT * FROM basket WHERE quantity =$search";

**here quantity is int

How can you implement it here and would that be safe from sql injection?I have this $search=(int)$search and it works somehow but will this avoid sql injection? — M Hussain, Sep 10 '17 at 12:33
It will. Also see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Shira, Sep 10 '17 at 14:24

score 0 · Accepted Answer · answered Sep 11 '17 at 15:33

Yes, strictly speaking, casting a variable with (int) or intval() removes the risk of that variable causing an SQL injection.

But this is not a good reason to avoid using query parameters.

For one thing, you might have both string and integer variables to combine with your SQL statement. It makes your code more complex to use different methods of making variables safe, depending on their type. If you just use query parameters for all variables, you simplify your code.

Please just do it right.

How to use mysqli_real_escape_string for int value?

1 Answers1