Is `$var = $var + 0` an acceptable way to prevent SQL injection in PHP?

Question

A team I work with has a habit of escaping IDs and integers in SQL like this:

$var = $var + 0; $sql = "SELECT * FROM whatever WHERE id = $var";

Is this an acceptable way to prevent SQL injection in PHP, or is it vulnerable?

Use prepared statement http://php.net/manual/en/mysqli.quickstart.prepared-statements.php — Felippe Duarte, May 16 '18 at 19:54
That's a pretty poor attempt at type casting in PHP, especially since it emits a warning. You should use `intval($var)` or `(int) $var` to type cast to an integer. If it's casted to an integer, it is safe, but that's only valid protection for integer types. — Devon Bessemer, May 16 '18 at 20:06
Best to just use prepared statements https://dev.mysql.com/doc/apis-php/en/apis-php-mysqli.quickstart.prepared-statements.html — GiantJelly, May 16 '18 at 19:55

score -2 · Answer 1 · answered May 16 '18 at 20:00

-2

No its not a preventive way. Use PHP PDO. Read this: https://www.w3schools.com/php/php_mysql_connect.asp

answered May 16 '18 at 20:00

Andr

1 Answers1