mysql - PHP conversion against injection for numerical parameters -
i know ultimate way use mysqli_real_escape_string
function. pretty long , numerical values use $value + 0
statement. secure enough?
yes is. don't forget use "real" new version of mysqli_escape_string ;)
btw, should use prepared statement mysqli:
you can read more on: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
this avoid using mysqli_real_escape_string
Comments
Post a Comment