3raser Posted February 17, 2012 If I check and make sure a variable is numeric with the is_numeric function, and it passes the is_numeric function, can it still be a security risk if I don't escape it with mysql_real_escape_string()?
Pikachu2000 Posted February 17, 2012 That will make it safe for a query, but chances are you should be using ctype_digit, since is_numeric will return TRUE for +1.3950e218 (exponential number) and 0xAF39BB2DC (hexadecimal number). If you need to allow negative numbers, you can check against the abs value of it with ctype_digit() as well.
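To make the difference concrete, here is an added example (not code from either poster) that runs both checks over the two inputs named above plus a few more edge cases, and wraps ctype_digit() in a small validator that also accepts a leading minus sign by stripping it first rather than passing abs() an integer, since ctype_digit() only does what you expect on strings. The table name, column names and PDO connection in fetch_user() are assumptions; note that hex strings such as 0xAF39BB2DC count as numeric only on PHP 5, and that mysql_real_escape_string() no longer exists in PHP 7 and later.

```php
<?php
declare(strict_types=1);

/**
 * True only for a plain decimal integer string such as "42" (or "-42" when
 * $allowNegative is set). Rejects everything else is_numeric() tolerates:
 * "+" signs, decimals, exponents, leading whitespace and (PHP 5) hex.
 */
function is_plain_integer(string $value, bool $allowNegative = false): bool
{
    if ($allowNegative && strlen($value) > 1 && $value[0] === '-') {
        $value = substr($value, 1);        // check the digits after the sign
    }
    // ctype_digit() expects a string and returns false for an empty string.
    return ctype_digit($value);
}

// Constructed inputs: the two from the post above plus assorted edge cases.
$samples = ['42', '-42', '+1.3950e218', '0xAF39BB2DC', ' 42', '', '1e3'];

foreach ($samples as $s) {
    printf("%-14s is_numeric=%-5s ctype_digit=%-5s is_plain_integer=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        ctype_digit($s) ? 'true' : 'false',
        is_plain_integer($s, true) ? 'true' : 'false');
}

/**
 * Validate first, then bind as an integer parameter. A prepared statement
 * means the value never becomes part of the SQL text, so no escaping is
 * needed even if the validation above were ever loosened.
 */
function fetch_user(PDO $db, string $id): ?array
{
    if (!is_plain_integer($id)) {
        return null;                       // reject before it reaches SQL
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```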
3raser Posted February 17, 2012 Thanks for the reply Pikachu.