Quick Tip: Save time on escaping from mysql_real_escape_string()
Posted: March 6th, 2008 | Author: Tim | Filed under: Uncategorized | Tags: escaping data, mysql_real_escape_string, sql injection | 1 Comment »

All data should be escaped before going into a query, to prevent an SQL-injection attack. The current “best practice” is to use mysql_real_escape_string(), which connects to the DB, checks how strings should be escaped, and then returns the safe string.

Unfortunately, this requires a round trip to the DB, and it takes time and resources. Here’s a trick to make things faster.
If the data you’re escaping is supposed to be an integer, and not a string, you can do this:
$_data = (int)$data;
This will force the value to be an integer. A bare number cannot carry an SQL-injection payload, and the cast runs very quickly compared to mysql_real_escape_string().
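The cast in action, as an added example that is not part of the original post: it runs the (int) approach over a few constructed inputs shaped like injection attempts, builds the query with %d so only digits reach the SQL text, and (as an assumed stricter alternative, not something the post recommends) shows filter_var() rejecting non-integer input instead of silently coercing it.

```php
<?php
// Added example, not from the original post. No database connection is
// needed; it only shows what reaches the SQL text after the cast.

// The post's approach: an (int) cast. Any trailing non-digit characters are
// dropped and a non-numeric string becomes 0, so no SQL syntax can survive it.
function safeIntCast($data): int
{
    return (int)$data;
}

// Assumed stricter variant: reject anything that is not a whole integer.
// filter_var() returns false for "1 OR 1=1", "42abc", "3.7" and "0x1A".
function safeIntStrict($data): ?int
{
    $v = filter_var($data, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Build the query with %d so only digits ever appear in the SQL text.
function buildUserQuery(int $id): string
{
    return sprintf('SELECT id, name FROM users WHERE id = %d', $id);
}

// Constructed sample inputs, including classic injection shapes.
$samples = ['42', '42abc', '1 OR 1=1', "1; DROP TABLE users", '0x1A', '3.7', 'abc'];

foreach ($samples as $s) {
    $cast   = safeIntCast($s);    // 42, 42, 1, 1, 0, 3, 0
    $strict = safeIntStrict($s);  // 42, then null for every other sample
    printf(
        "%-24s cast=%-3d strict=%-7s %s\n",
        var_export($s, true),
        $cast,
        $strict === null ? 'reject' : (string)$strict,
        buildUserQuery($cast)
    );
}
```

Note that the cast turns "1 OR 1=1" into a valid-looking lookup for id 1 rather than an error; if silently serving the wrong row is a problem for your application, the strict variant lets you refuse the request instead.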