i am using php and running sql queries on a mysql server. in order

Question

0

Asked: May 15, 20262026-05-15T14:43:52+00:00 2026-05-15T14:43:52+00:00

i am using php and running sql queries on a mysql server. in order

0

i am using php and running sql queries on a mysql server.
in order to prevent sql injections, i am using mysql_real_escape_string.

i am also using (int) for numbers casting, in the following manner:

$desired_age = 12;
$query = "select id from users where (age > ".(int)$desired_age.")";
$result = mysql_query($query);

that work.

But, when the variable contains larger numbers, casting them fails since they are larger than int.

$user_id = 5633847511239487;
$query = "select age from users where (id = ".(int)$user_id.")";
$result = mysql_query($query);
// this will not produce the desired result, 
// since the user_id is actually being cast to int

Is there another way to cast large number (like BIGINT), except for the use of mysql_real_escape_string, when is comes to sql injection prevention?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-15T14:43:53+00:00

Editorial Team

2026-05-15T14:43:53+00:00Added an answer on May 15, 2026 at 2:43 pm

You could use something like:

preg_replace('/[^0-9]/','',$user_id);

to replace all non numeric symbols in your string.
But there actually is no need to do so, simply use mysql_real_escape_string() as your integer value will be converted to a string anyway once $query is built.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

i am using php and running sql queries on a mysql server. in order

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply