Home/ Questions/Q 6004131
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T01:13:11+00:00

Should numbers from user input be quoted in MySQL queries to help avoid SQL

  • 0

Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?

Say i have a form on a page asking for someone’s age. They enter their age and hit submit. The following php code deals with the form submission: (age is an int field in the db table.)

$Number = mysqli_real_escape_string($dbc, $_POST["age"]);
$Query = "INSERT INTO details (age) VALUES ($Number)";
$Result = mysqli_query($dbc, $Query);

Instead of this, is there anything to be gained to enclosing the user input in single quotes, even though it is not a string? Like this:

...
$Query = "INSERT INTO details (age) VALUES ('$Number')";  <-- quotes
...

What about performing a SELECT? Is this:

$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = '$ID'";
$Result = mysqli_query($dbc, $Query);

better than:

$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = $ID";      <-- no quotes
$Result = mysqli_query($dbc, $Query);

NOTE: I am aware of prepared statements and usually use them over string concatenation but this is legacy code i’m dealing with. I want to secure it as best as i can.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you add numbers, use the intval/floatval functions, don’t use mysql_real_escape_string for those.

    For everything you use mysql_real_escape_string for, you must use quotes, example:

    $input = "foo'bar";
$input = mysql_real_escape_string($input);
//foo\'bar
mysql_query("SELECT $input");
//SELECT foo\'bar
//which is still an SQL syntax error.
    • 0