Comments on: Prevent SQL Injections with PHP

By: Woolie

Woolie — Sun, 20 Apr 2008 22:41:42 +0000

Hi Roel, as the notice at the top of this post states, the code used in this post may be out of date. Please make sure you verify with other sources before using it.

To answer your question, no there is no real difference. The only thing I would note is that in the second one, to make the result exactly the same as the first, you may want to rewrite like so:

$result = mysql_query("SELECT* FROM animals WHERE name = $safe");

By: Roel

Roel — Sun, 20 Apr 2008 07:40:35 +0000

Is there a difference between:

$query = “SELECT * FROM animals WHERE name = $safe”;
$result = mysql_query( $query );

$query = mysql_query(”* FROM animals WHERE name = $safe”);

By: Nick

Nick — Wed, 25 Jul 2007 10:43:02 +0000

When you want to use a numeric value, you can just use this :

$id = (int)$_GET['id'];

By: johni

johni — Thu, 31 May 2007 15:12:09 +0000

Great article, i must say simply the best!

By: harry

harry — Tue, 15 May 2007 06:14:30 +0000

nice one dude

By: Imran

Imran — Thu, 10 May 2007 06:34:00 +0000

Pretty helpfull for newbies who are making such kinda mistakes… thanx for sharing

By: Is PHP Insecure? Hell No! » Woolie’s World

Is PHP Insecure? Hell No! » Woolie’s World — Sun, 06 May 2007 09:55:48 +0000

[...] Preventing SQL Injection Attacks [...]

By: scragar

scragar — Mon, 30 Apr 2007 08:53:29 +0000

can I just say that if your checking that it is 1 to 10,000 inclusive then you should use = as comparisons, otherwise your range drops to 2 to 9,999 inclusive.

By: buchin

buchin — Sun, 29 Apr 2007 17:21:17 +0000

Thanks! nice article

By: Nathan

Nathan — Sun, 29 Apr 2007 01:41:08 +0000

Thank-you! Much easier than I though.