Robin Kopetzky wrote:

Good afternoon.

I found this code in a program I'm renovating and think this is very
redundant. Also, it does slow queries down while doing all of the

prod_id in the mysql database is declared an integer.

<SQL above>
        where prod_id = '" . (int)$prod_id . "' and
<SQL below>

Question: since $prod_id is already an integer, why would someone convert it
into an integer, then convert it into a string to later have mysql convert
it back into an integer? Could someone shed some light on the intent behind
this weird code?

This is most likely a security measure and not redundant at all. Even if someone tries to "inject" malicious SQL into $prod_id, this code will cast it as an integer, discarding any non-numeric characters. For example, if $prod_id is "42; drop database foo;", that would be very dangerous. With the (int) cast, $prod_id will simply be cast to the integer 42. A good idea in my view.

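To make the reply above concrete, here is a small stand-alone PHP script (added here as an illustration, not code from either poster) that runs the (int) cast over a handful of constructed attacker-style values of $prod_id and rebuilds the query fragment from the original post with and without the cast. The function names and the sample inputs are my own.

```php
<?php
// Added example, not from the original thread. Shows what (int) does to a
// few untrusted $prod_id values and what the WHERE fragment becomes.
// Every entry in $samples is constructed input for demonstration.

// Mirrors the fragment from the post: where prod_id = '<cast value>' and ...
function buildCastFragment($prodId): string
{
    return "where prod_id = '" . (int)$prodId . "' and";
}

// The same fragment with the cast removed, to show what the cast prevents.
function buildUncastFragment($prodId): string
{
    return "where prod_id = '" . $prodId . "' and";
}

$samples = [
    "42",                        // plain numeric string
    "42; drop database foo;",    // the case named in the reply
    "42' or '1'='1",             // quote-breaking injection attempt
    "abc",                       // not numeric at all: becomes 0
    "  7  ",                     // surrounding whitespace is tolerated
    99,                          // already an int: unchanged
];

foreach ($samples as $input) {
    printf("%-28s cast=%-3s | %s\n",
        var_export($input, true),
        var_export((int)$input, true),
        buildCastFragment($input));
    // Uncomment to see the dangerous version side by side:
    // echo "    without cast: ", buildUncastFragment($input), "\n";
}
```

Two things worth noticing when you run it. First, (int) keeps only the leading integer of a string, so both injection attempts collapse to 42 and the fragment is always a quoted integer literal, which MySQL converts back to an integer for the INT column without complaint. Second, a value with no leading digits becomes 0, so a garbage $prod_id silently turns into a lookup for prod_id = 0 rather than an error; if that matters to the application, validate the input separately before the cast.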

PHP Database Mailing List