MySQL Escaping an Integer
#1

Hello,

I have a system which involves a user inputting information into a parameter through a command they type. The input uses sscanf, which expects to receive an integer.

How exactly do I SQL-escape an integer, seeing as it is not a string? Or is it not necessary? Personally I don't feel it is necessary, but perhaps it is. I do escape ALL strings, however.
#2

You don't need to escape integers, because they are integers, not strings.

To escape something, use '%e'.
#3

Escaping is used so people aren't able to alter your query to do what they want (for example, tell MySQL to drop the table 'players' that you keep your information in). They can't do it with 1 integer (since MySQL commands are all at least words, like UPDATE, ALTER, DROP, INSERT), therefore there is no need to do such a thing.
#4

Quote:
Originally Posted by PrO.GameR
Escaping is used so people aren't able to alter your query to do what they want (for example, tell MySQL to drop the table 'players' that you keep your information in). They can't do it with 1 integer (since MySQL commands are all at least words, like UPDATE, ALTER, DROP, INSERT), therefore there is no need to do such a thing.
This is why I said I felt it was not necessary to do. I'm aware of what escaping the string did, and I was racking my brain to try and think of any potential way someone could alter a query with just a number, but couldn't think of one. I always ask the community though, JUST in case I never thought of something so obvious...

Thanks guys
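The point made in this thread, as an added example that is not code from any of the posters: a value only counts as "just an integer" if the whole input was parsed as one and the query is built from the parsed number, never from the raw text. It is written in C with strtol standing in for the sscanf integer parsing the question mentions; the function names and the score and id columns are hypothetical, and the sample inputs are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only a complete decimal integer (strtol allows leading whitespace
 * and a sign); any trailing byte or out-of-range value is rejected.
 * Returns 1 and stores the value on success, 0 otherwise. */
static int parse_int_strict(const char *text, int *out)
{
    char *end = NULL;
    long value;

    if (text == NULL || *text == '\0') return 0;
    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0') return 0;   /* no digits, or leftovers */
    if (errno == ERANGE || value < INT_MIN || value > INT_MAX) return 0;
    *out = (int)value;
    return 1;
}

/* Build the query from the parsed int only, so nothing but a sign and digits
 * can reach the SQL text. "players" is the table named in the thread; the
 * columns are hypothetical. Returns the query length, or -1 if rejected. */
static int build_update_query(const char *user_input, char *buf, size_t size)
{
    int player_id, written;

    if (!parse_int_strict(user_input, &player_id)) return -1;
    written = snprintf(buf, size,
                       "UPDATE players SET score = 0 WHERE id = %d", player_id);
    if (written < 0 || (size_t)written >= size) return -1;
    return written;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "42", "-7", "1 OR 1=1", "abc", "99999999999" };
    char query[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               build_update_query(samples[i], query, sizeof query) < 0
                   ? "rejected" : query);
    return 0;
}
```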

