42
Secure Development for Mobile Apps
is the fastest implementation of a query. A speedy legacy equivalent to the PDO
implementation would be:
// intval() coerces the tainted request value to an integer before interpolation
$id = intval($_GET['id']);
// legacy mysql_* API (removed in PHP 7), shown only for comparison with PDO
$result = mysql_query("SELECT name FROM users WHERE id = $id");
Explicitly casting to an integer type is also safe. A cast to an integer in PHP is done
like this:
// an explicit (int) cast gives the same result as intval() for a string
$id = (int)$_GET['id'];
$result = mysql_query("SELECT name FROM users WHERE id = $id");
The output is:
SELECT name FROM users WHERE id = 55
After the cast, $id is a numeric integer and no longer a string representation.
Any part that is not numeric is removed. Quoting and escaping are not needed as long
as the parameter is indeed an actual integer. Again, not a best practice, but important
to know and understand. The lack ...