I've got friends who's telling me to change some code.
One of them is telling me to change my code into:
intval($_GE开发者_如何学运维T['id']);
And the other tells me to change into:
db_escape($_GET);
Who is right, and why?
Intval is specifically for numbers. With intval you transform anything what is not a valid number to "0". With db_escape() you can prepare strings and other stuff to be inserted into a database. So both are right, it depends on what you want to insert :-) If you want to insert a number or if you want to select an entry with its id
$query = "SELECT * FROM table WHERE id = " . intval($GET_["id"]);
then you should use intval. If you want to insert a text, you should use db_escape.
$query = "INSERT INTO table (stringCol) VALUES('" . db_escape($_POST['string']) . "')";
精彩评论