by Jach
5927 days ago
Casting the ID to an int (like you should do) will make any non-numeric strings into 0. If your ID is 0 you can assume an attack and give such a message. With PHP you should be using mysqli_ functions instead of mysql_ variants as they protect against multiple queries executing in one mysqli_query() call. I do agree prepared statements are the way to go at least 90% of the time.