Outside a query:

$uid = number_format($_GET['uid'], 0, ',', '');
if($mob['donof'] == '$uid' && $uid > 0){ blabla }

DID NOT WORK!? $uid is a number. donof is a numeric field. It worked when I took off the quotes (== $uid). Why is that? Such an odd thing; I wonder how many other variables don't work properly on my site now... And inside a query, which is better? SELECT * FROM users WHERE id = $id or '$id'?
If it is a numerical field then the quotes serve absolutely no purpose, and actually slow your query down (by some minuscule amount). Don't use 'em. Also, you can more simply clean $uid by just doing $uid = intval($_GET['uid']);
Thanks for the advice. What do you think of my text cleaning function?

function intfix($input = 0){
    // round to 0 decimals, no thousands separator
    $input = number_format($input, 0, ',', '');
    // anything below 1 becomes 0
    if($input < 1){ $input = 0; }
    return $input;
}

function textfix($text = ""){
    if(!is_array($text)){
        // encode HTML special characters, including both quote types
        $text = htmlentities($text, ENT_QUOTES, "UTF-8");
    }
    return $text;
}

I included the intfix one as well. Are you sure that intval would be better? Any ideas about the textfix()?
The problem with not adding quotes around variables inside queries is that it produces errors if the variable is not set by the user. What do you think about that?
That should be a good thing, for debugging. Besides, you could always add @ before the variable so no error displays if the variable is undefined. I'd suggest you use intval() (or even round() would work, but intval would be more appropriate).
Before writing anything to the database, you should make sure that all values are confirmed to be valid and in the proper form. This sort of error is a good thing as it highlights a failure to properly prepare your data.
Guys, intval is limited to 2147483647. I am building a game site and the numbers will get much bigger than that. So is number_format still my best choice? About the errors: this is how I define all variables on my site:

// empty() avoids the undefined-index notice when the key is absent
if(!empty($_GET['id'])){ $id = intfix($_GET['id']); }
if(!empty($_POST['search'])){ $search = textfix($_POST['search']); }
number_format uses floats, which can get inaccurate in the least-significant digits if the numbers are too large. Just use preg.

function intfix($i) {
    // keep only digit characters
    $i = preg_replace('/[^\d]/', '', $i);
    // an empty result (no digits at all) becomes 0
    if (!strlen($i)) $i = 0;
    return $i;
}
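As an added example (not code from the original thread or any of its posters), the following script runs the three integer cleaners discussed in the replies above side by side on the same inputs: intval() from the second reply, the poster's number_format() version, and the preg_replace() version from the last reply, with inputs chosen to cover the cases raised in the thread (non-numeric junk, negative values, empty strings, and ids above 2^31 and 2^53). It also adds a validate-and-reject variant that keeps the id as a digit string, so an arbitrarily large id is never converted to a float or clamped. The function names intfix_number_format, intfix_preg, intcheck and compare_intfix, the 20-digit length cap and the sample inputs are assumptions of this example; it assumes 64-bit PHP 7.1 or later.

```php
<?php
// Added example, not from the original thread: compares the integer-cleaning
// approaches discussed above on the same inputs. Assumes 64-bit PHP 7.1+.

// The poster's number_format() version. The explicit (float) cast reproduces
// the loose string-to-number conversion the original relied on, without the
// TypeError that PHP 8 raises for non-numeric strings such as ''.
function intfix_number_format($input = 0) {
    $input = number_format((float) $input, 0, ',', '');
    if ($input < 1) { $input = 0; }
    return $input;
}

// The preg_replace() version from the last reply: strip every non-digit.
function intfix_preg($i) {
    $i = preg_replace('/[^\d]/', '', $i);
    if (!strlen($i)) $i = 0;
    return $i;
}

// Validate-and-reject variant (an assumption of this example, not from the
// thread): accept only a string of digits with no leading zero, bounded in
// length, and return it as a string so it is never converted to a float or
// clamped to PHP_INT_MAX. Zero itself is rejected, matching the "> 0" check in
// the first post. Returns null for anything else so the caller can refuse the
// request instead of silently using a mangled value ("12abc34" -> 1234,
// "-5" -> 5). \z rather than $ so a trailing newline cannot slip through.
function intcheck($input, int $maxDigits = 20): ?string {
    if (!is_string($input) && !is_int($input)) {
        return null;
    }
    $s = (string) $input;
    if (strlen($s) > $maxDigits || !preg_match('/^[1-9]\d*\z/', $s)) {
        return null;
    }
    return $s;
}

// Run every cleaner on one input and return the results keyed by name.
function compare_intfix(string $input): array {
    return [
        'intval'        => intval($input),               // clamps at PHP_INT_MAX
        'number_format' => intfix_number_format($input), // float precision loss
        'preg'          => intfix_preg($input),          // keeps stray digits, drops sign
        'intcheck'      => intcheck($input),             // null means reject
    ];
}

// Constructed sample inputs covering the cases raised in the thread.
$samples = [
    '42',
    '12abc34',
    '-5',
    '',
    '9007199254740993',    // 2^53 + 1: not representable as a float
    '9223372036854775808', // 2^63: one past PHP_INT_MAX on 64-bit
];

foreach ($samples as $s) {
    printf("%-24s %s\n", var_export($s, true), json_encode(compare_intfix($s)));
}
```

Run it from the command line and read the rows for the two large values: intval() saturates at the platform integer maximum, number_format() rounds through a double, and only the digit-string versions preserve the value. The length cap is a loose upper bound; the actual column range (for example BIGINT UNSIGNED) still has to be checked by the application. Whichever cleaner is chosen, the quoted-versus-unquoted question for the query itself goes away if the value is passed as a bound parameter through a prepared statement (PDO or mysqli) instead of being interpolated into the SQL string; the validation is still needed so that the application, not the database, decides what an acceptable id looks like.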