MortHub MortHub - 6 months ago 13
PHP Question

Is it necessary to use mysqli_real_escape_string with data from <input type=number> inputs?

Just as the title states. Is it a standard procedure/practice to escape number inputs?

I know text fields should be escaped, but i'm wondering if I need to escape numbers.

Answer

You should use Prepared Statement. But if you don't wish to do that, at least cast some data type, for example:

<?php
$myVar = (int)$_POST['user_age'];
$myVar = (float)$_POST['user_salary'];