SQL int type parameter injection

Similar mysql_real_escape_string PHP language () function, when used to prevent SQL injection, may experience the successful implantation of type int.

mysql_real_escape_string () usage

mysql_real_escape_string () function escapes special characters in a string SQL statements used in.
The following characters are affected:

\x00
\n
\r
\
'
"
\x1a

If successful, the function returns a string to be escaped. If it fails, false is returned.

Use Cases

Code Cases String type filter parameters:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con){
  die('Could not connect: ' . mysql_error());
}

// 获得用户名和密码的代码
$user = $_POST("user");
$pwd = $_POST("pwd");

// 转义用户名和密码，以便在 SQL 中使用
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"

//...

mysql_close($con);
?>

Such fact can filter string type parameters, but if it is int argument to die, reasons explained below.

Int type parameter splicing

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con){
  die('Could not connect: ' . mysql_error());
}

// 获得用户名和密码的代码
> 过滤String型参数；

$mobile = $_POST("mobile");
$v = $_POST("v");

// 转义用户名和密码，以便在 SQL 中使用
$mobile = mysql_real_escape_string($mobile);
$v = mysql_real_escape_string($v);

$condStr .= "SELECT * FROM users WHERE uers=lisi AND mobile = $mobile LIKE "."$v";

mysql_close($con);
?>

This sql statement using a mobile = 138888888888 int type parameter, see the above splicing rule, do not need so ', "closed symbols, only need to pass 1 union select 1=1 ; --can be injected.

If the mobile parameter does not turn into strong% d, then there will be an int sql injection.