Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?

Question

Say i have a form on a page asking for someone's age. They enter their age and hit submit. The following php code deals with the form submission: (age is an int field in the db table.)

$Number = mysqli_real_escape_string($dbc, $_POST["age"]);
$Query = "INSERT INTO details (age) VALUES ($Number)";
$Result = mysqli_query($dbc, $Query);

Instead of this, is there anything to be gained to enclosing the user input in single quotes, even though it is not a string? Like this:

...
$Query = "INSERT INTO details (age) VALUES ('$Number')";  <-- quotes
...

What about performing a SELECT? Is this:

$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = '$ID'";
$Result = mysqli_query($dbc, $Query);

better than:

$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = $ID";      <-- no quotes
$Result = mysqli_query($dbc, $Query);

NOTE: I am aware of prepared statements and usually use them over string concatenation but this is legacy code i'm dealing with. I want to secure it as best as i can.

Wrikken Wrikken · Accepted Answer · 2011-06-07T18:14:54

If you add numbers, use the intval/floatval functions, don't use mysql_real_escape_string for those.

For everything you use mysql_real_escape_string for, you must use quotes, example:

$input = "foo'bar";
$input = mysql_real_escape_string($input);
//foo\'bar
mysql_query("SELECT $input");
//SELECT foo\'bar
//which is still an SQL syntax error.

Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?

3 Answers