5

I've just noticed that if I do a MySQL request like this one:

SELECT 1 FROM myTable WHERE id = 'asdf'

Then the string 'asdf' is casted to 0. It means that I have a record with id 0 this will match. The format of the id field is int(8).

What is the best way to proceed:

  • I need to check (by PHP for example) that my value is numerical only?
  • There is a MySQL way to do that?
  • I must remove my record with id 0? (bad)
Improve this question
5
  • The usual way to go is indeed to check the variable beforehand and to see whether it's numeric. (Many coding examples I've seen do a simple (int) cast though, which also results in 0) Commented Jun 11, 2012 at 15:52
  • You should always check inputs, especially when executing commands against your database and even more so if part of the input is coming from an external user. This is just good practice (for example to avoid injection attacks). PHP has an isNumeric function php.net/manual/en/function.is-numeric.php Commented Jun 11, 2012 at 15:55
  • i wouldn't have a 0th record. Commented Jun 11, 2012 at 15:55
  • it depends if you mind catching characters in a integer field. mySQL will allow it, if you don't care that the string is not an integer, you can truncate the input record so it doesn't overflow your buffers. LINK Commented Jun 11, 2012 at 16:00
  • please reword title of question. I came here looking to know how to cast int as string, but it wasn't even answered. not user friendly. Commented Nov 16, 2012 at 22:40

3 Answers 3

Reset to default
4

Just write your queries so that they don't use numeric fields as if they were textual ones.

If id is a numeric field, then your where clause can never be useful. Yes, it would be good if MySQL actively complained about it - but fundamentally you shouldn't be writing code which runs bad queries to start with.

How did that query enter your system? Is the 'asdf' part direct user input? Can you use parameterized SQL instead?

If you're genuinely intending to query a numeric field, you should make sure that your input is numeric first. Convert the text to an integer in your calling code, not in the database.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

@MarkByers: That doesn't mean you should be using non-integers in a query for integer input. Will edit to clarify.
I don't get your point when you say that if id is a numeric field, your where clause can never be useful
2

You must first sanitize your inputs via PHP.

$id = 'asdf';
if(is_numeric($id)){
    $query("SELECT 1 FROM myTable WHERE id = $id");
}else{
    die("ID is not numeric");
}

Or you can do:

    SELECT 1 FROM myTable WHERE id = 'asdf' AND 'asdf' REGEXP '^-?[0-9]+$'

This would cause the regex to = false, causing no rows to return.

Improve this answer

2 Comments

just another method to validate an int in php: $id = filter_input(INPUT_GET | INPUT_POST, "varName", FILTER_VALIDATE_INT);
I would rather use is_int($id) instead, because is_numeric($id) would also go with "+0123.45e6". That of course depends on the Type of your Database Integer and its options.
1

Since pdo prepared statements binding with correct types will not raise any error (except if mysql strict mode is enabled), your only choice is to ensure and control the types of your variables within your php to "correct" the permissivity of these languages.

[thanks to commentators]

Improve this answer

1 Comment

In this case using prepared statements won't work, because the library will cast 'asdf' to 0, so it will return incorrect rows. The point about checking the type in php is totally correct though.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.