Should I escape an expected integer value using mysql_real_escape_string, or can I just use (int)$expectedinteger?
mysql_real_escape_string is for STRINGS. It will not make an integer 'safe' for use, e.g.
$safe = mysql_real_escape_string($_GET['page']);
will do NOTHING where
$_GET['page'] = "0 = 0";
because there are no SQL metacharacters in there. Your query would end up something like
SELECT ... WHERE somefield = 0 = 0
However, doing intval() will convert that 0=0 into a plain 0.
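The behaviour described in the answer above, as an added example that is not part of the original post. It assumes an in-memory SQLite database through PDO as an offline stand-in for MySQL, a constructed `opinions` table, and a hypothetical helper `findOpinion()`; `addslashes()` stands in for `mysql_real_escape_string()`, which needs a live connection and was removed in PHP 7.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs offline.
// The table "opinions" and its rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE opinions (opinionid INTEGER PRIMARY KEY, body TEXT)");
$pdo->exec("INSERT INTO opinions VALUES (1, 'first'), (2, 'second'), (3, 'third')");

$input = "0 = 0"; // the value from the answer, as it would arrive in $_GET['page']

// 1) String escaping only rewrites quotes, backslashes and a few control bytes.
//    This input contains none of them, so it reaches the query unchanged and is
//    parsed as (opinionid = 0) = 0, which is true for every non-zero id.
$escaped = addslashes($input); // stand-in for mysql_real_escape_string()
$sql = "SELECT COUNT(*) FROM opinions WHERE opinionid = $escaped";
echo "escaped: $sql => ", $pdo->query($sql)->fetchColumn(), " row(s)\n";

// 2) intval() keeps only the leading integer, so the condition is a plain number.
$id = intval($input);
$sql = "SELECT COUNT(*) FROM opinions WHERE opinionid = $id";
echo "intval : $sql => ", $pdo->query($sql)->fetchColumn(), " row(s)\n";

// 3) Stricter variant: reject anything that is not a positive integer instead of
//    silently coercing it, then bind the value as an integer parameter.
//    findOpinion() is a hypothetical helper written for this example.
function findOpinion(PDO $pdo, $raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // malformed input never reaches the database
    }
    $stmt = $pdo->prepare("SELECT body FROM opinions WHERE opinionid = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

var_dump(findOpinion($pdo, $input)); // rejected by validation
var_dump(findOpinion($pdo, "2"));    // valid id, looked up with a bound parameter
```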
Yes, it is safe, but you should escape the value in the query: ...where opinionid='$opinionid'"
BTW (1) Never use Select *. Solution: Select Field, Field2 ....
(2) (int)$foo is less performant than intval($foo)