标签: php mysql sql-injection
使用intval是安全的:
... WHERE id = " . intval($_POST['input']) . " AND ...
而不是mysqli_real_escape_string:
... WHERE id = '" . mysqli_real_escape_string($_POST['input']) . "' AND ...
用于防止任何sql错误或注入攻击?