Storing a float into the database after escaping it as a string? - Is it safe?
Other Q&As say that if you want to escape and store a float with PDO you should use string escaping... (PDO::PARAM_STR)...
But is it really a safe and proper way to escape a FLOAT through PDO as a STRING while storing it into a FLOAT column in the database (MySQL)? Are these two floats "compatible"? Should I pre-validate the float in PHP, or will MySQL just somehow convert the string to a float even if it really isn't a float representation (but some random string)?
It is safe in terms of SQL injection to do something like this:
$stmt->bindValue('foo', 1.23456, PDO::PARAM_STR);
Because this is safe for any value, regardless of its type.
It is also "safe" to want to store a string in a float MySQL column. You cannot store anything but a float in a float column; MySQL will coerce any value it receives into a float according to its casting rules. This may or may not trigger some error or warning, but a string → float conversion is pretty straightforward and should not cause any problems.
It's all "safe" in terms of security.
If your float is actually a float, it's also safe for the value. It's just being transported as a string, but the value itself will be transported. There may be tiny rounding errors with a float → string → float cast, as you'll always have to consider with floats.