Mysql INSERT INTO integer fields: do I need to escape variables

In a form I am collecting values from radio boxes which are numbers as strings, ie ‘123’.I am sending a JSON file to a server and decoding. I convert all the variable to integers using $var = intval($var).[Do I actually need to convert them to integers as I have heard mysql not fussy?]
All the fields in the mysql database are TINYINT.
I tested the php file by trying different variables as inputs for
$sql = mysqli_query($conn, "INSERT INTO results …etc
If the variable is ‘123’, 123 gets entered
If the variable is ‘12a’, 0 gets entered
If the variable is ‘DELETE’, 0 gets entered
Do I need to escape the variables to remain safe?

Why not just try and see what happens?

Thanks Rick

Yes, if I put $var = ‘123’ as a string it gets INSERT INTOed into the database as an integer… Thanks, that saves some work.
My main concerns if I need to escape the variables to prevent any possible attack.


If it’s an int column you should be fine (assuming the max value isn’t exceeded). However, to be even more sure why not handle it as an int not a string?

Thanks. That was my original intention, which I will stick to now.

Yes, you should. There are probably cases where it doesn’t matter, but as a general rule of thumb no unchecked input should ever be included in a SQL query. Always use placeholders or proper escaping.