I have some PHP classes I have written that do various queries on MySQL. Some are designed to work around unique IDs which can be an int or a string (E.g. some I have use URL slugs for the query). To make them work with both an auto-increment ID and a string ID I always put single quotation marks around the ID value. So you get things like WHERE id = '45'. I know it always works and the MySQL server is smart enough not to throw it back as an error but are there any issues I should be aware of? Is it bad practice for me to work in this manner?
Am I right in saying if you aren't using prepared statements then, although lazy, adding quotes to ints is safer? E.g.
$bad = "' OR 1'";
$query = "SELECT * FROM table WHERE id = $bad"; // Injection
$query = "SELECT * FROM table WHERE id = '$bad'"; // Failed query, result returns false
$query = "SELECT * FROM table WHERE id = '" . $db->escape($bad) . "'"; // No results
If you use quotes, the worst you get is a failed query. I'm not suggesting this as good practice but am I right?
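The lookup the question describes, written with a prepared statement so the same function serves both auto-increment and slug IDs without any quoting decision at all. This is an added example, not code from the original post; it assumes a PDO connection `$pdo`, a table named `items` with an `id` column, and the function name `findById`. The quoted-and-escaped form in the question is only as safe as the escape routine is correct for the connection's character set; with real server-side prepares (`PDO::ATTR_EMULATE_PREPARES` set to false) the bound value is never spliced into the SQL text, so there is nothing to escape.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection
// to MySQL and a table `items` with an `id` column that may be INT or VARCHAR.
// Table, column and function names are assumptions for illustration.

declare(strict_types=1);

function findById(PDO $pdo, int|string $id): ?array
{
    // The placeholder is never wrapped in quotes: the value travels to the
    // server separately from the SQL text, so an input such as "' OR 1"
    // is compared as a literal string and cannot alter the statement.
    $stmt = $pdo->prepare('SELECT * FROM items WHERE id = :id');

    // Bind with the matching type. MySQL would still coerce an INT column
    // against a string value, but an explicit type keeps the intent clear.
    $type = is_int($id) ? PDO::PARAM_INT : PDO::PARAM_STR;
    $stmt->bindValue(':id', $id, $type);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (DSN and credentials are assumed placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
// ]);
// var_dump(findById($pdo, 45));            // auto-increment ID
// var_dump(findById($pdo, 'my-url-slug')); // slug ID
// var_dump(findById($pdo, "' OR 1"));      // null: no row has that literal id
```

With this in place the "quote or not" question disappears: the column type decides how the comparison is made, and the application never builds SQL text from user input.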