What's the difference between intval and db_escape in SQL?

I've got friends who's telling me to change some code.

One of them is telling me to change my code into:

intval($_GE开发者_如何学运维T['id']);

And the other tells me to change into:

db_escape($_GET);

Who is right, and why?

Intval is specifically for numbers. With intval you transform anything what is not a valid number to "0". With db_escape() you can prepare strings and other stuff to be inserted into a database. So both are right, it depends on what you want to insert :-) If you want to insert a number or if you want to select an entry with its id

$query = "SELECT * FROM table WHERE id = " . intval($GET_["id"]);

then you should use intval. If you want to insert a text, you should use db_escape.

$query = "INSERT INTO table (stringCol) VALUES('" . db_escape($_POST['string']) . "')";