It doesn't require any '', but in combination with *real_escape_string, to make it effective, you need these single quotes.

Because if the user input were: 1 OR 1 = 1, then the query is:

SELECT * FROM user WHERE id = 1 OR 1 = 1

which would select the whole table.

But if you use single quotes with *real_escape_string and the user input is 1' OR '1' = '1, then the query would be:

SELECT * FROM user WHERE id = '1\' OR \'1\' = \'1'

which won't select the whole table, but just one id.

tl;dr: It is not needed, but it makes your code safe against SQL injection.
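To make the two cases above concrete, here is an added example (not part of the answer) that emulates the escaping rules of mysql_real_escape_string in Python, builds both query strings, and contrasts them with a bound placeholder; the SQLite in-memory table and its rows are constructed sample data, not anything from the original question.

```python
import sqlite3


def mysql_escape(value: str) -> str:
    """Emulate mysql_real_escape_string(): backslash-escape the characters
    MySQL treats specially inside a string literal. It does NOT add the
    surrounding quotes, which is exactly the point made in the answer."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
        "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def query_unquoted(user_input: str) -> str:
    # Escaping alone: the value lands in a numeric context, so a payload
    # that contains no quote characters passes through untouched.
    return "SELECT * FROM user WHERE id = " + mysql_escape(user_input)


def query_quoted(user_input: str) -> str:
    # Escaping plus quotes: every quote inside the value is escaped, so the
    # whole input stays inside one string literal and compares as one id.
    return "SELECT * FROM user WHERE id = '" + mysql_escape(user_input) + "'"


def rows_matched_with_placeholder(user_input: str) -> int:
    """Bound parameter on constructed SQLite sample data: the input is sent
    as a value and never parsed as SQL, whatever characters it contains."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    rows = con.execute("SELECT * FROM user WHERE id = ?", (user_input,)).fetchall()
    con.close()
    return len(rows)


if __name__ == "__main__":
    print(query_unquoted("1 OR 1 = 1"))          # whole table would match
    print(query_quoted("1' OR '1' = '1"))        # stays one string literal
    print(rows_matched_with_placeholder("1 OR 1 = 1"))  # 0
```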