开发者

Is there a PHP library that performs MySQL Data Validation and Sanitization According to Column Type?

问答 作者:

Do you know of any open source library or framework that can perform some basic validation and escaping functionality for a MySQL Db.

i envisage something along the lines of:

//give it something to perform开发者_如何学运维 the quote() quoteInto() methods
$lib->setSanitizor($MyZend_DBAdaptor); 

//tell it structure of the table - colnames/coltypes/ etc
$lib->setTableDescription($tableDescArray); 

//use it to validate and escape according to coltype 
foreach ($prospectiveData as $colName => $rawValue)
if ( $lib->isValid($colName, $rawValue))
 {
 //add it to the set clause
 $setValuesArray[$lib->escapeIdentifier($colName)] = $lib->getEscapedValue($colName,$rawValue);
 }
else {
 throw new Exception($lib->getErrorMessage());
 }

etc...

I have looked into - Zend_Db_Table (which knows about a table's description), and - Zend_Db_Adaptor (which knows how to escape/sanitize values depending on TYPE)

but although they can sanitize, they do not automatically do any clever validation stuff before updates/inserts

Anyone know of a good PHP library to preform this kind of validation that I could use rather than writing my own?

i envisage alot of this kind of stuff:

   ...  
   elseif (eregi('^INT|^INTEGER',$dataset_element_arr[col_type]))
    {
    $datatype='int';

    if (eregi('unsigned',$dataset_element_arr[col_type]))
        {
        $int_max_val=4294967296;
        $int_min_val=0;
        }
    else    {
        $int_max_val=2147483647;
        $int_min_val=-2147483648;
        }
    }

(p.s I know eregi is deprecated - its just an example of laborious code)

I wrote a lot of the code in Zend_Db.

The code doesn't do a lot of sanitizing or escaping in update/insert because it uses query parameters. You don't need to worry about SQL injection if you pass dynamic values to the query using parameters.

See my answer to avoiding MySQL injections with the Zend_Db class for more details.

MySQL also supports some datatypes like BIGINT that are larger than PHP integers, so you have to represent them in PHP strings instead. Then there are MySQL DATE values and so on. It's better to just validate the values by inserting them into the database and coping with any exceptions.

继续阅读:phpsanitizationsqlvalidation

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9