开发者

Pear DB_DataObject and input cleaning

I normally开发者_如何学运维 use a function of my own to clean input before adding the values inside a query to prevent sql-injections. I also use pear DB_DataObject.

I read somehere that DB_DataObject cleans the input itself. Is this true? Can i assign uncleaned input to a DB_DataObject object? (What about mysql_real_escape_string?, i get an error using it in combination with DB_DataObject because no connection with the DB is established yet)

Also i'm curious how other people clean there input. Is there a best-practice?


DB_DataObject sanitizes inputs passed on the "->set*" methods, e.g.

Assuming User to be a DB_DataObject, the following would all be safe:

 
$user = new User;
$user->firstName = $_REQUEST['first'];
$user->setFirstName($_REQUEST['first'];
$user->setFrom($_REQUEST);

Any method that you actually pass in fragments of SQL are not safe, things like:


$user->selectAs($_REQUEST['col']. ', first as name');
$user->whereAdd("first=$_REQUEST['first]");

Hope that clarifys things a bit...

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜