开发者

Pear DB_DataObject and input cleaning

问答 作者:

I normally开发者_如何学运维 use a function of my own to clean input before adding the values inside a query to prevent sql-injections. I also use pear DB_DataObject.

I read somehere that DB_DataObject cleans the input itself. Is this true? Can i assign uncleaned input to a DB_DataObject object? (What about mysql_real_escape_string?, i get an error using it in combination with DB_DataObject because no connection with the DB is established yet)

Also i'm curious how other people clean there input. Is there a best-practice?

DB_DataObject sanitizes inputs passed on the "->set*" methods, e.g.

Assuming User to be a DB_DataObject, the following would all be safe:

 
$user = new User;
$user->firstName = $_REQUEST['first'];
$user->setFirstName($_REQUEST['first'];
$user->setFrom($_REQUEST);

Any method that you actually pass in fragments of SQL are not safe, things like:


$user->selectAs($_REQUEST['col']. ', first as name');
$user->whereAdd("first=$_REQUEST['first]");

Hope that clarifys things a bit...

继续阅读:pearphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9