开发者

Is this sql input validation secure?

I'm currently 开发者_开发知识库developing a database class for a project I've been working on. I would like to know if the following function has any holes or errors in it that would allow for someone to use MySQL injection.

public function sql_validate($var)
{
    if (is_null($var))
    {
        return NULL;
    }
    else if (is_string($var))
    {
        return "'" . $this->sql_escape($var) . "'";
    }
    else if (is_bool($var))
    {
        return intval($var);
    }
    else
    {
        return $var;
    }
}

Here's the function sql_escape which is called for strings.

private function sql_escape($string)
{
    if (!$this->db_connection)
    {
        return @mysql_real_escape_string($string);
    }

    return @mysql_real_escape_string($string, $this->db_connection);
}


mysql_real_escape_string uses whatever escaping mode is best, therefore it is fairly secure.

However, may I suggest an alternative. Why create a database class when there are several out there which utilize a much more secure method - Prepared statements. In a nutshell these work by separating SQL logic from user inputted data.

I would suggest using the PDO CLASS.

Also, you should really avoid using error suppression @ in PHP. As this tends to suppress errors which you might not even expect.

The following article is a fairly straightforward introduction to PDO.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜