Is this sql input validation secure?
I'm currently 开发者_开发知识库developing a database class for a project I've been working on. I would like to know if the following function has any holes or errors in it that would allow for someone to use MySQL injection.
public function sql_validate($var)
{
if (is_null($var))
{
return NULL;
}
else if (is_string($var))
{
return "'" . $this->sql_escape($var) . "'";
}
else if (is_bool($var))
{
return intval($var);
}
else
{
return $var;
}
}
Here's the function sql_escape which is called for strings.
private function sql_escape($string)
{
if (!$this->db_connection)
{
return @mysql_real_escape_string($string);
}
return @mysql_real_escape_string($string, $this->db_connection);
}
mysql_real_escape_string
uses whatever escaping mode is best, therefore it is fairly secure.
However, may I suggest an alternative. Why create a database class when there are several out there which utilize a much more secure method - Prepared statements. In a nutshell these work by separating SQL logic from user inputted data.
I would suggest using the PDO CLASS.
Also, you should really avoid using error suppression @
in PHP. As this tends to suppress errors which you might not even expect.
The following article is a fairly straightforward introduction to PDO.
精彩评论