LWN.net Logo

Advertisement

ThinLinc Terminal Server

Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux applications on the same desktop. V

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

In defense of Ubuntu

Why the JMRI decision matters

LWN.net Weekly Edition for August 14, 2008

Details of the DNS flaw revealed

Udev rules and the management of the plumbing layer

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

input filtering

input filtering

Posted Mar 30, 2006 14:51 UTC (Thu) by ccyoung (subscriber, #16340)
Parent article: SQL injection attacks

the function db_quote() for input filtering is in my experience inadequate.

what is needed is one filter function for each data type. this not only formats but does type checking. for example, db_get_string may not allow quotes and punctuation, whereas db_get_text might be more forgiving.

db_get_code( $code, $mustexist=false )
db_get_string( $str, $mustexist=false )
db_get_text( $text, $mustexist=false )
...
db_get_integer( $int, $mustexist=false )

a big gotcha in PHP is it's confusion between 0, null, and an empty string.

(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.