Posted Mar 30, 2006 14:51 UTC (Thu) by ccyoung
Parent article: SQL injection attacks
the function db_quote() for input filtering is in my experience inadequate.
what is needed is one filter function for each data type. this not only formats but does type checking. for example, db_get_string may not allow quotes and punctuation, whereas db_get_text might be more forgiving.
db_get_code( $code, $mustexist=false )
db_get_string( $str, $mustexist=false )
db_get_text( $text, $mustexist=false )
db_get_integer( $int, $mustexist=false )
a big gotcha in PHP is it's confusion between 0, null, and an empty string.
to post comments)