
input filtering

Posted Mar 30, 2006 14:51 UTC (Thu) by ccyoung (guest, #16340)
Parent article: SQL injection attacks

The function db_quote() for input filtering is, in my experience, inadequate.

What is needed is one filter function for each data type. This not only formats but does type checking. For example, db_get_string may not allow quotes and punctuation, whereas db_get_text might be more forgiving.

db_get_code( $code, $mustexist=false )
db_get_string( $str, $mustexist=false )
db_get_text( $text, $mustexist=false )
...
db_get_integer( $int, $mustexist=false )

A big gotcha in PHP is its confusion between 0, null, and an empty string.
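The per-type filter scheme sketched above, written out as an added PHP example (not the commenter's or LWN's code). The function names and the $mustexist parameter follow the comment; the allowed character classes, length limits, and the convention of returning null for a rejected value are my own assumptions.

```php
<?php
// Added example: one validating filter per data type instead of a single
// db_quote(). Each function returns the cleaned value, or null when the input
// is rejected. Callers must compare with === null, because a legitimate 0 or
// "" would otherwise be mistaken for a rejection (the PHP 0/null/"" gotcha).

function db_get_integer($int, $mustexist = false) {
    // Absent value: reject if the caller requires one, otherwise default to 0.
    if ($int === null || $int === '') {
        return $mustexist ? null : 0;
    }
    // Only an optional sign followed by digits. is_numeric() is deliberately
    // avoided: it also accepts "1e3", " 42" and leading/trailing whitespace.
    if (!is_int($int) && !is_string($int)) {
        return null;
    }
    if (!preg_match('/^-?[0-9]{1,18}$/', (string)$int)) {
        return null;
    }
    return (int)$int;
}

function db_get_string($str, $mustexist = false) {
    // Strict short strings (codes, names): letters, digits, underscore and
    // space only, so quotes and other punctuation never reach the query.
    if ($str === null || $str === '') {
        return $mustexist ? null : '';
    }
    if (!is_string($str) || !preg_match('/^[A-Za-z0-9_ ]{1,64}$/', $str)) {
        return null;
    }
    return $str;
}

function db_get_text($text, $mustexist = false) {
    // Free text is more forgiving: any valid UTF-8 (the /u modifier rejects
    // malformed byte sequences) without control characters other than tab,
    // LF and CR, up to an assumed 2000 characters. Quotes are allowed here,
    // so the result still has to be passed to the database as a bound
    // parameter rather than concatenated into the SQL string.
    if ($text === null || $text === '') {
        return $mustexist ? null : '';
    }
    if (!is_string($text) ||
        !preg_match('/^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]{1,2000}$/u', $text)) {
        return null;
    }
    return $text;
}
```

Constructed inputs such as the string "0" (a real zero, accepted even with $mustexist), "" (rejected when required), "1 OR 1=1" (rejected by db_get_integer) and "O'Reilly" (rejected by db_get_string but accepted by db_get_text) show the distinction the filters are meant to draw.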

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds