I normally use a function of my own to clean input before adding the values inside a query to prevent SQL injections. I also use PEAR DB_DataObject.
I read somewhere that DB_DataObject cleans the input itself. Is this true? Can I assign uncleaned input to a DB_DataObject object? (What about mysql_real_escape_string? I get an error using it in combination with DB_DataObject because no connection with the DB is established yet.)
Also I'm curious how other people clean their input. Is there a best practice?
DB_DataObject sanitizes inputs passed on the "->set*" methods, e.g.
Assuming User to be a DB_DataObject, the following would all be safe:
$user = new User;
$user->firstName = $_REQUEST['first'];      // value is quoted when the INSERT/UPDATE is built
$user->setFirstName($_REQUEST['first']);    // closing ')' was missing in the original
$user->setFrom($_REQUEST);                  // only keys matching known columns are copied
Any method that you actually pass fragments of SQL to is not safe, things like:
$user->selectAs($_REQUEST['col'] . ', first as name');   // column name spliced straight into the SELECT
$user->whereAdd("first={$_REQUEST['first']}");            // value spliced unquoted into the WHERE clause (original had a broken string literal)
Hope that clarifies things a bit...
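The safe/unsafe split described in the answer above, written out as an added example. This is not code from the original post or from PEAR; it assumes a class User extending DB_DataObject for a table named user with columns first, last and email (configured through the usual DB_DataObject ini options), and the allowlist helper selectColumn() and the array form of selectAs() are my own assumptions about usage, not part of the library's documented contract.

```php
<?php
// Added example, not from the original answer or from PEAR DB_DataObject.
// Assumes: class User extends DB_DataObject, table `user` with columns
// first, last, email; DB_DataObject options already loaded via PEAR::getStaticProperty.
require_once 'DB/DataObject.php';

// Constructed untrusted input, shaped like a hostile form submission.
$input = array(
    'first' => "O'Brien' OR '1'='1",
    'col'   => 'email; DROP TABLE user',
);

// 1. Property assignment / setFrom(): DB_DataObject quotes these values itself
//    when it builds the INSERT or UPDATE, so raw input is safe on this path.
$user = new User;
$user->setFrom(array('first' => $input['first']));
$user->insert();   // INSERT INTO user (first) VALUES ('O\'Brien\' OR \'1\'=\'1')

// 2. Lookups driven by properties build their WHERE clause with the same quoting.
$lookup = new User;
$lookup->first = $input['first'];
$matches = $lookup->find();   // counts rows whose `first` literally equals the string

// 3. whereAdd() takes an SQL fragment verbatim, so the value has to be escaped
//    and quoted by the caller. The object's own escape() opens the DataObject
//    connection first, which is why it works where mysql_real_escape_string()
//    fails with "no connection" before any query has run.
$q = new User;
$q->whereAdd("first = '" . $q->escape($input['first']) . "'");
$q->find();

// 4. Column names cannot be escaped like values. Check them against an allowlist
//    before they reach selectAs(); anything not on the list is rejected outright.
//    (Hypothetical helper; the array form of selectAs() is assumed from PEAR's API.)
function selectColumn(DB_DataObject $obj, $column, array $allowed)
{
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown column: $column");
    }
    $obj->selectAs(array($column), '%s');
    return $obj;
}

$q2 = new User;
try {
    selectColumn($q2, $input['col'], array('first', 'last', 'email'));
} catch (InvalidArgumentException $e) {
    // 'email; DROP TABLE user' is not an allowed column name, so it never reaches SQL.
    error_log($e->getMessage());
}
```

The rule of thumb this illustrates: let DB_DataObject build the SQL from properties wherever possible (paths 1 and 2), and treat whereAdd(), selectAs(), orderBy() and query() as raw SQL where values need escape() plus quotes and identifiers need an allowlist.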