
Use a db class of just check get and post variables?

Developer https://www.devze.com 2023-01-23 11:34 Source: Web
I'm writing a web application and I'm thinking about SQL injections. I have created a database class that, through an array, can make everything, forgetting about escaping strings. That class works like this:

$db->q(array(
'SELECT' => 'username',
'FROM' => USERS_TABLE, 
'WHERE' => array('user_id' => 1)
));

In that function (db::q()) I check everything that has to be checked before creating the SQL string and executing it. By the way, I think that it is not really needed. So I was thinking about just using a function request_var($name, 'POST'/'GET') that could get every $_POST and $_GET variable sent and escape them, so that I could just use:

$db->query("SELECT username FROM ".USERS_TABLE." WHERE user_id = 1");

Is that enough? Should I use db::q()? Should I use request_var()? Should I use both?


You need to ensure you escape strings using the appropriate function for your database. For example, by using pg_escape_string to escape string values prior to inserting them into the database.

From your code snippet, it looks like you are accepting table names as part of a GET / POST? Why does your front-end need to know about your database tables? Such knowledge should generally only be required of server-side code.


It's been my experience that you don't just do a blanket check on all POST/GET variables. I typically check at the time of creating the query for a couple of reasons:

  1. No excess overhead assuming it doesn't make it to a query that time
  2. I know what the data needs to look like when I know what column it's going in (validate ints, strings, floats, etc.)
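One way to get what both answers ask for (identifiers whitelisted server-side, values validated per column, and never pasted into the SQL text), as an added PHP example that is not from the question or either answer; it assumes PDO with the MySQL driver, and the table and column names are constructed:

```php
<?php
// Added example, not code from the question or answers. A minimal db::q()
// that never escapes by hand: table and column names must come from a
// server-side whitelist (constructed here), WHERE values are bound as PDO parameters.
const ALLOWED = ['users' => ['user_id', 'username', 'email']];

function checkIdent(string $table, string $col): void {
    if (!in_array($col, ALLOWED[$table] ?? [], true)) {
        throw new InvalidArgumentException("unknown column $col");
    }
}

function buildSelect(array $spec): array {
    $table = $spec['FROM'];
    if (!isset(ALLOWED[$table])) {
        throw new InvalidArgumentException("unknown table $table");
    }
    $cols = (array) $spec['SELECT'];
    foreach ($cols as $c) { checkIdent($table, $c); }
    $sql = 'SELECT ' . implode(', ', $cols) . ' FROM ' . $table;
    $params = [];
    foreach ($spec['WHERE'] ?? [] as $col => $val) {
        checkIdent($table, $col);
        $params[":$col"] = $val;          // value goes to the driver, not the SQL
    }
    if ($params) {
        $sql .= ' WHERE ' . implode(' AND ',
            array_map(fn($c) => "$c = :$c", array_keys($spec['WHERE'])));
    }
    return [$sql, $params];
}

// Typed request_var(): validate each field for its column instead of escaping everything.
function request_var(string $name, string $method, string $type) {
    $src = ($method === 'POST') ? $_POST : $_GET;
    if (!isset($src[$name])) { return null; }
    if ($type === 'int') { return filter_var($src[$name], FILTER_VALIDATE_INT); }
    return is_string($src[$name]) ? $src[$name] : null;
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
$id = request_var('user_id', 'GET', 'int');
if ($id !== null && $id !== false) {
    [$sql, $params] = buildSelect(['SELECT' => 'username', 'FROM' => 'users',
                                   'WHERE' => ['user_id' => $id]]);
    $stmt = $pdo->prepare($sql);   // SQL text is fixed; $id is only a parameter
    $stmt->execute($params);
    var_dump($stmt->fetchAll(PDO::FETCH_ASSOC));
}
```

A request like `?user_id=1 OR 1=1` fails the integer check and never reaches the query, and an unexpected table or column name is rejected before any SQL is built.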
