I'm writing a web application and I'm thinking about SQL injections. I have created a database class that, through an array, can do everything, forgetting about escaping strings. That class works like this:
$db->q(array(
'SELECT' => 'username',
'FROM' => USERS_TABLE,
'WHERE' => array('user_id' => 1)
));
In that function (db::q()) I check everything that has to be checked before creating the SQL string and executing it.
By the way, I think that it is not really needed. So I was thinking about just using a function request_var($name, 'POST'/'GET') that could get every $_POST and $_GET variable sent and escape them, so that I could just use:
$db->query("SELECT username FROM ".USERS_TABLE." WHERE user_id = 1");
Is it enough? Should I use db::q()? Should I use request_var()? Should I use both?
You need to ensure you escape strings using the appropriate function for your database. For example, by using pg_escape_string to escape string values prior to inserting them into the database.
From your code snippet, it looks like you are accepting table names as part of a GET / POST? Why does your front-end need to know about your database tables? Such knowledge should generally only be required of server-side code.
It's been my experience you don't just do a blanket check on all POST/GET variables. I typically check at the time of creating the query for a couple reasons:
- No excess overhead assuming it doesn't make it to a query that time
- I know what the data needs to look like when I know what column it's going in (validate ints, strings, floats, etc.)
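To illustrate the point made in both answers (escape or, better, bind values with the database's own mechanism, and validate each value at query time according to the column it is going into), here is an added example that is not part of the question or either answer. It uses PDO with an in-memory SQLite table of constructed sample rows so it runs stand-alone; the names validateColumn(), findUsers() and USERS_COLUMNS are hypothetical, and the allow-list of columns stands in for the per-column checks the second answer describes.

```php
<?php
// Added example (not from the question or the answers). Contrasts blanket
// escaping of request input with validating each value against its column
// at query time and binding it as a parameter. In-memory SQLite, constructed
// sample rows; validateColumn(), findUsers() and USERS_COLUMNS are hypothetical.

declare(strict_types=1);

const USERS_TABLE = 'users';

// Per-column validation rules. Only columns listed here may appear in a WHERE
// clause, so a caller cannot inject a column name either.
const USERS_COLUMNS = [
    'user_id'  => 'int',
    'username' => 'string',
    'balance'  => 'float',
];

function validateColumn(string $column, mixed $value): int|float|string
{
    $type = USERS_COLUMNS[$column] ?? null;
    if ($type === null) {
        throw new InvalidArgumentException("Unknown column: $column");
    }
    // filter_var() rejects strings such as "1 OR 1=1" for int/float columns.
    $checked = match ($type) {
        'int'    => filter_var($value, FILTER_VALIDATE_INT),
        'float'  => filter_var($value, FILTER_VALIDATE_FLOAT),
        'string' => is_string($value) && strlen($value) <= 64 ? $value : false,
    };
    if ($checked === false) {
        throw new InvalidArgumentException("Invalid value for $column");
    }
    return $checked;
}

// Builds "SELECT username FROM users WHERE a = :a AND b = :b" with every
// value bound as a parameter: the driver, not string escaping, keeps the
// data separate from the SQL text.
function findUsers(PDO $db, array $where): array
{
    $clauses = [];
    $params  = [];
    foreach ($where as $column => $value) {
        $params[":$column"] = validateColumn($column, $value); // throws on bad column/value
        $clauses[] = "$column = :$column";
    }
    $sql = 'SELECT username FROM ' . USERS_TABLE;
    if ($clauses !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (user_id INTEGER, username TEXT, balance REAL)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 10.5), (2, 'bob', 3.0)");

// Constructed request values, as they would arrive in $_GET / $_POST.
$requests = [
    ['user_id'  => '1'],          // valid: returns ["alice"]
    ['user_id'  => '1 OR 1=1'],   // rejected: not an integer
    ['username' => "' OR ''='"],  // bound as data, matches no row
    ['password' => 'x'],          // rejected: column not in the allow-list
];

foreach ($requests as $where) {
    try {
        printf("%-28s => %s\n", json_encode($where), json_encode(findUsers($db, $where)));
    } catch (InvalidArgumentException $e) {
        printf("%-28s => rejected (%s)\n", json_encode($where), $e->getMessage());
    }
}
```

Run with `php example.php` (PHP 8.0 or later, pdo_sqlite enabled). The check lives next to the query, as the second answer suggests, so a value is only validated when it actually reaches a query and the rule can be specific to the column; binding via prepare()/execute() replaces calls to pg_escape_string() or the driver-specific equivalent from the first answer.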