Lemos form class

In article <11**********************@c13g2000cwb.googlegroups .com>,
"diroddi" <ja***@diroddi.com> wrote:

In reference to the Manual Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?

Also, does anybody know of functions or classes that clean variables to
prevent SQL injection attacks or other security issues?

Thanks

Well, you have the code. Why not read it and figure that out for
yourself? Such exploits allow unvalidated data to be entered into
fields on a web form and inserted directly into a MySQL database. To
prevent that, you strip various things out like all HTML and Javascript.
You also "escape" various things like single and double quotes.

Does his code do this? What would you need to modify to add this
enhancment?

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Hello,

on 01/04/2005 11:40 PM diroddi said the following:

In reference to the Manual Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?

Also, does anybody know of functions or classes that clean variables to
prevent SQL injection attacks or other security issues?

Yes, if you use the DiscardInvalidValues option you can tell the class
to discard values that are not considered valid.

For instance, if you are editing a database record and you need to pass
the record id which is usually an integer value, if an hacker tries to
spoof that value passing something like "0 ; DROP TABLE users;" and you
used ValidateAsInteger and DiscardInvalidValues, the class will ignore
the submitted value and restore the default value.

Anyway, SQL injection prevention should be mostly done at SQL execution
time. If you are deailing with text values, you should quote them
properly to escape any characters that have special meaning for your
database server.

Personally, I use Metabase as database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions like
GetTextFieldValue() that do the appropriate quoting of text field values
when the query statments are composed. You can also use Metabase
prepared queries support that perform the necessary conversion or
quoting of data values where needed.

http://www.phpclasses.org/metabase
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html

Manuel Lemos wrote:

Personally, I use Metabase as database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions like
GetTextFieldValue() that do the appropriate quoting of text field values
when the query statments are composed. You can also use Metabase
prepared queries support that perform the necessary conversion or
quoting of data values where needed.

http://www.phpclasses.org/metabase

I had used Metabase for a while as well and found it to be quite easy to
use. I have recently (in the last year or so) switched over to PEAR::MDB
simply because it is part of PEAR and I don't have to copy its code to
each site I host. Since that is so close to Metabase as far as API is
concerned, there was very little learning curve or porting effort. All
in all, both projects are well planned and are only missing a few
features that I could have used at one point. (I have yet to search in
MDB for previous missing features...)

--
Justin Koivisto - ju****@koivi.com
http://www.koivi.com

Hello,

on 01/05/2005 01:52 PM Justin Koivisto said the following:

Personally, I use Metabase as database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions
like GetTextFieldValue() that do the appropriate quoting of text field
values when the query statments are composed. You can also use
Metabase prepared queries support that perform the necessary
conversion or quoting of data values where needed.

http://www.phpclasses.org/metabase

I had used Metabase for a while as well and found it to be quite easy to
use. I have recently (in the last year or so) switched over to PEAR::MDB
simply because it is part of PEAR and I don't have to copy its code to
each site I host. Since that is so close to Metabase as far as API is
concerned, there was very little learning curve or porting effort. All
in all, both projects are well planned and are only missing a few
features that I could have used at one point. (I have yet to search in
MDB for previous missing features...)

That is because MDB is just a PEARified version of Metabase! ;-)

MDB was meant to be a transition from PEAR::DB to Metabase as it provide
a compatible API, so PEAR::DB users can benefit from true database
independence provided by Metabase without having change their database
calls too much.

If you were using Metabase you probably did not gain anything except
some work in changing your database calls in your applications. From
what I could understand from Lukas work MDB is being deprecated in
favour MDB2 which breaks compatibility with MDB.
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html