Hello,
on 01/04/2005 11:40 PM diroddi said the following:
In reference to the Manuel Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?
Also, does anybody know of functions or classes that clean variables to
prevent SQL injection attacks or other security issues?
Yes, if you use the DiscardInvalidValues option you can tell the class
to discard values that are not considered valid.
For instance, if you are editing a database record and you need to pass
the record id, which is usually an integer value, if a hacker tries to
spoof that value by passing something like "0 ; DROP TABLE users;" and you
used ValidateAsInteger and DiscardInvalidValues, the class will ignore
the submitted value and restore the default value.
Anyway, SQL injection prevention should be mostly done at SQL execution
time. If you are dealing with text values, you should quote them
properly to escape any characters that have special meaning for your
database server.
Personally, I use Metabase as database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions like
GetTextFieldValue() that do the appropriate quoting of text field values
when the query statements are composed. You can also use Metabase's
prepared query support, which performs the necessary conversion or
quoting of data values where needed.
http://www.phpclasses.org/metabase
--
Regards,
Manuel Lemos
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/
Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
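The two layers described in the reply above, shown as an added example in plain PHP. This is not the Form class's or Metabase's own code: the integer check stands in for what ValidateAsInteger plus DiscardInvalidValues achieves, and PDO::quote() and a PDO prepared statement stand in for GetTextFieldValue() and Metabase prepared queries. The function name integerOrDefault, the users table, the in-memory SQLite database and the hostile $_POST values are all constructed for the demonstration.

```php
<?php
// Added example, not code from the Form class or Metabase.
// Layer 1: validate the record id as an integer and fall back to the
//          default when the submitted value is not a well-formed integer.
// Layer 2: quote text values, or better, bind them, at execution time.
declare(strict_types=1);

/**
 * Stand-in for ValidateAsInteger + DiscardInvalidValues (hypothetical
 * helper): return the submitted value as an int only if the whole
 * string is an optional sign followed by digits, otherwise the default.
 */
function integerOrDefault(array $post, string $name, int $default): int
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return $default;
    }
    // Anchored pattern: "0 ; DROP TABLE users;" and "1e3" both fail it.
    if (preg_match('/^-?[0-9]+$/', $post[$name]) !== 1) {
        return $default;
    }
    return (int) $post[$name];
}

// Constructed demo schema in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (7, 'alice'), (8, 'bob')");

// Constructed hostile submission: a spoofed id and a name carrying a quote.
$_POST = [
    'id'   => '0 ; DROP TABLE users;',
    'name' => "O'Brien'); DROP TABLE users; --",
];

// Layer 1: the spoofed id is discarded and the default record id is kept.
$id = integerOrDefault($_POST, 'id', 7);

// What naive concatenation would have produced, shown but never executed:
$unsafeSql = "UPDATE users SET name = '" . $_POST['name'] . "' WHERE id = " . $_POST['id'];

// Layer 2a: quote the text value so it is a literal, not SQL (the role
// GetTextFieldValue() plays in Metabase; here PDO::quote()).
$quotedName = $db->quote($_POST['name']);
$db->exec("UPDATE users SET name = $quotedName WHERE id = $id");

// Layer 2b: the preferred form, a prepared query with a bound parameter.
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$name = $stmt->fetchColumn();

// The table survives and the hostile string was stored verbatim as data.
$rows = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
printf("id=%d name=%s rows=%d\n", $id, $name, $rows);
printf("never executed: %s\n", $unsafeSql);
```

Running it with the PDO SQLite driver installed prints the default id 7, the attacker's name string stored as plain data, and a row count of 2, i.e. the users table is still there. The pattern check is deliberately stricter than PHP's loose (int) cast, which would silently turn "0 ; DROP TABLE users;" into 0 rather than rejecting it; rejecting and restoring the default is the behaviour the reply attributes to DiscardInvalidValues.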