Posted by Toby A Inkster on 02/12/07 16:01
JM Ivler wrote:
> In other words, is there a good reason why I shouldn't have a function
> that walks through the POST[] and GET[] arrays and processes the
> mysql_real_escape_string() function against the data in order to ensure
> that there will be no attempts to do an SQL inject?
Yes -- firstly there may be (often are) things in those arrays that you
don't have any intention of putting into a database, and may wish to do
something else with instead. Running mysql_real_escape_string on them is
annoying when you try to use the variable for something else, and also a
waste of CPU time.
Secondly, many values can be sanitised using other methods that are less
CPU-intensive. For example, if you have a string that you need to insert
into a database, and you know that this string must consist of
alphanumeric characters only, then you can sanitise it like this:
$var = preg_replace('/[^A-Za-z0-9]/', '', $var);
If you have a variable you know should be an integer:
$var = (int)$var;
and so on. mysql_real_escape_string() (and the equivalent functions for
the better databases ;-) ) should only be used when you know that you
couldn't do a better job of sanitising the data yourself.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
* = I'm getting there!
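An added example, in Python rather than PHP and not part of the post above, of the per-field approach Toby describes: each database-bound field gets the cheapest validator that fits its meaning, while a value that is never sent to the database (a display name) is left untouched, which a blanket escape pass would mangle. The request dict, field names and `blanket_escape` helper are constructed for the example.

```python
import re

# Constructed sample request, standing in for PHP's $_GET / $_POST.
REQUEST = {
    "username": "jm_ivler",            # database-bound, must be alphanumeric
    "page": "3 UNION SELECT",          # database-bound, must be an integer
    "display_name": "O'Brien",         # only used in a greeting, never in SQL
}

def strip_to_alnum(value):
    """Whitelist: keep only [A-Za-z0-9], as the post's preg example intends."""
    return re.sub(r"[^A-Za-z0-9]", "", value)

def to_int(value, default=0):
    """Mirror of PHP's (int) cast: leading integer if present, otherwise 0."""
    m = re.match(r"^\s*[-+]?\d+", value)
    return int(m.group(0)) if m else default

def blanket_escape(value):
    """Toy stand-in for mysql_real_escape_string applied to every value."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

# Per-field rules for the fields that will reach the database.
SCHEMA = {
    "username": strip_to_alnum,
    "page": to_int,
}

def sanitise(request, schema):
    """Return only the database-bound fields, each cleaned by its own rule."""
    return {key: fn(request[key]) for key, fn in schema.items() if key in request}

def greeting(request, escape_everything=False):
    """Non-database use of a request value; escaping here only corrupts it."""
    name = request["display_name"]
    if escape_everything:
        name = blanket_escape(name)
    return f"Hello, {name}!"

if __name__ == "__main__":
    print(sanitise(REQUEST, SCHEMA))   # {'username': 'jmivler', 'page': 3}
    print(greeting(REQUEST))           # Hello, O'Brien!
    print(greeting(REQUEST, True))     # Hello, O\'Brien!
```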