Posted by Raj Shekhar on 03/27/05 19:34
<tg-php@gryffyndevelopment.com> writes:
>
> So if I could broaden the question and ask, in general, what people
> recommend for pre-processing data before it goes into a SQL
> statement.. for security and for things like making sure
> single quotes and other special characters are escaped properly?
>
>
> htmlentities()
> addslashes() (if magic quotes isn't turned on right?)
>
> What else?
>
Using some sort of database abstraction library (Pear::Db, Adodb) also
helps. At least Adodb escapes the slashes in a SQL statement before
it is sent for execution. Using a library also provides a choke point
and you can add your own additional checks in the library without
letting the developers worry if they have done all the checks and
validations correctly.
--
Raj Shekhar
MySQL DBA, programmer and slacker
home : http://rajshekhar.net
Y! : Operations Engineer
Y!IM : lunatech3007
blog : http://rajshekhar.net/blog/
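As an added illustration of the choke-point idea discussed above (example code written for this page, not from the thread or from PEAR::DB/ADOdb), a Python/sqlite3 sketch: a port of PHP's addslashes() pasted into the SQL text, beside a small wrapper class through which every statement passes, binding values as driver parameters and running pluggable checks. SQLite doubles quotes rather than backslash-escaping them, so the addslashes() route breaks on a legitimate name such as O'Brien; quoting rules are dialect-specific, which is one more reason to let the library that knows the engine do it. The table, the sample row and the no_nul_bytes check are constructed for the example.

```python
import sqlite3

def addslashes(s: str) -> str:
    """Port of PHP's addslashes(): backslash-escape ', ", backslash and NUL.
    That is MySQL-style quoting; SQLite and standard SQL double the quote instead."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

class Db:
    """Minimal abstraction layer used as the single choke point: every statement
    goes through query(), which runs the registered checks and hands values to
    the driver as bound parameters instead of pasting them into the SQL text."""
    def __init__(self, conn):
        self.conn = conn
        self.checks = []

    def add_check(self, fn):
        self.checks.append(fn)

    def query(self, sql, params=()):
        for check in self.checks:
            check(sql, params)          # a check vetoes the query by raising ValueError
        return self.conn.execute(sql, params).fetchall()

def no_nul_bytes(sql, params):
    """Example of an extra check added centrally: reject NUL bytes in parameters."""
    for p in params:
        if isinstance(p, str) and "\0" in p:
            raise ValueError("NUL byte in parameter")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('O''Brien')")   # constructed sample row
    db = Db(conn)
    db.add_check(no_nul_bytes)
    return db

def lookup_escaped(db, name):
    """addslashes() route, bypassing the choke point: returns rows, or the engine's error text."""
    try:
        sql = f"SELECT name FROM users WHERE name = '{addslashes(name)}'"
        return db.conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return f"error: {e}"

def lookup_bound(db, name):
    """Choke-point route: the value never becomes part of the SQL text."""
    return db.query("SELECT name FROM users WHERE name = ?", (name,))
```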