You are here: Re: [PHP] Recommendation for a MySql wrapper class « PHP « IT news, forums, messages
Re: [PHP] Recommendation for a MySql wrapper class

Posted by Richard Lynch on 04/06/05 06:49

On Sat, April 2, 2005 5:41 am, Ryan A said:
> so although this is new to me, I know there are a lot of PHP gurus on the
> list and i'm sure this is not new to them....I was hopeing someone could
> recommend a class they are using as I am starting a new project on monday
> and dont have the time to test each class before picking one (honest guys,
> there are a lot, you gotto browse them to belive it)
> I dont need anything fancy just something that gets the job done....safely
> and effectivly.

Here's the thing:

Depending on your DATA that *YOU* expect, you'll need different scrubbing
functions.

For example, if your script expects and ID (auto_increment) and a big ol'
blob of text for a bulletin board posting, you're going to scrub those two
COMPLETELY differently.

<?php
$id = abs( (int) $_REQUEST['id'] );
$text = mysql_escape_string($_REQUEST['text']);
?>

You could maybe find some kind of class/package that has some pre-defined
"types" of data and scrubbers to go through them, and you'd do something
like:

<?php
$id = scrubber($id, 'int+'); //'int+' ==> postive integer
$text = scrubber($text, 'mysql'); //'mysql' ==> MySQL data
?>

That ain't really gonna save you much, is it?

And keeping track of all those different kinds of possible data "types" to
scrub for is gonna be a real PAIN.

Plus, invariably, you'll have some kind of data where a good scrubbing is
not going to be covered by the available "types" in the scrubber function.

So, basically, you're probably best off really thinking about what you
*EXPECT* and *ALLOW* for each and every variable independently and just
coding that.

You can also do something like this:

<?php
//This should be scrubbed, but not sure how much:
$text = $_REQUEST['text'];
//So, for now, let's see what FAILS my current test, but not actually
implement the scrubbing until we've tried it for awhile:
if (preg_match('/[^a-zA-Z0-9]/', $text)){
error_log("$text would have failed " . __FILE__ . " " . __LINE__);
}
$text = mysql_escape_string($text);
?>

Do some testing first with users you know and trust NOT to intentionally
sabotage you, then try to find some nasty things that you SHOULD be
catching, and play with the characters you *ACCEPT* until you're happy.

--
Like Music?
http://l-i-e.com/artists.htm

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация