Posted by JM Ivler on 02/13/07 01:11
Erwin Moller wrote:
> JM Ivler wrote:
>
>> Is there really any time when I don't want to run every _POST and _GET
>> through mysql_real_escape_string() before I use that data in accessing
>> the database?
>
> Well, if ALL your data posted to you in the form is meant to be inserted in a
> mySQL database, then it comes in handy, maybe.
> If the data is meant for anything else, it should be treated that way.
Actually, what happened was I wrote a simple and fast "user login
validation" and a VERY NICE person pointed out that I had fallen into
the 'or 1=1-- trap. Throughout the balance of the application I had been
very careful, but this quick and dirty add-on... OY!
In general I create all variables I will be using in a declarative
"init" on each module and I will most likely just create a new "load
data" function where I pass it the names of the variables to be cleaned,
and they get processed to clean for the database.
I agree, overkill is not necessary, but developing a series of good
habits (like modular coding, etc) works well. Just like using globals on
is not recommended, having a nice way to clean up POST and GET code that
you are using is a good habit to get into.
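The login trap mentioned above, with the two ways out of it that the thread discusses (an escaping "load data" helper and prepared statements), as an added example that is not the poster's code. It assumes a hypothetical `users` table with `username` and `password_hash` columns and a `mysqli` connection in `$db`; those names are assumptions, not anything from the original message.

```php
<?php
// Added example, not the poster's code. Assumes a hypothetical `users` table
// with `username` and `password_hash` columns and a mysqli connection in $db.

// 1. The pattern that falls into the ' or 1=1-- trap: request data is pasted
//    straight into the SQL text, so a single quote in $user or $pass changes
//    the structure of the WHERE clause instead of being compared as data.
function vulnerableLoginQuery(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
}

// 2. The "load data" helper the poster describes: pass it the names of the
//    variables you need, and each value comes back escaped for use inside a
//    quoted SQL string literal. Note that escaping only helps inside quotes;
//    a value used as a bare number must still be cast (e.g. (int)).
function loadCleanPost(mysqli $db, array $names): array
{
    $clean = [];
    foreach ($names as $name) {
        $raw = $_POST[$name] ?? '';
        $clean[$name] = $db->real_escape_string($raw);
    }
    return $clean;
}

// 3. The stronger habit: a prepared statement. The username is bound as a
//    parameter, so it never becomes part of the SQL text and there is no
//    escaping step to forget. The password is checked against a stored hash
//    rather than compared inside the query. (get_result() needs mysqlnd.)
function checkLogin(mysqli $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare("SELECT id, password_hash FROM users WHERE username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($pass, $row['password_hash'])) {
        return null;   // unknown user or wrong password: same answer either way
    }
    return (int) $row['id'];
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
// $in = loadCleanPost($db, ['username', 'password']);   // escaped copies
// $id = checkLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($id === null) { /* reject login */ }
```

The escaping helper matches the habit the poster is building, but it is only correct for values that end up inside quoted string literals; prepared statements remove that condition entirely, which is why `checkLogin` does not need the cleaned copies at all.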