Help improving / reviewing some PHP code

Thanks suarve, would you say that the validation is meant to replace mysqli_real_escape_string?

No.

You should use both, never trust any data coming into your code - whether it's from the request or the database.

Filter everything coming in the $_REQUEST global, and then filter everything going into the database - the database knows best how to escape special chars for itself, so use that functionality.
 
The reason I ask is because the new function filter_var() plus mysqli_real_escape_string() is adding slashes twice. So are you saying I should disable slashes on filter_var() and use mysqli_real_escape_string() instead?
 
Correct. If in the future you decide to migrate away from MySQL to another database that handles escape chars differently, or to an object store, then it makes little sense to have the string escaped. Additionally, if you want to manipulate the string before it goes to the DB then you probably don't want to pre-manipulate it short of validation.

I wrote some DB and Filter classes for when Filter and Prepare/PDO weren't available on the Server. http://smkd.net/repos/smkd - they need some work mind.
 
Thank you for clarifying that chap ;)
 
Thanks fella :)

I have been looking into PDO. I think I am going to migrate over to it; am I right in thinking it's impossible for SQL attacks using it?

Also OP, how are you getting on?
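As an added illustration of the approach the thread settles on (validate the request with filter_var() without adding slashes, then let a prepared statement handle quoting), here is example code that is not from the thread or its linked repository. It assumes the pdo_sqlite extension is available so it runs offline; the request data is constructed for the demo.

```php
<?php
// Added example, not from the thread: validation stays separate from escaping.
declare(strict_types=1);

// Constructed stand-in for $_REQUEST, including a value with a quote in it.
$request = ['user_id' => '42', 'email' => 'o.brien@example.com',
            'name' => "O'Brien; DROP TABLE users"];

// 1. Validate: reject input that does not match, never "clean" it into shape
//    and never add slashes here (that is the database layer's job).
function validateInput(array $req): array
{
    $id    = filter_var($req['user_id'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $email = filter_var($req['email'] ?? null, FILTER_VALIDATE_EMAIL);
    $name  = $req['name'] ?? '';
    if ($id === false || $email === false || $name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('invalid request data');
    }
    return ['user_id' => $id, 'email' => $email, 'name' => $name];
}

// 2. The double-escaping problem from the thread: slashes added at the filter
//    stage and again at the escaping stage corrupt what gets stored.
function escapedTwice(string $value): string
{
    $filtered = filter_var($value, FILTER_SANITIZE_ADD_SLASHES); // O\'Brien
    return addslashes($filtered); // stands in for mysqli_real_escape_string
}
// escapedTwice("O'Brien") gives O\\\'Brien, stored literally as O\'Brien.

// 3. Prepared statement: the value is bound as data, never spliced into SQL.
//    With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so the
//    server, not the driver, does the quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');

$clean = validateInput($request);
$stmt = $pdo->prepare('INSERT INTO users (id, email, name) VALUES (:id, :email, :name)');
$stmt->bindValue(':id', $clean['user_id'], PDO::PARAM_INT);
$stmt->bindValue(':email', $clean['email']);
$stmt->bindValue(':name', $clean['name']);
$stmt->execute();

// The quote and the trailing "DROP TABLE" text are stored verbatim as one
// string; nothing in them was ever parsed as SQL.
$row = $pdo->query('SELECT name FROM users WHERE id = 42')->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "O'Brien; DROP TABLE users", escapedTwice("O'Brien"));
```

Bound parameters protect the values; table and column names still have to come from a whitelist in your code, since they cannot be bound.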
 