Re: Recommendation for a MySql wrapper class

On Sat, April 2, 2005 5:41 am, Ryan A said:
> so although this is new to me, I know there are a lot of PHP gurus on the
> list and I'm sure this is not new to them....I was hoping someone could
> recommend a class they are using as I am starting a new project on Monday
> and don't have the time to test each class before picking one (honest guys,
> there are a lot, you gotta browse them to believe it)
> I don't need anything fancy just something that gets the job done....safely
> and effectively.

Here's the thing:

Depending on your DATA that *YOU* expect, you'll need different scrubbing
functions.

For example, if your script expects an ID (auto_increment) and a big ol'
blob of text for a bulletin board posting, you're going to scrub those two
COMPLETELY differently.

<?php
  $id = abs( (int) $_REQUEST['id'] );
  $text = mysql_escape_string($_REQUEST['text']);
?>

You could maybe find some kind of class/package that has some pre-defined
"types" of data and scrubbers to go through them, and you'd do something
like:

<?php
  $id = scrubber($id, 'int+'); //'int+' ==> positive integer
  $text = scrubber($text, 'mysql'); //'mysql' ==> MySQL data
?>

That ain't really gonna save you much, is it?

And keeping track of all those different kinds of possible data "types" to
scrub for is gonna be a real PAIN.

Plus, invariably, you'll have some kind of data where a good scrubbing is
not going to be covered by the available "types" in the scrubber function.

So, basically, you're probably best off really thinking about what you
*EXPECT* and *ALLOW* for each and every variable independently and just
coding that.

You can also do something like this:

<?php
  //This should be scrubbed, but not sure how much:
  $text = $_REQUEST['text'];
  //So, for now, let's see what FAILS my current test, but not actually
  //implement the scrubbing until we've tried it for awhile:
  if (preg_match('/[^a-zA-Z0-9]/', $text)){
    error_log("$text would have failed " . __FILE__ . " " . __LINE__);
  }
  $text = mysql_escape_string($text);
?>

Do some testing first with users you know and trust NOT to intentionally
sabotage you, then try to find some nasty things that you SHOULD be
catching, and play with the characters you *ACCEPT* until you're happy.

-- 
Like Music?
http://l-i-e.com/artists.htm
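Here is the per-variable approach from the reply written out in full, as an added example that is not code from the original post or its author. It validates the two inputs discussed above (a positive ID and a posting body) against what is actually ALLOWED, keeps the "log what would have failed, don't block yet" dry-run idea, and then hands the values to a prepared statement instead of escaping them by hand. The `$pdo` connection and the `posts` table are assumed placeholders; the character class for the body text is one reasonable whitelist, not the only one.

```php
<?php
// Added example, not from the original post. Assumes PHP 8+, a PDO
// connection in $pdo and a table `posts` (id, body); both are placeholders.
declare(strict_types=1);

/**
 * Return a positive integer from raw request input, or null if it is not one.
 * filter_var() rejects "12abc", " 12", "1e3" and arrays instead of silently
 * casting them the way (int) would.
 */
function expect_positive_int(mixed $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/**
 * Return the posting text if it is a string within $maxLen bytes containing
 * only letters, digits, punctuation, symbols, spaces and line breaks (valid
 * UTF-8); otherwise null. With $dryRun = true the would-be rejection is only
 * logged and the text is returned unchanged, mirroring the "see what FAILS
 * first" stage in the post.
 */
function expect_post_text(mixed $raw, int $maxLen = 10000, bool $dryRun = false): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $reason = null;
    if (strlen($raw) > $maxLen) {
        $reason = 'too long';
    } elseif (!preg_match('/\A[\p{L}\p{N}\p{P}\p{S}\p{Zs}\r\n\t]*\z/u', $raw)) {
        // preg_match() returns false on invalid UTF-8, which is also rejected.
        $reason = 'disallowed characters';
    }
    if ($reason === null) {
        return $raw;
    }
    if ($dryRun) {
        // Log the reason, not the raw text, so the log itself stays clean.
        error_log(sprintf('%s:%d text would have failed (%s)', __FILE__, __LINE__, $reason));
        return $raw;
    }
    return null;
}

// Each variable gets its own rule, as the reply recommends.
$id   = expect_positive_int($_REQUEST['id'] ?? null);
$text = expect_post_text($_REQUEST['text'] ?? null, 10000, true); // dry run for now

if ($id === null || $text === null) {
    http_response_code(400);
    exit('bad input');
}

// Validation decides what is ALLOWED; the prepared statement takes care of
// quoting, so no mysql_escape_string() call is needed. $pdo is assumed.
$stmt = $pdo->prepare('UPDATE posts SET body = :body WHERE id = :id');
$stmt->execute([':body' => $text, ':id' => $id]);
```

Once the error log has been quiet for a while with trusted users, flip the dry-run flag to `false` and the same check starts rejecting instead of logging, which is the "play with the characters you ACCEPT until you're happy" step without a second code path.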

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

