I'm not sure exactly what kind of sanitization you think you're doing, but if all you do is check to see if it's empty (empty() implements isset(): empty() checks to see if it's set, then if it evaluates to an empty variable), that's not much sanitization. What you need to do is check for SQL injections, which means you need to sanitize GPC (GET, POST, COOKIES) to prevent the following (only a demonstration):

    SELECT `colname` FROM `tablename` WHERE id='$variable' LIMIT 0,10

What happens if $variable is equal to:

    $variable = $_POST['somedata'];

And $_POST['somedata'] ~ " 'INSERT INTO users VALUES('name','password','AdminGroup')' ";

This is an example of a possible SQL injection (which means unknown SQL code is running through your script's access). The way to prevent this is to escape single quotes before insert/select, and also turn all HTML entities into escaped values (so that someone cannot put a <script></script> block into the signature for their user, for example). The good thing is, there are numerous help sites online that describe how to do this.

Generally, you're better off wrapping your SQL commands into a class or at least a series of functions, so that you can implement your sanitization once and use it for all database interactions.

Google: http://www.google.com/search?q=php+sanitize+sql+statement
PHP.net: http://www.php.net/manual/en/security.database.sql-injection.php

-- 
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: "If the only tool you have is a hammer, you tend to see every problem as a nail."
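A worked version of the advice above, as an added example that is not part of the original post or the PHP manual: the string-built query the post demonstrates against, beside a small wrapper that does the sanitization in one place and an output-side HTML escape for the signature case. It assumes mysqli with mysqlnd (for get_result()), a `users` table with id, name and signature columns, and placeholder credentials; parameter binding is used as the stronger form of the post's escape-the-quotes advice.

```php
<?php
// Added example, not from the original post. Assumes mysqli with mysqlnd
// (for get_result()), a `users` table (id, name, signature) and the
// placeholder credentials below.

// VULNERABLE: the request value is spliced into the SQL text, so the
// database parses whatever the client sent as part of the statement
// (this is the query the post demonstrates the injection against).
function find_user_unsafe(mysqli $db, string $id): ?array {
    $res = $db->query("SELECT `name`, `signature` FROM `users` WHERE id='$id' LIMIT 0,1");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// SAFE: one helper that binds every GPC value as a parameter, so user data
// is never parsed as SQL. Binding is the stronger form of the post's
// "escape single quotes before insert/select" advice, done in one place.
function db_select(mysqli $db, string $sql, string $types, array $params): array {
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if ($params !== []) {
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

function find_user_safe(mysqli $db, string $id): ?array {
    $rows = db_select($db,
        "SELECT `name`, `signature` FROM `users` WHERE id=? LIMIT 0,1",
        's', [$id]);
    return $rows[0] ?? null;
}

// Output side: escape HTML entities so a signature holding <script></script>
// is displayed as text instead of being run by the browser.
function render_signature(array $user): string {
    return '<p>' . htmlspecialchars($user['signature'], ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'); // placeholder
$db->set_charset('utf8mb4');
$user = find_user_safe($db, $_POST['somedata'] ?? '');
if ($user !== null) {
    echo render_signature($user);
}
```

Routing every query through db_select() means the binding cannot be forgotten on one page and remembered on another, which is the point of the post's "wrap it in a class or functions" advice.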