So you think your web-app is secure? #2
December 17th, 2007

Input data related to the DB (SQL injections, wrong or unexpected data...)
SQL injection is a system-wide threat and is best addressed systematically, on every piece of communication with the database, rather than query by query. We use PHP PEAR DB's quoteSmart() on all queries. In addition, every function in our database layer explicitly checks the type of its input variables and stops the script if the type doesn't match, so a value that is not of the expected type never reaches the query string at all.
An example of such a back-end function (note that the interpolation into the WHERE clause is safe only because mustBeInt() stops the script first; without that check this would be a textbook injection point):

    function getItemsOfMusic($musicId)
    {
        // Abort unless $musicId is an integer; nothing else may reach the query.
        Validator::mustBeInt($musicId);
        return $this->db->selectRows(array(
            'from'  => 'abt_music_items',
            'where' => "id_musics = $musicId",   // safe only after the check above
            'order' => 'sort, is_set, name'));
    }
One thing this is not: an excuse to relax because of PHP's mysql_query(). It is true that mysql_query() does not run multiple statements in one call, but stacked queries are only one form of SQL injection, and not the common one. An attacker who controls part of a single statement can still change its WHERE clause ("1 OR 1=1" returns every row), append a UNION SELECT to read other tables, or use boolean or time-based conditions (SLEEP()) to extract data blindly, all in one statement. The type checks and quoting above are what prevent that; the single-statement limit of mysql_query() does not.
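To make both points above concrete, here is an added example (my code, not the original post's or its application's): a strict implementation of a mustBeInt() check of the kind the post's Validator needs, run against constructed attacker inputs that are all single statements. The class and method name follow the post; the body, the use of an exception instead of a hard script stop, the abt_users table name and the sample payloads are my assumptions.

```php
<?php
// Added example, not the post's code. Validator::mustBeInt is the post's name;
// this body is an assumption about how a strict version should behave.
class Validator
{
    // Accept only PHP ints, or strings that are exactly an optionally signed
    // decimal integer with no leading zeros. is_numeric() is too loose for
    // this job: it accepts "1e3", " 1", "1.0" and (on old PHP) "0x1A".
    public static function mustBeInt($value)
    {
        if (is_int($value)) {
            return $value;
        }
        // \z rather than $: $ would still match before a trailing newline.
        if (is_string($value) && preg_match('/^-?(0|[1-9][0-9]*)\z/', $value)) {
            $int = (int) $value;
            // Round-trip check rejects values that overflow PHP_INT_MAX.
            if ((string) $int === $value) {
                return $int;
            }
        }
        throw new InvalidArgumentException(
            'expected integer, got ' . var_export($value, true));
    }
}

// The post's pattern: interpolate only after the check has passed.
function whereForMusic($musicId)
{
    $musicId = Validator::mustBeInt($musicId);
    return "id_musics = $musicId";
}

// The same interpolation with the check removed, to show what one statement can do.
function unsafeWhereForMusic($musicId)
{
    return "id_musics = $musicId";
}

// Constructed attacker inputs. None of them needs a second statement.
$payloads = array(
    '1 OR 1=1',                                            // every row comes back
    '0 UNION SELECT login, password, 1 FROM abt_users',    // hypothetical table
    '1 AND SLEEP(5)',                                      // time-based blind probe
    '1e3',                                                 // passes is_numeric()
    ' 1',                                                  // passes is_numeric()
    '99999999999999999999',                                // overflows PHP_INT_MAX
    '42',                                                  // the only legitimate one
);

foreach ($payloads as $p) {
    echo "unsafe:  ", unsafeWhereForMusic($p), "\n";
    try {
        echo "checked: ", whereForMusic($p), "\n";
    } catch (InvalidArgumentException $e) {
        echo "checked: rejected (", $e->getMessage(), ")\n";
    }
}
```

Only the last payload survives the strict check; every other one is either an injection attempt that needs no stacked query, or a value that a looser check such as is_numeric() would have waved through into the WHERE clause. For the non-integer columns where quoteSmart() has to do the work instead, PEAR DB's query()/prepare()/execute() with ? placeholders keeps the data out of the SQL text altogether, which is the safer default.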
