Sunday, 15 January 2012

php - Is it OK to sometimes allow dynamic SQL without sanitization?


On my PHP project, my practice has always been to sanitize the integer values in dynamic SQL.

Whenever possible, parameterized queries are used, but for update and delete conditions Zend_Db_Adapter requires a non-parameterized SQL string. That is why I always write, without thinking:

  $db->delete('table_foo', 'id = ' . intval($obj->get_id()));

which is equivalent to, but shorter than (I checked the ZF source code):

  $db->delete('table_foo', $db->quoteInto('id = ?', $obj->get_id(), 'INTEGER'));

My colleague strongly objects to intval(), saying that if the $obj id is empty (the object is not yet saved to the DB) I will get no error and the DB operation will simply run silently. That is exactly what happened to them.

He says that if we sanitize all the HTML form inputs, there is no way an integer ID could possibly come in as '; DROP TABLE ...', ' OR 1 = 1', or some other dirty value and end up in our SQL queries. So I am just being paranoid, and our life is becoming more complex than necessary. "Stop relying on values from $_SESSION," they say.

However, for string values in conditions he agrees with:

  $db->update('table_foo', $column, 'string_column_bar = ' . $db->quote($string_value));

I failed to prove him wrong, and he failed to prove me wrong. What would you do?

Which bothers you more:

  • Tracking down a bug that did not cause a failed SQL query.
  • Restoring your data after someone found the hole and exploited it.

Whichever you choose, the answer is personal.

If anything, you can do both: create your own function which first checks for zero and then calls intval(), and use that instead; then you get the best of both worlds.
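One way to write the helper the answer suggests, as an added example for this page rather than code from the question, the answer or Zend Framework; `requireId`, `InvalidIdException` and the `FakeDb` stub are assumed names, and the stub stands in for `Zend_Db_Adapter::delete()` so the example runs on its own:

```php
<?php
// Added example, not from the question or answer: a strict id check that
// fails loudly on empty, zero or non-numeric ids, instead of intval()'s
// silent coercion. FakeDb (assumed) stands in for Zend_Db_Adapter::delete().
final class InvalidIdException extends InvalidArgumentException {}

// Return $value as a positive int, or throw. Accepts ints and digit-only
// strings; rejects '', null, 0, '0', '-1', '12abc', '1; DROP TABLE x'.
function requireId($value): int
{
    if (is_int($value)) {
        $id = $value;
    } elseif (is_string($value) && preg_match('/\A[1-9][0-9]{0,17}\z/', $value)) {
        $id = (int) $value;   // length-capped so it cannot saturate at PHP_INT_MAX
    } else {
        throw new InvalidIdException(
            'Expected a positive integer id, got ' . var_export($value, true)
        );
    }
    if ($id < 1) {
        throw new InvalidIdException("Expected a positive integer id, got $id");
    }
    return $id;
}

// Records the WHERE clause it receives instead of touching a database.
final class FakeDb
{
    public array $wheres = [];
    public function delete(string $table, string $where): int
    {
        $this->wheres[] = $where;
        return 1;
    }
}

$db = new FakeDb();
// Happy path: builds exactly the clause from the question.
$db->delete('table_foo', 'id = ' . requireId('42'));   // WHERE "id = 42"

// The inputs both sides worry about no longer run silently:
// an unsaved object (empty id) and junk that intval() would quietly turn into 1.
foreach (['', null, 0, '0', '1; DROP TABLE table_foo', '1 OR 1=1'] as $bad) {
    try {
        $db->delete('table_foo', 'id = ' . requireId($bad));
    } catch (InvalidIdException $e) {
        echo $e->getMessage(), PHP_EOL;   // surfaced as an error, not executed
    }
}
```

Unlike intval(), which maps '' and '1; DROP TABLE table_foo' to 0 and 1 respectively, the helper raises on both, so a missing id shows up in the error log rather than as a silent delete.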

