I had to laugh.
While trolling Digg, I came across an article with no less than 750 diggs that said, rather briefly, to sanitize your database inputs, and mentioned mysql_real_escape_string() as his method.
Well, duh. You have that drilled into your head in every tutorial and class that deals with database interaction in programming: "if you're going to be using a database, find out how to sanitize your inputs *before* you figure out how to interface with the database."
That's a no-brainer. Any programmer who's worth their salt knows to sanitize their input - and has, at one point or another, forgotten to do so, or said, "Eh, I'll do it later; it looks cleaner this way while I'm developing it."
The real secret here is not to make sure you sanitize your inputs, but to build your application so that you don't *have* to.
Now, ideally, you'd be pretty far removed from the database itself - in fact, you'd be able to query your table rows through a class tailored to them, so that no SQL text is ever assembled from user input in the first place.
I've never written a DB layer for that level of abstraction, but I have an idea for a new side-project now.
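As an added illustration of the point above (example code, not from the original post), here is the "remember to escape it" style of lookup next to a small table class in the spirit of the one the post imagines. The table class sends only fixed SQL text and passes values as bound parameters, so there is nothing for callers to sanitize and nothing to forget. The database, the `users` table, the `UsersTable` class, and the seed rows are all constructed for the example; SQLite stands in for MySQL because it runs in memory with no server.

```python
"""Two ways to look up a row by name: query text assembled from the input
(the habit the post is complaining about having to remember) versus a
small table class that only ever sends parameterized statements."""
import sqlite3

# Constructed sample rows; none of this data is from the original post.
SEED_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Query text built by string formatting. Correct only as long as every
    caller remembers to escape `name` first; left unescaped here on purpose
    so the failure modes are visible."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


class UsersTable:
    """Tiny 'class tailored for the table' (hypothetical, built for this
    example). SQL text is fixed inside the class; values travel as bound
    parameters, so there is no input to sanitize and nothing to forget."""

    def __init__(self, conn):
        self._conn = conn

    def find_by_name(self, name):
        return self._conn.execute(
            "SELECT name, email FROM users WHERE name = ?", (name,)
        ).fetchall()

    def add(self, name, email):
        cur = self._conn.execute(
            "INSERT INTO users (name, email) VALUES (?, ?)", (name, email)
        )
        self._conn.commit()
        return cur.lastrowid


def compare(name):
    """Run the same lookup both ways and report what each returned.
    A database error from the concatenated version is reported as a string
    so the two results can be compared side by side."""
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: %s" % exc
    bound = UsersTable(conn).find_by_name(name)
    return {"concat": concat, "bound": bound}


if __name__ == "__main__":
    # A plain name, a name with an apostrophe, and the textbook tautology.
    for probe in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(probe), compare(probe))
```

Run it and the three probes tell the story: the plain name works both ways; the apostrophe in "O'Brien" breaks the concatenated query outright while the bound version finds the row; and the tautology makes the concatenated query return every row while the bound version returns none. The escaping function the Digg article recommends would patch the first two problems for callers who remember to use it; the table class makes remembering unnecessary.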
And if anyone is curious about what happened to my grand designs for this blog: I got a very time-consuming job. I'll keep on it, but for now, I have work to do.
Sunday, October 21, 2007
Tuesday, October 2, 2007
I came across this site today. It's an educational research blog concerning liquid-fluoride reactors that can burn Thorium-232, produce very little radioactive product in their waste stream, and produce no transuranic nuclides whatsoever. What does that mean? No Yucca Mountain, and finally, a *clean* energy source.
at 11:00 AM