Sunday, October 21, 2007

MySQL Injection Protection

I had to laugh.

While trolling Digg, I came across an article with no fewer than 750 diggs that said, rather briefly, to sanitize your database inputs, and mentioned mysql_real_escape_string() as the author's method.

Well, duh. You have that drilled into your head in tutorials and classes that deal with database interaction in programming: "if you're going to be using a database, find out how to sanitize your inputs *before* you figure out how to interface with the database."

That's a no-brainer. Any programmer who's worth their salt knows to sanitize their input - and has, at one point or another, forgotten to do so, or said, "Eh, I'll do it later; it looks cleaner this way while I'm developing it."

The real secret here is not to make sure you sanitize your inputs, but to build your application so that you don't *have* to.

Now, ideally, you'd be pretty far removed from the database itself - in fact, ideally, you'd be able to query your table rows via a class tailored for them.

I've never written a DB layer for that level of abstraction, but I have an idea for a new side-project now.
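Here is what that kind of layer looks like in practice, as an added example that is not from the original post. It is Python rather than PHP, and an in-memory SQLite database stands in for MySQL so it runs offline; the `Users` class, the `users` table and its two rows are all constructed for the illustration. The point is the one the post makes: when every query goes through a class that only ever issues parameterized statements, the caller never builds SQL from input and there is nothing left to forget to escape. The string-concatenating function is kept alongside only to show the contrast on the same input.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory SQLite table standing in for MySQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

class Users:
    """Hypothetical row-access class tailored to the users table.

    Every statement it runs is parameterized, so the database driver
    sends the value separately from the SQL text; the value is never
    interpreted as SQL and no escaping is needed at the call site.
    """

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        cur = self.conn.execute(
            "SELECT id, name, email FROM users WHERE name = ?", (name,)
        )
        return cur.fetchall()

def find_by_name_unsafe(conn, name):
    # The pattern the post warns about: SQL built by string concatenation,
    # relying on the caller to remember mysql_real_escape_string() or the
    # like. Shown only to contrast with the class above.
    cur = conn.execute(
        "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    )
    return cur.fetchall()

def compare(name):
    # Returns (rows via the class, rows via concatenation) for the same input,
    # so the difference between the two approaches is directly observable.
    conn = make_db()
    safe = Users(conn).find_by_name(name)
    unsafe = find_by_name_unsafe(conn, name)
    return len(safe), len(unsafe)

if __name__ == "__main__":
    print(compare("alice"))        # both paths: 1 row
    print(compare("' OR '1'='1"))  # class: 0 rows; concatenation: every row
```

Run it and the two numbers tell the story: a literal name returns one row either way, while a value containing a quote is simply a string that matches nothing when it goes through the class, but changes the shape of the query when it is concatenated in. A layer like this is cheap to write, and it is the reason the sanitization lecture stops being a per-query chore.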

And if anyone is curious about what happened for my grand designs for this blog: I got a very time-consuming job. I'll keep on it, but for now, I have work to do.
