MySQL Injection Protection
I had to laugh.
While trawling Digg, I came across an article with no fewer than 750 diggs that said, rather briefly, to sanitize your database inputs, and mentioned mysql_real_escape_string() as its method.
Well, duh. You have that drilled into your head in tutorials and classes that deal with database interaction in programming: "if you're going to be using a database, find out how to sanitize your inputs *before* you figure out how to interface with the database."
That's a no-brainer. Any programmer who's worth their salt knows to sanitize their input - and has, at one point or another, forgotten to do so, or said, "Eh, I'll do it later; it looks cleaner this way while I'm developing it."
The real secret here is not to make sure you sanitize your inputs, but to build your application so that you don't *have* to.
Now, ideally, you'd be pretty far removed from the database itself - in fact, ideally, you'd be able to query your table rows through a class tailored for them, so the calling code never assembles SQL text at all.
I've never written a DB layer for that level of abstraction, but I have an idea for a new side-project now.
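As an added illustration of that idea (example code, not the post's own nor any particular DB layer): a small per-table class built on PDO prepared statements, where the caller never touches SQL text and so has nothing to forget to escape. The table name `users`, its columns, and the connection details are assumed for the example.

```php
<?php
// Added example (not from the original post): one class per table, backed by
// PDO prepared statements so untrusted input is sent as data, never as SQL text.
// Assumes a MySQL table `users(id INT, email VARCHAR(255), name VARCHAR(255))`
// and the placeholder credentials passed to connect() below.
declare(strict_types=1);

final class UserTable
{
    // Identifiers (column names) cannot be bound as parameters, so sort
    // columns come from a fixed allow-list rather than from the request.
    private const ALLOWED_SORT = ['id', 'email', 'name'];

    public function __construct(private PDO $db) {}

    public static function connect(string $dsn, string $user, string $pass): self
    {
        $db = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]);
        return new self($db);
    }

    public function findByEmail(string $email): ?array
    {
        $stmt = $this->db->prepare('SELECT id, email, name FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]); // value is bound, not spliced into the query
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    public function listSorted(string $sortBy = 'id', int $limit = 50): array
    {
        if (!in_array($sortBy, self::ALLOWED_SORT, true)) {
            throw new InvalidArgumentException("Unknown sort column: $sortBy");
        }
        $stmt = $this->db->prepare("SELECT id, email, name FROM users ORDER BY $sortBy LIMIT :limit");
        $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Contrast with the pattern the post is reacting to, where request input is
// concatenated into the SQL string and safety depends on escaping it every time:
//   $sql = "SELECT * FROM users WHERE email = '" . $_GET['email'] . "'";
// With UserTable, the calling code only ever passes values:
$users = UserTable::connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'placeholder');
var_dump($users->findByEmail($_GET['email'] ?? ''));
```

Column names and other identifiers are the one thing a prepared statement cannot protect, which is why `listSorted()` checks them against a fixed list instead of binding them.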
And if anyone is curious about what happened to my grand designs for this blog: I got a very time-consuming job. I'll keep on it, but for now, I have work to do.