Here’s an example wrapper for an SQL query:
    private $where = '';

    public function where($col, $val)
    {
        // Column names cannot be bound as PDO parameters, so the identifier is
        // restricted to [A-Za-z0-9_] before it is interpolated into the SQL.
        if (!preg_match('~^[a-z0-9_]+$~i', $col)) {
            throw new Exception("Invalid parameter $col");
        }
        $this->where .= " WHERE $col = :$col";
    }
Is this overkill, since the regex is probably using resources?
Note I am actually using this to wrap PDO (notice the colon in :$col).
If $col can be specified through user input then this is not overkill but rather your only defense against SQL injection.

If $col is known safe (for example your code produces its value with a switch statement) then it’s probably not worth it to include the runtime check. But you should take into account the possibility of the “known safe” status changing as the program is maintained in the future.
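The distinction the answer draws, as an added example that is not code from the question or the answer: values are bound as PDO parameters, while column names, which PDO cannot bind, are accepted only from an explicit whitelist the caller supplies (the SafeQuery class, its whitelist and the SQLite demo data are assumptions for illustration).

```php
<?php
// Added example: a minimal PDO query builder that handles identifiers and
// values differently. Values are always bound; identifiers must be whitelisted.
final class SafeQuery
{
    private array $conditions = [];
    private array $params = [];

    public function __construct(
        private PDO $pdo,
        private string $table,
        private array $allowedCols   // e.g. ['id', 'email'], defined per table
    ) {
        if (!preg_match('~^[a-z0-9_]+$~i', $table)) {
            throw new InvalidArgumentException('Invalid table name');
        }
    }

    // $col may come from user input: accept it only if it is whitelisted.
    // $val may come from user input: it is never interpolated, only bound.
    public function where(string $col, mixed $val): self
    {
        if (!in_array($col, $this->allowedCols, true)) {
            throw new InvalidArgumentException("Column not permitted: $col");
        }
        // Numbered placeholders avoid reusing ":$col" when the same column
        // appears in two conditions, which PDO does not reliably support.
        $placeholder = ':p' . count($this->params);
        $this->conditions[] = "$col = $placeholder";
        $this->params[$placeholder] = $val;
        return $this;
    }

    public function fetchAll(): array
    {
        $sql = "SELECT * FROM {$this->table}";
        if ($this->conditions !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $this->conditions);
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($this->params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'a@example.com'), (2, 'b@example.com')");
$q = new SafeQuery($pdo, 'users', ['id', 'email']);
var_dump(count($q->where('email', 'a@example.com')->fetchAll()) === 1); // bool(true)
```

Passing a column name that is not in the whitelist, such as one built from a request parameter, throws before any SQL is assembled.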