I'm writing a web application and I'm thinking about SQL injections.
I have created a database class that, through an array, can do everything, without having to think about escaping strings.
That class works like this:
$db->q(array(
'SELECT' => 'username',
'FROM' => USERS_TABLE,
'WHERE' => array('user_id' => 1)
));
In that function (db::q()) I check everything that has to be checked before creating the SQL string and executing it.
By the way, I think that it is not really needed. So I was thinking about just using a function request_var($name, 'POST'/'GET') that could get every $_POST and $_GET variable sent and escape them, so that I could just use:
$db->query("SELECT username FROM ".USERS_TABLE." WHERE user_id = 1");
Is it enough? Should I use db::q()? Should I use request_var()? Should I use both?
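To make the difference between "escape everything on input" and "check or bind at the time the query is built" concrete, here is an added example (not the asker's PHP class, not a request_var() implementation) written in Python against an in-memory SQLite database so it can be run as-is; the table, its rows and all helper names are constructed for illustration. It takes the same `WHERE user_id = 1` query from the question and builds it three ways: by concatenation after blanket quote-escaping, with a bound parameter, and with per-query validation of the value's type. The escaped version is also run in a quoted string context to show where escaping does and does not help.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for USERS_TABLE; the rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def escape_input(value):
    """What a blanket request_var()-style escaper does to every $_GET/$_POST
    value: it doubles single quotes so the value can sit inside '...'."""
    return str(value).replace("'", "''")


def lookup_escaped(conn, raw_user_id):
    """Escape on input, then concatenate (the question's second approach).
    user_id is numeric, so the value is not inside quotes, and escaping
    quotes changes nothing about what the database parses as SQL."""
    sql = "SELECT username FROM users WHERE user_id = " + escape_input(raw_user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_name_escaped(conn, raw_name):
    """Same escaping, but in a quoted string context, where it does neutralize
    a quote-based payload because the value stays one string literal."""
    sql = "SELECT user_id FROM users WHERE username = '" + escape_input(raw_name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_user_id):
    """Bound parameter: the value travels separately from the SQL text and can
    never change the statement's structure, whatever it contains."""
    sql = "SELECT username FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (raw_user_id,))]


def lookup_validated(conn, raw_user_id):
    """Checking at query-build time: the value is validated for the type this
    column needs before any SQL is formed. Raises ValueError on anything that
    is not an integer."""
    user_id = int(raw_user_id)  # "1 OR 1=1" is rejected here
    return lookup_parameterized(conn, user_id)


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"
    print("escaped + concatenated :", lookup_escaped(conn, payload))  # all three users
    print("parameterized          :", lookup_parameterized(conn, payload))  # []
    print("quoted context, escaped:", find_by_name_escaped(conn, "' OR '1'='1"))  # []
    try:
        lookup_validated(conn, payload)
    except ValueError as exc:
        print("validated              : rejected,", exc)
```

The payload `1 OR 1=1` contains no quote, so the input-time escaper leaves it untouched and the concatenated query returns every row; the same string bound as a parameter matches nothing, and the validating version refuses it before a statement exists. This is the practical reason to treat each value according to the column and context it is going into at the point where the query is assembled, rather than applying one transformation to all request data up front.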
It's been my experience that you don't just do a blanket check on all POST/GET variables. I typically check at the time of creating the query, for a couple of reasons: