Is there a way to configure MySQL or PHP so that in queries, data values are escaped automatically? I’ve read about PDO and that Zend Framework, for example, has some database adapters that do it automatically – but on the server side, isn’t there any configuration that can be done to avoid having to take care of it in the code?
Thanks,
David
Not really, no. This has been tried – the result was a terrible mess that everyone hates now.
There is no “magic function” to make a query safe – every argument you pass to the query needs to be sanitized differently (like strings vs. integers). Some things (like dynamic table and column names) can’t be sanitized at all (not even using the database library’s string escaping method), so you need to compare them against a list of the existing tables and columns.
Using PDO’s prepared statements (or the Zend Framework database functions, which AFAIK wrap PDO among others) is the closest you can get to doing as little as possible.
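The three points made in the answer above (prepared statements with typed bindings, no placeholder for identifiers, an allow-list for anything dynamic) in one runnable script. This is an added example, not code from the thread, PDO, or Zend Framework; it assumes PHP 8 with the pdo_sqlite driver and uses an in-memory SQLite database so it runs offline, with a note on the one MySQL-specific attribute. The `users` table, its columns, and the rows inserted are constructed for the example.

```php
<?php
// Added example (not part of the original thread). Assumes PHP >= 8 with PDO and
// pdo_sqlite; an in-memory SQLite database stands in for MySQL so the file runs
// offline. For MySQL, swap $dsn for "mysql:host=...;dbname=..." plus credentials.
declare(strict_types=1);

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never return false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    if (str_starts_with($dsn, 'mysql:')) {
        // Use real server-side prepared statements instead of client-side
        // interpolation, so bound values never become part of the SQL text.
        $options[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, $user, $pass, $options);
}

// Placeholders cannot carry table or column names, so a dynamic identifier is
// compared against the columns known to exist (constructed list for this example).
const ALLOWED_SORT_COLUMNS = ['id', 'email', 'created_at'];

function findUsers(PDO $db, string $emailPattern, int $minId, string $sortBy): array
{
    if (!in_array($sortBy, ALLOWED_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown sort column: $sortBy");
    }
    // $sortBy is safe to interpolate only because it passed the allow-list check.
    $sql = "SELECT id, email FROM users WHERE email LIKE :pattern AND id >= :min_id ORDER BY $sortBy";
    $stmt = $db->prepare($sql);
    // Typed binding: each argument is sent as the type it really is.
    $stmt->bindValue(':pattern', $emailPattern, PDO::PARAM_STR);
    $stmt->bindValue(':min_id', $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// --- demo with constructed data ---
$db = connect('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, created_at TEXT)');
$insert = $db->prepare('INSERT INTO users (email, created_at) VALUES (:email, :created)');
foreach ([["o'brien@example.com", '2024-01-01'], ['bob@example.com', '2024-02-01']] as [$e, $c]) {
    $insert->execute([':email' => $e, ':created' => $c]);
}

// An apostrophe in the value is plain data: the driver, not your code, handles it.
var_dump(findUsers($db, "o'brien%", 1, 'email'));   // one row: o'brien@example.com

var_dump(findUsers($db, '%@example.com', 2, 'id'));  // one row: bob@example.com

try {
    findUsers($db, '%', 1, 'password_hash');          // not in the allow-list
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The values go through `bindValue`, while the only string that is interpolated into the query text (`$sortBy`) has first been matched against a fixed list, which is the distinction the answer draws between data and identifiers.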