First, thanks guys for such a fast response :)

Matthew Weier O'Phinney wrote:

While the above would prevent most SQL injections, it could still wreak
havoc with your database.  For instance, what if your 'phone' or 'zip'
fields in your database are integer fields, and text gets passed from
the form? (answer: a failed DB call) Or you get a string of random
characters for the email? Do you really want that in your DB?
I didn't mention anything about validating email addresses, zip codes and such things, because it is not the issue. But you are definitely right about how important those are.

Regarding your original question, the reason Chris S. keeps things in an
array is so that all CLEAN (i.e. valid and/or secure) data is marked as
such in a single place. Additionally, it allows you to do things like
validating your $_POST array by looping over it:

$clean = array();
foreach ($_POST as $key => $val) {
   $ok = false;
   // whitelist by field name: only keys with a case below can ever be "clean"
   switch ($key) {
       case 'name':
           if (ctype_alnum($val)) {
               $ok = true;
           }
           break;
       case 'address':
           if (preg_match('/^[ a-z0-9.\'\"#-]+$/', $val)) {
               $ok = true;
           }
           break;
       // etc.
   }
   if ($ok) {
       $clean[$key] = $val;   // unknown or invalid fields never reach $clean
   }
}
I agree with this one. It's definitely a more "clean" solution. :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
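An added example, not code from the thread, that carries the $clean-array idea above one step further: each whitelisted field gets its own validator, and fields the quoted message assumes are integer columns ('zip', 'phone') are cast to int only after a digits-only check, so text can no longer reach an integer column. Field names, rules and the sample input are assumed for illustration; arrow functions need PHP 7.4 or later.

```php
<?php
// Added example (not from the original thread). Assumes 'zip' and 'phone'
// are integer columns, as in the quoted message; adjust rules to your schema.

/**
 * Return only the whitelisted, validated fields from $input.
 * Unknown keys and values that fail their check are dropped.
 */
function filter_form(array $input): array
{
    $rules = [
        'name'    => fn($v) => ctype_alnum($v) ? $v : null,
        'address' => fn($v) => preg_match('/^[ a-z0-9.\'"#-]+$/i', $v) ? $v : null,
        // filter_var() returns false on failure; ?: turns that into null
        'email'   => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) ?: null,
        // integer columns: accept digits only, then cast so the DB gets an int
        // (note: casting drops leading zeros; keep a string column if those matter)
        'zip'     => fn($v) => preg_match('/^\d{5}$/', $v) ? (int) $v : null,
        'phone'   => fn($v) => preg_match('/^\d{10}$/', $v) ? (int) $v : null,
    ];

    $clean = [];
    foreach ($rules as $key => $check) {
        // missing field, or an array smuggled in via name[]=..., is never clean
        if (!isset($input[$key]) || !is_string($input[$key])) {
            continue;
        }
        $value = $check($input[$key]);
        if ($value !== null) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample input standing in for $_POST
$post = [
    'name'    => 'alice',
    'address' => '12 Main St. #4',
    'email'   => 'not-an-address',   // fails FILTER_VALIDATE_EMAIL: dropped
    'zip'     => '12abc',            // not all digits: dropped, never hits the int column
    'phone'   => '5551234567',       // accepted and stored as int
    'admin'   => '1',                // not whitelisted: silently dropped
];
var_dump(filter_form($post));
```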