in reply to Securing DB transactions with user form input

Do placeholders make the use of a regular expression for validating that the data being used in the SQL statement is correctly formed unnecessary? i.e. to make sure that the parameter passed in is of the correct format, like a 2-digit integer value?

Re^2: Securing DB transactions with user form input
by kyle (Abbot) on Feb 04, 2008 at 17:25 UTC

    That depends on what you're trying to protect against.

    If you're worried about security problems, then using placeholders will be enough.

    If you're worried about data constraints, then you still need to check your parameters. If the database allows a value that you don't want in it, you'll have to validate the user input to ensure that. If the user tries to pass in a value that the database does not allow (a string rather than a number, for example), then the database will throw out an error when you try to put that in. Either way, some kind of validation before the data reaches the database could save you one headache or another.
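The two points in the reply above, shown side by side in an added example (this is not code from the thread or from either poster). It assumes DBI with DBD::SQLite installed and uses a constructed in-memory table; the table, rows and the simulated form field are made up for the demonstration. It also shows the interpolated query that the placeholder prevents, which the reply only alludes to.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample database for this example: an in-memory SQLite
# database through DBD::SQLite (assumed installed). Schema and rows
# are made up.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER)');
my $ins = $dbh->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
$ins->execute(@$_) for (['alice', 34], ['bob', 27], ['carol', 19]);

# Simulated form field as an attacker would fill it in.
my $age_in = '0 OR 1=1';

# 1. Interpolating the field into the SQL: the WHERE clause becomes
#    "age = 0 OR 1=1" and every row comes back. This is the injection.
my $rows = $dbh->selectall_arrayref("SELECT name FROM users WHERE age = $age_in");
printf "interpolated:  %d rows\n", scalar @$rows;

# 2. The same field bound through a placeholder: DBI sends it as a value,
#    never as SQL text, so it is compared against age as the literal
#    string '0 OR 1=1' and matches nothing. No regex was needed for this.
$rows = $dbh->selectall_arrayref('SELECT name FROM users WHERE age = ?', undef, $age_in);
printf "placeholder:   %d rows\n", scalar @$rows;

# 3. What a placeholder does NOT do: enforce your idea of a valid value.
#    SQLite's INTEGER affinity quietly stores a non-numeric string as
#    TEXT, so this insert succeeds and the table now holds junk.
$ins->execute('mallory', $age_in);
my ($stored) = $dbh->selectrow_array('SELECT age FROM users WHERE name = ?', undef, 'mallory');
print "stored age for mallory: '$stored'\n";

# 4. When the database does refuse a value, you get an exception from
#    RaiseError rather than a friendly validation message (NOT NULL on name).
eval { $ins->execute(undef, 25) };
print "db rejected the row: $@" if $@;

# The fix for 3 and 4 is the validation the question asks about, done
# before the data reaches DBI: anchored regex over the whole string,
# exactly two digits.
sub valid_age {
    my ($v) = @_;
    return defined $v && $v =~ /\A\d{2}\z/;
}

for my $candidate ($age_in, '7', '42', '123', undef) {
    my $label = defined $candidate ? "'$candidate'" : 'undef';
    printf "%-12s %s\n", $label, valid_age($candidate) ? 'ok' : 'rejected';
}
```

Run it and compare the row counts from steps 1 and 2: the placeholder alone stops the injection. Steps 3 and 4 are the data-constraint side of the reply, where only `valid_age` (or a CHECK constraint plus error handling) gives you control over what ends up in the column.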