I normally use a function of my own to clean input before adding the values inside a query to prevent SQL injections. I also use PEAR DB_DataObject.

I read somewhere that DB_DataObject cleans the input itself. Is this true? Can I assign uncleaned input to a DB_DataObject object? (What about mysql_real_escape_string? I get an error using it in combination with DB_DataObject because no connection with the DB is established yet.)

Also I'm curious how other people clean their input. Is there a best practice?

A: 

DB_DataObject sanitizes inputs passed on the "->set*" methods, e.g.

Assuming User to be a DB_DataObject, the following would all be safe:

// User is assumed to be a generated DB_DataObject subclass (see above).
$user = new User;
$user->firstName = $_REQUEST['first'];    // property assignment: quoted by DB_DataObject
$user->setFirstName($_REQUEST['first']);  // set* methods: quoted by DB_DataObject
$user->setFrom($_REQUEST);                // bulk assignment from an array, also quoted

Any method that you actually pass fragments of SQL into is not safe, things like:

// Both calls hand raw request values to DB_DataObject as SQL text; nothing escapes them.
$user->selectAs($_REQUEST['col'] . ', first as name');
$user->whereAdd("first=" . $_REQUEST['first']);

Hope that clarifies things a bit...

mmattax
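As an added illustration (not part of the answer above), the unsafe `whereAdd()` pattern from the answer next to two ways of filtering on a request value that do not splice raw text into SQL. It assumes PEAR DB_DataObject is installed and configured, that a generated `User` DataObject with a `first` column exists as in the answer, and that your DB_DataObject version provides the `escape()` helper.

```php
<?php
// Added example, not from the original post. Assumes a configured
// DB_DataObject setup and a generated "User" class with a "first" column.
require_once 'DB/DataObject.php';

// Constructed hostile input: a value containing a single quote.
$input = "Alice' OR '1'='1";

// UNSAFE: the value is spliced straight into a SQL fragment, so the quote in
// $input changes the meaning of the WHERE clause (this is the answer's bad case).
function findByFirstUnsafe($input)
{
    $user = DB_DataObject::factory('User');
    $user->whereAdd("first='$input'");
    // Resulting condition: first='Alice' OR '1'='1'  -> matches every row
    return $user;
}

// SAFE (1): assign to the column property and let DB_DataObject build and quote
// the WHERE clause itself, the same path the answer calls safe for ->set*().
function findByFirstSafe($input)
{
    $user = DB_DataObject::factory('User');
    $user->first = $input;      // quoted by DB_DataObject when find() runs
    return $user;
}

// SAFE (2): when a hand-written condition is unavoidable, escape the value with
// the DataObject's escape(), which uses the live DB connection. That connection
// is also why mysql_real_escape_string() fails before DB_DataObject connects.
function findByFirstEscaped($input)
{
    $user = DB_DataObject::factory('User');
    $user->whereAdd("first='" . $user->escape($input) . "'");
    // Resulting condition: first='Alice\' OR \'1\'=\'1'  -> literal match only
    return $user;
}

// Run the two safe variants; both return only rows whose first column equals $input.
foreach (array(findByFirstSafe($input), findByFirstEscaped($input)) as $user) {
    $n = $user->find();
    echo "matched $n row(s)\n";
}
```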