views:

79

answers:

1

Do you know of any open source library or framework that can perform some basic validation and escaping functionality for a MySQL Db.

i envisage something along the lines of:

//give it something to perform the quote() quoteInto() methods
$lib->setSanitizor($MyZend_DBAdaptor); 

//tell it structure of the table - colnames/coltypes/ etc
$lib->setTableDescription($tableDescArray); 

//use it to validate and escape according to coltype 
foreach ($prospectiveData as $colName => $rawValue)
if ( $lib->isValid($colName, $rawValue))
 {
 //add it to the set clause
 $setValuesArray[$lib->escapeIdentifier($colName)] = $lib->getEscapedValue($colName,$rawValue);
 }
else {
 throw new Exception($lib->getErrorMessage());
 }

etc...

I have looked into - Zend_Db_Table (which knows about a table's description), and - Zend_Db_Adaptor (which knows how to escape/sanitize values depending on TYPE)

but although they can sanitize, they do not automatically do any clever validation stuff before updates/inserts

Anyone know of a good PHP library to preform this kind of validation that I could use rather than writing my own?

i envisage alot of this kind of stuff:

   ...  
   elseif (eregi('^INT|^INTEGER',$dataset_element_arr[col_type]))
    {
    $datatype='int';

    if (eregi('unsigned',$dataset_element_arr[col_type]))
        {
        $int_max_val=4294967296;
        $int_min_val=0;
        }
    else    {
        $int_max_val=2147483647;
        $int_min_val=-2147483648;
        }
    }

(p.s I know eregi is deprecated - its just an example of laborious code)

+1  A: 

I wrote a lot of the code in Zend_Db.

The code doesn't do a lot of sanitizing or escaping in update/insert because it uses query parameters. You don't need to worry about SQL injection if you pass dynamic values to the query using parameters.

See my answer to avoiding MySQL injections with the Zend_Db class for more details.

MySQL also supports some datatypes like BIGINT that are larger than PHP integers, so you have to represent them in PHP strings instead. Then there are MySQL DATE values and so on. It's better to just validate the values by inserting them into the database and coping with any exceptions.

Bill Karwin
Thanks Bill. I'm just skimming thru that link that you refer to. Its a really nice snippet. Handy to see all the rules in one place - worth turning into a blog article I think.With regards to my question - the santization aspect is covered well. I'm mainly looking for some kind of 'validation' methods to go with it. As for all contributors, thanks for all your efforts on ZF.
JW
I've just read the second part of your answer. Yes, I will look into the idea of 'suck-it-and-see approach' /'trying and catching Exceptions'
JW
While I have got your attention, Bill - Just looking at the quote types for class Zend_Db and noticed the const INT_TYPE is assigned the value '0'it almost caught me out when trying to write a mapper that says "if ($colDesc->getQuoteType()) ..." anyway, without wishing to launch too much of a discussion off ZF site... just wondering if there is any reason why Zend_Db::INT_TYPE should have a boolean false value?
JW
No reason except that ordinals traditionally begin with 0, and I never thought anyone would use it like you're using it.
Bill Karwin