Sanitize Your Inputs!

We have all heard the term "SQL Injection" before. It is loosely defined as a code injection technique that exploits a security vulnerability in the way an application passes untrusted data into its database queries. So how do we protect against these types of attacks? Sanitize all incoming data that is going to be used in a database. There are a lot of good articles explaining why this is important (actually critical) to software development, so rather than diving into all of that I am going to cut to the chase and share a function that I wrote a while back that I use with every data insertion routine.

The $_POST[] array is passed to the function, each and every value is sanitized, and a new array is returned to the caller. All references to data elements going into the database should point to the array returned by this function, never to the original $_POST[] array. At my day job we see upwards of 10,000 - 12,000 hack attempts a month, many of which are SQL injections, so if you think you can get lazy about sanitization, think again.
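Here is an added example of such a routine, written for this post and not the original function: it walks a $_POST-style array, returns a cleaned copy, and then hands the cleaned values to the database as bound parameters rather than splicing them into the SQL string, so the query structure can never be altered by the data. It assumes PHP 8 with the pdo_sqlite and mbstring extensions; the table, column names and request values are constructed for the demo.

```php
<?php
// Added example, not the author's function. Assumes PHP 8 with pdo_sqlite and mbstring.

/**
 * Return a cleaned copy of $input: keys must be simple identifiers, every leaf
 * becomes a trimmed string with control characters (incl. NUL) removed and a
 * length cap applied, nested arrays are walked recursively, anything else is dropped.
 */
function sanitize_input(array $input, int $maxLen = 255): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        // Keys come from the client too; only allow a plain identifier (policy chosen here).
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $key)) {
            continue;
        }
        if (is_array($value)) {
            $clean[$key] = sanitize_input($value, $maxLen);
        } elseif (is_scalar($value)) {
            $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', (string) $value);
            $clean[$key] = mb_substr(trim($s), 0, $maxLen);
        }
        // Objects, resources, etc. are silently dropped.
    }
    return $clean;
}

// Constructed request standing in for $_POST, including the classic probe string.
$post = [
    'username'  => "admin' OR '1'='1",
    'email'     => "  alice@example.com\0  ",
    'tags'      => ['a', "b\x01"],
    'bad key;'  => 'ignored',
];
$data = sanitize_input($post);

// Cleaned values are still only data: bind them, never interpolate them into the SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
$stmt->execute([':u' => $data['username'], ':e' => $data['email']]);

// The probe string is stored literally as a username; it never became part of a query.
$row = $db->query('SELECT username, email FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === "admin' OR '1'='1");   // bool(true)
var_dump($row['email'] === 'alice@example.com');     // bool(true)
var_dump(isset($data['bad key;']), $data['tags']);   // bool(false), ['a', 'b']
```

The sanitizer strips what should never reach storage (NUL bytes, stray control characters, oversized values) while the prepared statement is what actually prevents the injection; use both, and point every insert at the returned array.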

In closing, one of my favorite web comics, XKCD, really does a great job of highlighting the risks of not sanitizing your inputs.