Andromeda has a few simple functions that can eliminate hand-coding of SQL in most situations. However, it is often simpler and easier to just type in a few manual SQL commands, especially when doing SELECTs.
In the modern world we must take precautions against a variety of threats when coding SQL, though most of them come down to preventing SQL Injection.
Andromeda is structurally immune to the most common types of SQL Injection, and it is immune to the worst consequences of SQL Injection, because every command runs under the database privileges of the connected user rather than those of the application. If a public surfer manages to slip a ";delete from customers" snippet past both your application and the framework code, nothing will happen if that user is not allowed to delete from the customers table. And if they are allowed to delete from the customers table (not likely for a public user, but possible for an admin), then they have gone to some work to do by stealth what they are perfectly welcome to do through the admin screens anyway. Note what this does and does not cover: the permission check bounds what an injected statement can change, but an injected predicate inside a SELECT can still read any rows that user is permitted to read, so the escaping described below is still required.
So we say that Andromeda is structurally immune to SQL Injection because:
There is never any reason to be cavalier when programming, especially where security is concerned. Even if the Andromeda authors claim the framework is immune, it pays to be paranoid.
When coding a SQL command from variables that come from the browser, the variables should always be escaped. Andromeda provides three simple functions for this:
<?php
class x6example extends androX6 {
    function x6main() {
        # Never interpolate a gp() value directly: it comes from
        # the browser and is entirely under the user's control.
        #
        # SQLFD() formats a value as a date, suitable
        # for interpolation into a SQL command
        $date = SQLFD(gp('date'));
        # SQLFC() and SQLFN() respectively format values as
        # characters and numbers, all properly escaped and
        # quoted and ready for PHP string interpolation
        $name = SQLFC(gp('name'));
        $age  = SQLFN(gp('age'));
        # With our escaped variables, we are ready to safely
        # make up a SQL string. The escaped fragments supply
        # their own quotes, so the string must not wrap them
        # in another pair.
        $sql = "SELECT *
                  FROM example
                 WHERE name = $name
                   AND date >= $date
                   AND age >= $age";
    }
}
?>
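To see what the escaping actually buys, here is an added example that is not Andromeda code: the demo_sqlfc(), demo_sqlfn() and demo_sqlfd() functions are stand-ins written for this page to do what SQLFC(), SQLFN() and SQLFD() are described as doing (escape, quote, validate), demo_build_select() is a hypothetical helper, and the attacker inputs are constructed. It puts the raw-interpolation string next to the escaped one for the same three browser values.

```php
<?php
// Added example, not Andromeda's own code. The demo_* functions are stand-ins
// that do what the page says SQLFC/SQLFN/SQLFD do, so the effect of escaping
// can be seen without the framework. Their exact behaviour is an assumption.

// Character value: wrap in single quotes and double every embedded quote.
// This is the escaping PostgreSQL expects when standard_conforming_strings
// is on (the default). With it off, backslashes would also need handling,
// so in real code prefer a driver-level escaper such as pg_escape_literal().
function demo_sqlfc(string $raw): string
{
    return "'" . str_replace("'", "''", $raw) . "'";
}

// Numeric value: it is interpolated without quotes, so quoting cannot help.
// Only a plain numeric literal is allowed through; anything else becomes
// SQL NULL, which matches no row and executes nothing.
function demo_sqlfn(string $raw): string
{
    return preg_match('/^-?\d+(\.\d+)?$/', $raw) ? $raw : 'NULL';
}

// Date value: parse strictly as YYYY-MM-DD and re-emit in that form, quoted.
// Trailing data and impossible dates (2024-02-30) both fail the round trip
// and become NULL instead of reaching the query.
function demo_sqlfd(string $raw): string
{
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return 'NULL';
    }
    return "'" . $d->format('Y-m-d') . "'";
}

// Hypothetical helper: builds the page's SELECT from already-escaped fragments.
function demo_build_select(string $name, string $date, string $age): string
{
    return "SELECT * FROM example WHERE name = $name AND date >= $date AND age >= $age";
}

// Constructed attacker inputs, standing in for gp('name'), gp('date'), gp('age').
$inputs = [
    'name' => "' OR '1'='1",
    'date' => "2024-01-01' OR 1=1 --",
    'age'  => "0; DELETE FROM customers",
];

// Raw interpolation: the name predicate becomes always true, the date value's
// comment marker hides the rest of the WHERE clause, and the age value
// splices a second statement onto the query.
$unsafe = "SELECT * FROM example WHERE name = '{$inputs['name']}' "
        . "AND date >= '{$inputs['date']}' AND age >= {$inputs['age']}";

// Escaped interpolation: the quotes stay inside one string literal, the bad
// date and the non-numeric age collapse to NULL, and there is one statement.
$safe = demo_build_select(
    demo_sqlfc($inputs['name']),
    demo_sqlfd($inputs['date']),
    demo_sqlfn($inputs['age'])
);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Run it with the php command-line interpreter and compare the two strings. The escaped name is a single literal whose doubled quotes are part of the value, so it can only match a row whose name really is `' OR '1'='1`. The numeric and date stand-ins show why each type gets its own function: a quoted-string escaper would do nothing for an unquoted number, and a date that is not a date should never be interpolated at all. If the database driver offers parameterised queries (pg_query_params() in PHP's PostgreSQL extension), they remove the interpolation step entirely and are the stronger choice where Andromeda's helpers are not in play.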