I've been reading a lot about how to safely process inputs taken from a form and insert them into a database, but it's not clear to me yet whether I'm doing it correctly. I'm trying to avoid all possible threats, including SQL injection, and I'm uploading a file (an image) directly into the database. I was wondering if anyone could help me out by taking a look at my code. I'm using ADOdb Active Record to connect to my database, and PHP.
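/**
 * Builds a solicitud record from the submitted form plus the uploaded "cedula"
 * image and persists it through the ADOdb Active Record object.
 *
 * Text fields go through revisarInputTexto(), the e-mail through
 * revisarInputEmail() and the phone/year fields through revisarInputInt().
 * Those helpers only normalise input; SQL quoting is done by ADOdb when
 * save() builds the INSERT, so no value is pre-escaped here.
 *
 * @param array $post the raw $_POST array; a missing key is treated as ''
 * @return bool true when the record was saved; false when the upload is
 *              missing, not an image, too large or unreadable, or when an
 *              exception (ErrorException from an error handler, or an ADOdb
 *              exception) is raised during the save
 */
function insertar($post){
    try {
        $solicitud = new solicitud();
        $solicitud->nombre = revisarInputTexto(
            campoFormulario($post, 'nombre') . " "
            . campoFormulario($post, 'apellido1') . " "
            . campoFormulario($post, 'apellido2')
        );
        $solicitud->residencia = revisarInputTexto(campoFormulario($post, 'residencia'));
        $solicitud->correo = revisarInputEmail(campoFormulario($post, 'correo'));
        $solicitud->genero = revisarInputTexto(campoFormulario($post, 'genero'));
        $solicitud->gradoacademicomaximo = revisarInputTexto(campoFormulario($post, 'gradoacademico'));
        $solicitud->experienciaprofesional = revisarInputTexto(campoFormulario($post, 'experienciaprofesional'));
        $solicitud->experienciadocente = revisarInputTexto(campoFormulario($post, 'experienciadocente'));
        $solicitud->unidadacademica = revisarInputTexto(campoFormulario($post, 'unidad'));
        // A checkbox is only present in $_POST when it was ticked.
        $solicitud->laboradoucr = isset($post['labora']);
        $solicitud->telefonos = revisarInputInt(campoFormulario($post, 'telefono1')) . "/"
            . revisarInputInt(campoFormulario($post, 'telefono2')) . "/"
            . revisarInputInt(campoFormulario($post, 'telefono3'));
        $solicitud->nacimiento = revisarInputInt(campoFormulario($post, 'anno'));

        $content = leerImagenSubida('cedula', 2048000);
        if ($content === false) {
            return false;
        }
        // No addslashes() here: ADOdb Active Record quotes every value itself
        // when it generates the INSERT, so pre-escaping the bytes would store a
        // corrupted image and does not add any injection protection.
        // NOTE(review): for some ADOdb drivers a BLOB column must be written with
        // BlobEncode()/UpdateBlob() rather than as a plain quoted string - confirm
        // against the driver in use.
        $solicitud->fotoidentificacion = $content;
        $solicitud->save();
    } catch (Exception $e) {
        // Covers ErrorException (when an error handler converts PHP errors)
        // as well as the exceptions ADOdb throws on a failed query.
        return false;
    }
    return true;
}

/**
 * Returns one form field as a string, or '' when the field was not submitted,
 * so that a missing key never produces an undefined-index notice.
 *
 * @param array  $post
 * @param string $clave
 * @return string
 */
function campoFormulario($post, $clave){
    return isset($post[$clave]) ? (string) $post[$clave] : '';
}

/**
 * Reads the uploaded image in $_FILES[$campo] and returns its raw bytes.
 *
 * The file is accepted only when PHP reports a successful upload, the temp
 * file really belongs to this request (is_uploaded_file), its size is below
 * $maxBytes and getimagesize() parses it as an image. getimagesize() only
 * checks the image header, so the size cap is still the main safeguard
 * against oversized payloads.
 *
 * @param string $campo    name of the file input
 * @param int    $maxBytes upper size bound, exclusive
 * @return string|false raw file contents, or false when the upload is
 *                      rejected or cannot be read
 */
function leerImagenSubida($campo, $maxBytes){
    if (!isset($_FILES[$campo]['tmp_name'], $_FILES[$campo]['error'], $_FILES[$campo]['size'])) {
        return false;
    }
    if ($_FILES[$campo]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmpName = $_FILES[$campo]['tmp_name'];
    $size = (int) $_FILES[$campo]['size'];
    // is_uploaded_file() rejects a tmp_name that does not point at a file PHP
    // created for this request.
    if (!is_uploaded_file($tmpName) || $size <= 0 || $size >= $maxBytes) {
        return false;
    }
    if (getimagesize($tmpName) === false) {
        return false;
    }
    // file_get_contents() replaces the fopen/fread/fclose triple and cannot
    // leak a handle on an early failure.
    return file_get_contents($tmpName);
}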
/**
 * Loads every unidadacademica row; the "1=1" filter matches all records.
 *
 * @return mixed the result of ADOdb Active Record Find() - presumably an array
 *               of unidadacademica objects, or false on failure; verify against
 *               the ADOdb version in use
 */
function obtenerUnidades(){
    $modelo = new unidadacademica();
    return $modelo->Find("1=1");
}
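/**
 * Normalises a free-text form field: trims whitespace, strips tags and
 * HTML-encodes single and double quotes (FILTER_SANITIZE_STRING).
 *
 * The value is cast to string first so that a missing field (null) yields ''
 * instead of triggering the trim(null) deprecation on PHP 8.1+.
 * This is input normalisation only, not SQL escaping - ADOdb quotes the
 * value when the record is saved. FILTER_SANITIZE_STRING itself is
 * deprecated as of PHP 8.1; keep that in mind when upgrading.
 *
 * @param mixed $datos raw form value
 * @return string sanitised text ('' for null/empty input)
 */
function revisarInputTexto($datos){
    $texto = trim((string) $datos);
    return filter_var($texto, FILTER_SANITIZE_STRING);
}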
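/**
 * Normalises an e-mail form field: trims whitespace and removes every
 * character that cannot appear in an e-mail address (FILTER_SANITIZE_EMAIL).
 *
 * The value is cast to string first so a missing field (null) yields ''
 * rather than hitting the trim(null) deprecation on PHP 8.1+.
 * Note that sanitising does not validate: the result may still not be a
 * well-formed address (FILTER_VALIDATE_EMAIL would be the check for that).
 *
 * @param mixed $datos raw form value
 * @return string sanitised address ('' for null/empty input)
 */
function revisarInputEmail($datos){
    $correo = trim((string) $datos);
    return filter_var($correo, FILTER_SANITIZE_EMAIL);
}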
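/**
 * Normalises a numeric form field: trims whitespace and keeps only digits,
 * '+' and '-' (FILTER_SANITIZE_NUMBER_INT).
 *
 * The value is cast to string first so a missing field (null) yields ''
 * rather than hitting the trim(null) deprecation on PHP 8.1+.
 * The return value is a string, not an int, which is what the caller relies
 * on when it joins the three phone numbers with "/". Stray '+'/'-' signs are
 * kept by this filter, so it does not guarantee a parseable integer.
 *
 * @param mixed $datos raw form value
 * @return string digits and sign characters only ('' for null/empty input)
 */
function revisarInputInt($datos){
    $numero = trim((string) $datos);
    return filter_var($numero, FILTER_SANITIZE_NUMBER_INT);
}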
// Controlador
// A POST carrying the 'accion' field is a form submission: run the insert and
// show the success or failure template. Any other request renders the empty
// form together with the list of academic units.
$esEnvio = $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['accion']);
if ($esEnvio) {
    $plantilla = insertar($_POST) ? 'visitas-exito.tpl' : 'visitas-fallo.tpl';
    $smarty->display($plantilla);
} else {
    $unidades = obtenerUnidades();
    $smarty->assign('unidades', $unidades);
    $smarty->display('visitas-formulario.tpl');
}
The Form I'm using is pretty standard, I established the fields I wanted as required and that's pretty much it.
The "controller" does some checking and then calls the method "insertar", where I create the active record object to insert in the database after processing the post inputs.