Matthew Weier O'Phinney has posted one of his own security tips to the Zend Developer Zone today, on using a database abstraction layer to help prevent SQL injection in your application.
SQL injections are a common vulnerability in web-based applications that use databases. [...] There are several methods to prevent this type of attack.
He gives three helpful hints for SQL injection prevention:
- Use your database extension's quoting mechanism to quote values prior to executing a query
- Use PDO's prepared statements support
- Use a database abstraction layer (DAL), such as AdoDB, PEAR::MDB2, or Zend_Db.
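To make the three hints concrete, here is an added example (not code from the Zend Developer Zone post) that puts a string-spliced query next to its quoted and prepared-statement forms. It assumes PHP with the `pdo_sqlite` extension so it runs offline against an in-memory database; the `users` table, its rows and the two input strings are constructed for the illustration.

```php
<?php
// Added example: the same lookup written three ways. Table, rows and
// inputs are constructed; an in-memory SQLite database keeps it self-contained.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.com'),
    ('bob',   'bob@example.com')");

// Vulnerable: the user-supplied value is spliced into the SQL text, so any
// quote character in it changes the shape of the statement the database parses.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hint 1: quote the value with the driver's own quoting mechanism before it
// goes into the query string (PDO::quote here; ext/mysqli and ext/pgsql have
// their own real_escape functions). Safe only if every interpolated value is
// quoted, which is the easy thing to forget in a large code base.
function findUserQuoted(PDO $pdo, string $username): array
{
    $sql = 'SELECT id, username FROM users WHERE username = '
         . $pdo->quote($username);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hint 2: a prepared statement sends the SQL and the bound value separately.
// The value is never parsed as SQL, so no quoting is needed and none can be
// forgotten. A DAL such as Zend_Db (hint 3) wraps exactly this behind its
// adapter API, so application code never builds query strings by hand.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one ordinary value, one that contains a quote character.
$benign  = 'alice';
$hostile = "x' OR 'a'='a";

printf("vulnerable, benign input:  %d row(s)\n", count(findUserVulnerable($pdo, $benign)));
printf("vulnerable, quoted input:  %d row(s)\n", count(findUserVulnerable($pdo, $hostile)));
printf("quoted,     quoted input:  %d row(s)\n", count(findUserQuoted($pdo, $hostile)));
printf("prepared,   quoted input:  %d row(s)\n", count(findUserPrepared($pdo, $hostile)));
```

Run with `php example.php`. The spliced version returns both rows for the second input because the quote in the value rewrites the `WHERE` clause, while the quoted and prepared versions return none: both treat the whole string as a literal username that matches nothing. Of the two safe forms, prepared statements are the easier to audit, since correctness does not depend on remembering to call the quoting function at every interpolation site.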