
Secure Form insert in database php

I've been reading a lot about how to safely process inputs taken from a form and insert them in a database, but it's not clear to me if I'm doing it correctly yet. I'm trying to avoid all possible threats, including SQL injection, and I'm uploading a file (image) directly into the database. I was wondering if anyone could help me out by taking a look at my code. I'm using ADOdb active record to connect with my database, and PHP.

    function insertar($post){
        try {
            $solicitud = new solicitud();
            $solicitud->nombre = revisarInputTexto($post['nombre']." ".$post['apellido1']." ".$post['apellido2']);
            $solicitud->residencia = revisarInputTexto($post['residencia']);
            $solicitud->correo = revisarInputEmail($post['correo']);
            $solicitud->genero = revisarInputTexto($post['genero']);
            $solicitud->gradoacademicomaximo = revisarInputTexto($post['gradoacademico']);
            $solicitud->experienciaprofesional = revisarInputTexto($post['experienciaprofesional']);
            $solicitud->experienciadocente = revisarInputTexto($post['experienciadocente']);
            $solicitud->unidadacademica = revisarInputTexto($post['unidad']);

            // The if/else around this flag did not survive; the form field name is assumed here
            if (!empty($post['laboradoucr'])) {
                $solicitud->laboradoucr = true;
            } else {
                $solicitud->laboradoucr = false;
            }

            $solicitud->telefonos = revisarInputInt($post['telefono1'])."/".revisarInputInt($post['telefono2'])."/".revisarInputInt($post['telefono3']);
            $solicitud->nacimiento = revisarInputInt($post['anno']);

            $tmpName  = $_FILES['cedula']['tmp_name'];
            $size = $_FILES['cedula']['size'];

            // Only accept files that decode as an image and are under ~2 MB
            if(getimagesize($tmpName) && $size < 2048000){
                $fp      = fopen($tmpName, 'r');
                $content = fread($fp, filesize($tmpName));
                fclose($fp);
                $content = addslashes($content);
                $solicitud->fotoidentificacion = $content;
            } else {
                return false;
            }

            // ADOdb active record insert; the call is not visible on the page and is assumed
            $solicitud->Save();
        } catch (ErrorException $e) {
            return false;
        }
        return true;
    }

    function obtenerUnidades(){
        $unidades = new unidadacademica();
        $arreglo = $unidades->Find("1=1");
        return $arreglo;
    }

    function revisarInputTexto($datos){
        $datos = trim($datos);
        $datos = filter_var($datos, FILTER_SANITIZE_STRING);
        return $datos;
    }

    function revisarInputEmail($datos){
        $datos = trim($datos);
        $datos = filter_var($datos, FILTER_SANITIZE_EMAIL);
        return $datos;
    }

    function revisarInputInt($datos){
        $datos = trim($datos);
        $datos = filter_var($datos, FILTER_SANITIZE_NUMBER_INT);
        return $datos;
    }

    // Controlador
    if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['accion'])){
        if (insertar($_POST)){
            // success handling: not shown on the page
        }
    }
    $unidades = obtenerUnidades();
    $smarty->assign('unidades', $unidades);

The form I'm using is pretty standard; I set the fields I wanted as required and that's pretty much it.

The "controller" does some checking and then calls the method "insertar", where I create the active record object to insert in the database after processing the post inputs.


  • If the method you're using to perform the actual database queries prevents SQL injection, then you don't need to sanitize the input. There's no harm in it, but it's redundant.
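The point the answer makes, shown as an added example that is neither the asker's nor the answerer's code: the same insert done with PDO prepared statements, so form values never become part of the SQL text and no `addslashes()` is needed, plus the image upload checks the question already applies. It assumes a `solicitud` table with the columns used in the question, a PDO connection in `$pdo`, and the upload in `$_FILES['cedula']`.

```php
<?php
// Added example: parameterized insert with PDO instead of escaping input.
// Assumptions: table `solicitud` with the question's columns, $pdo connection,
// uploaded file in $_FILES['cedula']. Escape for HTML at output time, not here.
declare(strict_types=1);

const MAX_IMAGE_BYTES = 2048000;   // same limit the question uses

// Validate the upload: arrived through PHP's upload mechanism, within the size
// limit, and actually decodes as an image (the getimagesize() check from the question).
function leerImagenSubida(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] >= MAX_IMAGE_BYTES) return null;
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info['mime'], ['image/jpeg', 'image/png'], true)) return null;
    $datos = file_get_contents($file['tmp_name']);
    return $datos === false ? null : $datos;
}

function insertarSolicitud(PDO $pdo, array $post, array $file): bool {
    $imagen = leerImagenSubida($file);
    if ($imagen === null) return false;

    // Validate (reject) rather than sanitize (silently rewrite) the typed fields
    $correo = filter_var(trim($post['correo'] ?? ''), FILTER_VALIDATE_EMAIL);
    $anno   = filter_var($post['anno'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1900, 'max_range' => (int) date('Y')]]);
    if ($correo === false || $anno === false) return false;
    $nombre = trim(($post['nombre'] ?? '') . ' ' . ($post['apellido1'] ?? '') . ' ' . ($post['apellido2'] ?? ''));

    // Placeholders instead of string concatenation: the values are sent separately
    // from the statement, so their content cannot change the query.
    $sql = 'INSERT INTO solicitud (nombre, correo, nacimiento, fotoidentificacion)
            VALUES (:nombre, :correo, :nacimiento, :foto)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':nombre', $nombre, PDO::PARAM_STR);
    $stmt->bindValue(':correo', $correo, PDO::PARAM_STR);
    $stmt->bindValue(':nacimiento', $anno, PDO::PARAM_INT);
    $stmt->bindValue(':foto', $imagen, PDO::PARAM_LOB);   // raw bytes bound as a LOB, no escaping
    return $stmt->execute();
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'USER', 'PASS',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['accion'])) {
//     $ok = insertarSolicitud($pdo, $_POST, $_FILES['cedula'] ?? []);
// }
```

With `ATTR_EMULATE_PREPARES` off, MySQL receives the statement and the bound values as separate protocol messages, which is what makes the sanitizing step redundant for injection purposes.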