Chapter 9: Security and Performance
    'name'   => db_clean($_POST['name'], 32),
    'status' => db_clean($_POST['status'], 8)
  );
  $this->db->insert('sizes', $data);
}

function updateSize(){
  $data = array(
    'name'   => db_clean($_POST['name'], 32),
    'status' => db_clean($_POST['status'], 8)
  );
  $this->db->where('id', id_clean($_POST['id']));
  $this->db->update('sizes', $data);
}

function deleteSize($id){
  $data = array('status' => 'inactive');
  $this->db->where('id', id_clean($id));
  $this->db->update('sizes', $data);
}

Securing the MSubscribers Model
The MSubscribers model is just as simple as MColors or MSizes. Here's how you would secure the updateSubscriber() function:

function updateSubscriber(){
  $data = array(
    'name'  => db_clean($_POST['name']),
    'email' => db_clean($_POST['email'])
  );
  $this->db->where('id', id_clean($_POST['id']));
  $this->db->update('subscribers', $data);
}

The complete list of functions that need securing includes:

getSubscriber()
updateSubscriber()
removeSubscriber()

Securing the CSV Import Functions
At the moment, the CSV import functions in the MProducts model aren't very secure: they accept any header provided in the spreadsheet as a valid column name, and no escaping is performed on the data fields themselves. These are two separate problems. A column name cannot be escaped or bound the way a value can, so the only safe treatment of the header row is to check each entry against a fixed list of columns the import is allowed to write. The values, once the columns are known, can be escaped or bound as usual.
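As an added example (not the book's code, and not taken from the CodeIgniter project), the following standalone PHP script shows the two fixes the paragraph calls for: the CSV header is validated against a whitelist of importable columns, each with a maximum length in the spirit of db_clean($value, $length), and the values are bound through placeholders rather than interpolated into SQL. The column names and lengths, the products table layout, the PDO/SQLite target and the sample CSV are all assumptions constructed for the demo.

```php
<?php
// Added example, not code from the book or from CodeIgniter: a hardened CSV
// import. Column whitelist, lengths, table layout and the sample CSV below
// are assumptions constructed for the demo.
declare(strict_types=1);

// Importable columns and the maximum length accepted for each value.
// A header that is not a key here is rejected: a column name cannot be
// escaped or bound like a value, it can only be checked against a known list.
const PRODUCT_COLUMNS = [
    'name'      => 128,
    'shortdesc' => 255,
    'price'     => 16,
    'status'    => 8,
];

// Returns the normalised column list, or throws if any header is unknown
// or repeated.
function validateHeader(array $header, array $allowed): array
{
    $columns = [];
    foreach ($header as $i => $raw) {
        $col = strtolower(trim((string) $raw));
        if (!array_key_exists($col, $allowed)) {
            throw new InvalidArgumentException("Unknown column '$col' at position $i");
        }
        if (in_array($col, $columns, true)) {
            throw new InvalidArgumentException("Duplicate column '$col'");
        }
        $columns[] = $col;
    }
    if ($columns === []) {
        throw new InvalidArgumentException('CSV has no header row');
    }
    return $columns;
}

// Parses CSV text into rows keyed by validated column name. Values are
// trimmed and truncated to the column's length, as db_clean($x, $len) does;
// escaping is deliberately left to the database layer (placeholders below).
function parseProductCsv(string $csv, array $allowed = PRODUCT_COLUMNS): array
{
    $lines   = preg_split('/\r\n|\r|\n/', trim($csv));
    $columns = validateHeader(str_getcsv(array_shift($lines), ',', '"', '\\'), $allowed);
    $rows    = [];
    foreach ($lines as $n => $line) {
        if (trim($line) === '') {
            continue;
        }
        $fields = str_getcsv($line, ',', '"', '\\');
        if (count($fields) !== count($columns)) {
            throw new InvalidArgumentException(sprintf(
                'Row %d has %d fields, expected %d', $n + 2, count($fields), count($columns)));
        }
        $row = [];
        foreach ($columns as $i => $col) {
            $value     = trim((string) $fields[$i]);
            $row[$col] = function_exists('mb_substr')
                ? mb_substr($value, 0, $allowed[$col])
                : substr($value, 0, $allowed[$col]);
        }
        $rows[] = $row;
    }
    return $rows;
}

// Builds a parameterised INSERT. Only whitelisted names reach the SQL text;
// every value travels as a bound parameter.
function buildInsert(string $table, array $row): array
{
    $cols = array_keys($row);
    $sql  = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', array_fill(0, count($cols), '?'))
    );
    return [$sql, array_values($row)];
}

// Constructed sample: one value carries a quote that would break naive
// string interpolation.
$csv  = "name,price,status\nRed shirt,19.99,active\n\"O'Reilly tee\",24.50,active\n";
$rows = parseProductCsv($csv);

if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, shortdesc TEXT, price TEXT, status TEXT)');
    foreach ($rows as $row) {
        [$sql, $params] = buildInsert('products', $row);
        $pdo->prepare($sql)->execute($params);
    }
    echo $pdo->query('SELECT COUNT(*) FROM products')->fetchColumn(), " rows imported\n";
}

// A hostile header is rejected before any SQL is built.
try {
    parseProductCsv("name,status); DROP TABLE products; --\nx,active\n");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Inside a CodeIgniter model the same split applies: validate the header against the whitelist first, then hand the resulting row arrays to $this->db->insert(), which escapes the values for you. The whitelist is the part that is missing from the MProducts import, because nothing in the database layer can protect a column name that came straight from the uploaded file.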