Preventing SQL Injections
Tutorials
Written by Anthony Ferrara
Recently, I've been noticing a lot of misconceptions about how to protect code in third-party extensions from SQL injection. To be honest, using JRequest alone is not nearly enough! I hope to cover some methods here for preventing SQL injection attacks. It's not that difficult; there are a few simple things you can do to prevent injection attacks. I'll go through them one by one and show some examples of each.

Force the type you want

Basically, if you are expecting an integer, force it to be an integer (or a float). So, if you have a variable that you are expecting to be an integer, cast it to an integer. For example:
$sql = 'UPDATE #__mytable SET `id` = ' . (int) $int;
If you want to insert a date, then use JDate, and it'll give you back a valid MySQL date each time:
$date =& JFactory::getDate($mydate);
$sql = 'UPDATE #__mytable SET `date` = ' . $db->quote( $date->toMySQL(), false);
ALWAYS escape your strings

Well, any time you take a string from user input (I always escape everything that comes from a variable; it's extra insurance), you should escape it using:
$sql = 'UPDATE #__mytable SET `string` = ' . $db->quote( $db->getEscaped( $string ), false );
Notice that we're using two functions there. One escapes the string, and the other wraps it in quotes. You may have noticed that the second parameter to $db->quote() is false. If you leave it out, or set it to true, then quote() will escape the string for you. So the line above becomes:
$sql = 'UPDATE #__mytable SET `string` = ' . $db->quote( $string );
Prevent DoS attacks

In a WHERE clause, if you use a LIKE comparison, you can create a DoS vulnerability by not escaping the special wildcard characters % and _. Joomla has a facility to do this for you: $db->getEscaped() can take a second parameter which escapes those characters as well. NOTE: you should only escape these for strings used in a LIKE comparison. So:
$sql = 'UPDATE #__mytable SET .... WHERE `string` LIKE '.
$db->quote( $db->getEscaped( $string, true ), false );
Preventing XSS Attacks

Most people just get data using JRequest::getVar(). But there are a whole bunch of other methods that force the type much better. Here are some of those methods:

For integers:
$int = JRequest::getInt( $name, $default );
For Floats (decimals):
$float = JRequest::getFloat( $name, $default );
For boolean values (true/false):
$bool = JRequest::getBool( $name, $default );
For "words" (only alpha characters and the _ character are allowed):
$word = JRequest::getWord( $name, $default );
For "commands" (alpha characters, numeric characters, and . - _ are allowed):
$cmd = JRequest::getCMD( $name, $default );
For non-HTML text (all HTML will be stripped):
$string = JRequest::getString( $name, $default );
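Putting the pieces together: an added example (not from the original post) of a Joomla 1.5 search function that uses the typed JRequest getters together with $db->quote() / $db->getEscaped() as described above. The table #__mytable and the columns `id`, `string` and `date` are those used in this tutorial; the request parameter names ('search', 'published', 'limit'), the `published` column and the function name are assumptions.

```php
<?php
// Added example (not from the original post): a Joomla 1.5 search helper
// that applies the rules in this tutorial. The request parameter names,
// the `published` column and the function name are assumptions.
defined('_JEXEC') or die('Restricted access');

function mytable_search()
{
    $db =& JFactory::getDBO();

    // Typed getters: the type is forced before the value is ever used.
    $search    = JRequest::getString('search', '');   // HTML stripped
    $published = JRequest::getInt('published', 1);    // integer or default
    $limit     = JRequest::getInt('limit', 20);

    // Integers: cast again at the point of use, so the SQL can only ever
    // receive digits, whatever happened to the variable in between.
    $published = (int) $published;
    $limit     = (int) $limit;

    $where = array('`published` = ' . $published);

    if ($search !== '') {
        // LIKE comparison: getEscaped($string, true) escapes quotes AND the
        // % and _ wildcards, so user input cannot turn the pattern into a
        // full-table wildcard scan. The surrounding % are our own wildcards
        // and are added after escaping; quote(..., false) only adds quotes.
        $pattern = '%' . $db->getEscaped($search, true) . '%';
        $where[] = '`string` LIKE ' . $db->quote($pattern, false);
    }

    $query = 'SELECT `id`, `string`, `date` FROM `#__mytable`'
           . ' WHERE ' . implode(' AND ', $where)
           . ' ORDER BY `date` DESC'
           . ' LIMIT ' . $limit;   // cast integer, never quoted

    $db->setQuery($query);
    return $db->loadObjectList();
}
```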
For more information on Anthony, visit his profile page at community.joomla.org.