
Secure Form insert in database php

I've been reading a lot about how to safely process inputs taken from a form and insert them in a database, but it's not clear to me if I'm doing it correctly yet. I'm trying to avoid all possible threats, including SQL injection, and I'm uploading a file (image) directly into the database. I was wondering if anyone could help me out by taking a look at my code. I'm using ADOdb Active Record to connect with my database, and PHP.

    function insertar($post){
        try {
            $solicitud = new solicitud();
            $solicitud->nombre = revisarInputTexto($post['nombre']." ".$post['apellido1']." ".$post['apellido2']);
            $solicitud->residencia = revisarInputTexto($post['residencia']);
            $solicitud->correo = revisarInputEmail($post['correo']);
            $solicitud->genero = revisarInputTexto($post['genero']);
            $solicitud->gradoacademicomaximo = revisarInputTexto($post['gradoacademico']);
            $solicitud->experienciaprofesional = revisarInputTexto($post['experienciaprofesional']);
            $solicitud->experienciadocente = revisarInputTexto($post['experienciadocente']);
            $solicitud->unidadacademica = revisarInputTexto($post['unidad']);

            // Checkbox: the key is only present in the POST body when it was ticked.
            $solicitud->laboradoucr = isset($post['labora']);

            $solicitud->telefonos = revisarInputInt($post['telefono1'])."/".revisarInputInt($post['telefono2'])."/".revisarInputInt($post['telefono3']);
            $solicitud->nacimiento = revisarInputInt($post['anno']);

            // The upload must exist and have completed without error before its temp file is read.
            if(!isset($_FILES['cedula']) || $_FILES['cedula']['error'] !== UPLOAD_ERR_OK){
                return false;
            }
            $tmpName = $_FILES['cedula']['tmp_name'];
            $size    = $_FILES['cedula']['size'];

            // is_uploaded_file() guarantees the path came from this request's upload, not an
            // arbitrary local file; getimagesize() checks the bytes parse as an image; the
            // size cap bounds what is stored in the row.
            if(is_uploaded_file($tmpName) && getimagesize($tmpName) && $size < 2048000){
                // Store the raw bytes. ADOdb Active Record quotes/escapes values itself when it
                // builds the INSERT, so addslashes() here would double-escape and corrupt the image.
                $solicitud->fotoidentificacion = file_get_contents($tmpName);
            }else{
                return false;
            }

            $solicitud->save();
        } catch (Exception $e) {
            return false;
        }
        return true;
    }

    function obtenerUnidades(){
        $unidades = new unidadacademica();
        $arreglo = $unidades->Find("1=1");   // every row, used to populate the form's select list
        return $arreglo;
    }

    // Strips tags and encodes quotes. Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1.
    function revisarInputTexto($datos){
        $datos = trim($datos);
        $datos = filter_var($datos, FILTER_SANITIZE_STRING);
        return $datos;
    }

    // Removes characters not allowed in an e-mail address (does not validate the address).
    function revisarInputEmail($datos){
        $datos = trim($datos);
        $datos = filter_var($datos, FILTER_SANITIZE_EMAIL);
        return $datos;
    }

    // Keeps only digits and sign characters (does not validate the number).
    function revisarInputInt($datos){
        $datos = trim($datos);
        $datos = filter_var($datos, FILTER_SANITIZE_NUMBER_INT);
        return $datos;
    }


    // Controller
    if($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['accion'])){
        if (insertar($_POST)){
            $smarty->display('visitas-exito.tpl');
        }
        else{
            $smarty->display('visitas-fallo.tpl');
        }
    }else{
        $unidades = obtenerUnidades();
        $smarty->assign('unidades', $unidades);
        $smarty->display('visitas-formulario.tpl');
    }

The Form I'm using is pretty standard, I established the fields I wanted as required and that's pretty much it.

The "controller" does some checking and then calls the method "insertar", where I create the active record object to insert in the database after processing the post inputs.

If the method you're using to perform the actual database queries prevents SQL injection, then you don't need to sanitize the input. There's no harm in it, but it's redundant.
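The point made in this answer, as an added example that is neither the poster's code nor ADOdb's API: the same insert done with a PDO prepared statement, validating input (rejecting bad values) and leaving all escaping to the driver. It assumes PDO with the SQLite driver and a table whose column names follow the poster's field names; the POST array and image bytes are constructed so it runs offline.

```php
<?php
// Added example (not the poster's code). Validation rejects bad input; bound
// parameters keep the data out of the SQL text, so no addslashes() or
// FILTER_SANITIZE_* pass is needed, and the image bytes are stored untouched.

function validarTexto(string $v, int $max = 200): ?string {
    $v = trim($v);
    return ($v !== '' && strlen($v) <= $max) ? $v : null;   // byte-length cap
}

function validarEmail(string $v): ?string {
    $v = filter_var(trim($v), FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validarAnno(string $v): ?int {
    $opts = ['options' => ['min_range' => 1900, 'max_range' => (int) date('Y')]];
    $n = filter_var(trim($v), FILTER_VALIDATE_INT, $opts);
    return $n === false ? null : $n;
}

function insertarSolicitud(PDO $pdo, array $post, string $imagen): bool {
    $nombre = validarTexto($post['nombre'] ?? '');
    $correo = validarEmail($post['correo'] ?? '');
    $anno   = validarAnno($post['anno'] ?? '');
    if ($nombre === null || $correo === null || $anno === null) {
        return false;   // reject invalid input instead of "cleaning" it and continuing
    }
    // A quote in the name is stored literally; the image needs no escaping at all.
    $stmt = $pdo->prepare('INSERT INTO solicitud (nombre, correo, nacimiento, fotoidentificacion)
                           VALUES (:nombre, :correo, :anno, :foto)');
    $stmt->bindValue(':nombre', $nombre, PDO::PARAM_STR);
    $stmt->bindValue(':correo', $correo, PDO::PARAM_STR);
    $stmt->bindValue(':anno',   $anno,   PDO::PARAM_INT);
    $stmt->bindValue(':foto',   $imagen, PDO::PARAM_LOB);
    return $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE solicitud (id INTEGER PRIMARY KEY, nombre TEXT, correo TEXT, nacimiento INTEGER, fotoidentificacion BLOB)');

// Constructed sample input standing in for $_POST and the uploaded file's bytes.
$post   = ['nombre' => "Ana O'Brien", 'correo' => 'ana@example.com', 'anno' => '1990'];
$imagen = "\x89PNG\r\n\x1a\n\x00'\"\\";   // bytes addslashes() would have altered

var_dump(insertarSolicitud($pdo, $post, $imagen));   // bool(true)
$row = $pdo->query('SELECT nombre, length(fotoidentificacion) FROM solicitud')->fetch(PDO::FETCH_NUM);
var_dump($row[0] === "Ana O'Brien" && (int) $row[1] === strlen($imagen));   // bool(true): stored byte-for-byte
```

Swapping the SQLite DSN for the real database's DSN changes nothing else, since the placeholders and parameter types are the same across PDO drivers.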
