built in mysql functions
5 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2015
By ht1080z - June 9, 2015
Hi,
When I use the built-in mysql functions (like mysql_update, mysql_insert), do I need to escape my posted data when adding it to the array, or does the function already do that itself?
$colsToValues['firstname'] = $_REQUEST['firstname'];
or
$colsToValues['firstname'] = mysql_escape($_REQUEST['firstname']);
Please advise,
Karls
By claire - June 9, 2015
Hi Karls
If you're passing in an array, you shouldn't need to escape the data in the array. You should only need to escape if you're passing non-array variables, such as a string for a WHERE clause.
Claire Ryan
interactivetools.com
Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
By ht1080z - June 10, 2015
Hi Claire,
Thanks for the quick reply.
In this case (like below, a sample from the generated Membership profile page) I don't need to escape the values.
Is this general in PHP (no need to escape values in an array), or do the built-in functions already handle the escaping?
$colsToValues = array();
// plain keys: the value is taken as data (posted form fields go straight in)
$colsToValues['agree_tos'] = $_REQUEST['agree_tos'];
$colsToValues['fullname'] = $_REQUEST['fullname'];
$colsToValues['username'] = coalesce( @$_REQUEST['username'], $_REQUEST['email'] ); // email is saved as username if username code (not this line) is commented out
$colsToValues['email'] = $_REQUEST['email'];
$colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
// key ending in '=': the value is used as raw SQL (NOW() must not be quoted)
$colsToValues['updatedDate='] = 'NOW()';
// update the current user's record: table, record num, no extra WHERE string, column => value array
mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);
Thank you in advance,
Karls
By claire - June 10, 2015
Hi Karls
This is not standard in PHP! Normally you'd want to escape every possible input, but the mysql functions built into CMSB handle escaping for arrays as a convenience.
Claire Ryan
interactivetools.com
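The distinction Claire draws (array values are escaped for you, a hand-written WHERE string is not) is easier to see with a small reimplementation. The block below is an added illustration written for this page, not CMSB's own mysql_update() or mysql_escape(); the function names sql_escape() and build_update_sql(), the `accounts` table and the sample inputs are assumptions made for the example. It follows the convention visible in the thread: a key ending in '=' (as in 'updatedDate=') is treated as raw SQL, every other key's value is escaped and quoted, and the $whereClause string is passed through untouched.

```php
<?php
// Added example, not CMSB code: a minimal model of "array values are escaped,
// raw strings are not", so the caller's responsibility is visible.
// sql_escape(), build_update_sql(), the `accounts` table and the sample data
// below are assumptions for this illustration.

// Stand-in for an escaping function such as mysql_escape() /
// mysqli_real_escape_string(): escapes the characters MySQL treats specially
// inside a single-quoted string literal.
function sql_escape(string $value): string {
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Builds an UPDATE statement from a $colsToValues array.
//  - ordinary keys: the value is escaped and quoted, so posted data is safe;
//  - keys ending in '=' (e.g. 'updatedDate='): the value is inserted as raw
//    SQL and must therefore never contain user input;
//  - $whereClause is a raw string and is NOT escaped here: anything you
//    interpolate into it must be escaped by you first.
function build_update_sql(string $table, ?int $recordNum, ?string $whereClause, array $colsToValues): string {
    $sets = [];
    foreach ($colsToValues as $col => $value) {
        if (substr($col, -1) === '=') {
            $sets[] = '`' . rtrim($col, '=') . '` = ' . $value;          // raw SQL, trusted constants only
        } elseif ($value === null) {
            $sets[] = "`$col` = NULL";
        } else {
            $sets[] = "`$col` = '" . sql_escape((string)$value) . "'";   // escaped and quoted
        }
    }
    $where = ($recordNum !== null) ? '`num` = ' . (int)$recordNum : (string)$whereClause;
    return "UPDATE `$table` SET " . implode(', ', $sets) . " WHERE $where";
}

// Constructed sample input: a hostile value submitted through a profile form.
$hostile = "Karls', `username` = 'admin";

// 1) Array path: the embedded quote is escaped, so the attempted extra
//    assignment stays inside the fullname string literal.
$colsToValues = [
    'fullname'     => $hostile,
    'updatedDate=' => 'NOW()',   // raw, acceptable because it is a constant we wrote
];
echo build_update_sql('accounts', 42, null, $colsToValues), "\n";

// 2) Raw WHERE path: interpolating request data unescaped lets the input
//    rewrite the query; escaping it yourself keeps it a plain string value.
$requestedUser = "x' OR 1=1 -- ";
$unsafeWhere = "`username` = '" . $requestedUser . "'";             // do NOT do this
$safeWhere   = "`username` = '" . sql_escape($requestedUser) . "'"; // escape string arguments yourself
echo build_update_sql('accounts', null, $unsafeWhere, ['agree_tos' => '1']), "\n";
echo build_update_sql('accounts', null, $safeWhere,   ['agree_tos' => '1']), "\n";
```

Run it with `php example.php` and compare the three statements: in the first, the single quote inside $hostile is escaped and the whole value remains one string; in the second, the `OR 1=1 --` survives and the WHERE clause matches every row; in the third, the same input is just a username nobody has. That is the rule from the thread in one place: pass data through the array, and escape anything you hand over as a string yourself.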