built in mysql functions

5 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2015

By ht1080z - June 9, 2015

Hi,

When I use the built-in mysql functions (like mysql_update, mysql_insert), do I need to escape my posted data when adding it to the array, or does the function already take care of that?

$colsToValues['firstname'] = $_REQUEST['firstname']; or $colsToValues['firstname'] = mysql_escape($_REQUEST['firstname']);

Please advise,
Karls

By ht1080z - June 10, 2015

Hi Claire,

Thanks for the quick reply.

In this case (like below, a sample from the generated Membership profile page) I don't need to escape the values.

Is this general in PHP (no need for escaping values in an array), or are the built-in functions ready with escaping?

$colsToValues = array();
$colsToValues['agree_tos']   = $_REQUEST['agree_tos'];
$colsToValues['fullname']      = $_REQUEST['fullname'];
$colsToValues['username']   = coalesce( @$_REQUEST['username'], $_REQUEST['email'] ); // email is saved as username if username code (not this line) is commented out
$colsToValues['email']            = $_REQUEST['email'];
$colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
$colsToValues['updatedDate=']     = 'NOW()';
mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);

Thank you in advance,
Karls

By claire - June 10, 2015

Hi Karls

This is not standard in PHP! Normally you'd want to escape every possible input, but the mysql functions built into CMSB handle escaping for arrays as a convenience.

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
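To show what "escaping for arrays" means in practice, here is an added illustrative helper that is not CMSB's own code: it builds the SET clause from a $colsToValues array, escaping every value, and treats a key ending in "=" (as in the 'updatedDate=' => 'NOW()' line above) as a raw SQL expression that is deliberately not escaped. The function names, the "=" key convention and the constructed sample values are assumptions for this example.

```php
<?php
// Illustrative reimplementation (NOT CMSB's code) of how an update helper can
// escape an array of column => value pairs automatically.
// Assumed convention (from the thread's sample): a key ending in "=" means the
// value is a raw SQL expression such as NOW() and is inserted unescaped, so
// such keys must only ever carry constant expressions, never request data.

function quoteIdent(string $col): string {
    return '`' . str_replace('`', '``', $col) . '`';
}

function buildSetClause(array $colsToValues, callable $escape): string {
    $parts = [];
    foreach ($colsToValues as $col => $value) {
        if (substr($col, -1) === '=') {
            // raw expression: trim the marker, emit the value verbatim
            $parts[] = quoteIdent(rtrim($col, '=')) . ' = ' . $value;
        } elseif ($value === null) {
            $parts[] = quoteIdent($col) . ' = NULL';
        } else {
            // ordinary value: always quoted and escaped, whatever its source
            $parts[] = quoteIdent($col) . " = '" . $escape((string)$value) . "'";
        }
    }
    return implode(', ', $parts);
}

function buildUpdateSql(string $table, int $recordNum, array $colsToValues, callable $escape): string {
    // record number is cast to int, so it needs no quoting
    return 'UPDATE ' . quoteIdent($table) . ' SET ' . buildSetClause($colsToValues, $escape)
         . ' WHERE num = ' . $recordNum;
}

// With a live connection use the charset-aware escaper:
//   $escape = [$mysqli, 'real_escape_string'];
// For this offline demo, addslashes() stands in for it (constructed input).
$escape = function (string $s): string { return addslashes($s); };

$colsToValues = [];
$colsToValues['fullname']     = "O'Brien";          // constructed "posted" value with a quote
$colsToValues['email']        = 'karls@example.com';
$colsToValues['updatedDate='] = 'NOW()';            // raw expression, left unescaped

echo buildUpdateSql('accounts', 42, $colsToValues, $escape), "\n";
```

The point of the "=" key is the caveat: whatever the helper does for ordinary values, a raw-expression key bypasses escaping, so it should never be fed from $_REQUEST.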

By ht1080z - June 10, 2015

Thank you Claire!