built in mysql functions

5 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2015

By ht1080z - June 9, 2015

Hi,

When I use the built-in mysql functions (like mysql_update, mysql_insert), do I need to escape my posted data before adding it to the array, or is the function already responsible for doing it?

$colsToValues['firstname'] = $_REQUEST['firstname'];
or
$colsToValues['firstname'] = mysql_escape($_REQUEST['firstname']);

Please advise,
Karls

By claire - June 9, 2015

Hi Karls

If you're passing in an array, you shouldn't need to escape the data in the array. You should only need to escape if you're passing non-array variables, such as a string for a WHERE clause.

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
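
The split described in this answer, as an added example that is not part of the original thread and is not CMS Builder's code: values passed in the array are escaped by the helper, while a WHERE string is used exactly as the caller wrote it. `demo_escape()` and `demo_build_update()` are hypothetical stand-ins written for this illustration, and the table name and request values are constructed.

```php
<?php
// Added illustration; these helpers are hypothetical stand-ins, NOT CMS Builder's code.

// Stand-in for mysql_escape(): backslash-escapes the characters that
// mysql_real_escape_string() handles. For demonstration only.
function demo_escape(string $value): string {
    return strtr($value, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// Stand-in for an array-based update helper: every value in $colsToValues is
// escaped and quoted here, but $where is appended exactly as the caller wrote it.
function demo_build_update(string $table, string $where, array $colsToValues): string {
    $sets = [];
    foreach ($colsToValues as $column => $value) {
        // Column names cannot be escaped like values, so only plain names pass.
        if (!preg_match('/^\w+\z/', (string) $column)) {
            throw new InvalidArgumentException("Invalid column name: $column");
        }
        $sets[] = "`$column` = '" . demo_escape((string) $value) . "'";
    }
    return "UPDATE `$table` SET " . implode(', ', $sets) . " WHERE $where";
}

// Constructed sample input standing in for $_REQUEST.
$request = ['firstname' => "Conan O'Brien", 'email' => "x' OR '1'='1"];

// Array values: passed raw, escaped once by the helper.
$colsToValues = ['firstname' => $request['firstname']];

// WHERE string left unescaped: the quote in the input ends the literal early,
// so the rest of the input is parsed as SQL.
$unsafeWhere = "email = '" . $request['email'] . "'";
// WHERE string escaped by the caller: the input stays inside the literal.
$safeWhere = "email = '" . demo_escape($request['email']) . "'";

echo demo_build_update('accounts', $unsafeWhere, $colsToValues), "\n";
echo demo_build_update('accounts', $safeWhere, $colsToValues), "\n";

// Escaping an array value before passing it in escapes it twice, so the
// backslash itself becomes part of the stored name.
$double = ['firstname' => demo_escape($request['firstname'])];
echo demo_build_update('accounts', $safeWhere, $double), "\n";
```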

By claire - June 10, 2015

Hi Karls

This is not standard in PHP! Normally you'd want to escape every possible input, but the mysql functions built into CMSB handle escaping for arrays as a convenience.

--------------------

Claire Ryan
interactivetools.com

By ht1080z - June 10, 2015

Thank you Claire!