
How to insert POST data into MySQL via Form through Xenforo with SQL Injection Prevention

Discussion in 'XenForo Development Discussions' started by calnet, Oct 3, 2015.

  1. calnet

    calnet New Member

    Hey Everyone,

    I'm new to Xenforo after moving away from phpBB and love it!
    However, I am just transferring over my customized pages and struggling to find an answer to this question. I have searched everywhere high and low for an example but to no avail; I can't find a solution, which I hope one of you will help with. (This may sound like a dumb question as it's probably something easy to do)

    The question is:
    How to insert POST data into MySQL via Form through Xenforo with SQL Injection Prevention

    For example, I have created a separate table for the user data (e.g. xf_mytablename) and have created a form on Xenforo; once a user hits the submit button, it gets posted to the next page. On the next page I have the user's data, and insert it like this:

    $usersdata = $_POST["usersdata"];

    $db = XenForo_Application::get('db');

    $db->query("INSERT INTO xf_mytablename (user_id,userdata)
                   VALUES ('
    The question is, what is the proper way of doing this?
    This works but is susceptible to SQL injection attacks, etc.
    I've been pondering for hours trying numerous prepared statements, mysqli real escapes and it just refuses to work.

    Kind Regards,
  2. Mike

    Mike XenForo Developer Staff Member

    The database adapter already supports prepared statements. It's probably easiest to look at any of the model classes. They'll show you a few examples using it.
  3. calnet

    calnet New Member

    Hey Mike,

    Thanks for your reply, would you be able to point me in the direction of the path or location where I can find these model classes?
    Like I mentioned, I am new to Xenforo completely and even a sample snippet code of a prepared statement in xenforo would help greatly.

    I tried using one from the web like:
    // prepare and bind
    $stmt = $db->prepare("INSERT INTO xf_mytablename (user_id, description) VALUES (userid, ?)");

    // set parameters and execute

    "New records created successfully";
    Instead, I just get:
    Fatal Error: Call to undefined method Zend_Db_Statement_Mysqli::bind_param()

    Kind Regards,
  4. Daniel Hood

    Daniel Hood Well-Known Member

    $stmt = $db->prepare("INSERT INTO xf_mytablename (user_id, description) VALUES (userid, ?)");
    Would be
    $stmt = $db->query("INSERT INTO xf_mytablename (user_id, description) VALUES (userid, ?)", array($userdata));
    What he meant by look at the model classes was to look in /library/XenForo/Model/ at all the php files to see how queries are executed.

    Also, you could use the insert function rather than the query function. Look at Zend Framework v1's documentation for the database layers.
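The three approaches discussed in this thread, side by side, as an added example (not code posted by calnet, Mike or Daniel, and not XenForo's own code). It assumes XenForo 1.x, where the object returned by XenForo_Application::get('db') is a Zend_Db_Adapter_Abstract, and reuses the xf_mytablename table with a user_id and userdata column from the first post; the function names are made up for illustration.

```php
<?php
// Added example; assumes XenForo 1.x and the custom table
// xf_mytablename (user_id, userdata) described in the first post.
// Function names are illustrative, not part of XenForo.

// The pattern from the first post: the POST value is spliced into the
// SQL text, so a value containing a quote changes the statement instead
// of being stored. Kept here only to show what the safe versions replace.
function insertUserdataUnsafe(Zend_Db_Adapter_Abstract $db, $userId, $userdata)
{
    $db->query("INSERT INTO xf_mytablename (user_id, userdata)
                VALUES ('$userId', '$userdata')");
}

// Bound parameters, as in Daniel's reply: the adapter sends the values
// separately from the statement text, so they are always treated as data.
function insertUserdataSafe(Zend_Db_Adapter_Abstract $db, $userId, $userdata)
{
    $db->query(
        'INSERT INTO xf_mytablename (user_id, userdata) VALUES (?, ?)',
        array($userId, $userdata)
    );
}

// Same result through the adapter's insert() helper (Daniel's second
// suggestion): every value in the array is quoted by the adapter.
function insertUserdataViaHelper(Zend_Db_Adapter_Abstract $db, $userId, $userdata)
{
    $db->insert('xf_mytablename', array(
        'user_id'  => $userId,
        'userdata' => $userdata,
    ));
}

// Reading it back also takes a bound parameter rather than interpolation.
function fetchUserdata(Zend_Db_Adapter_Abstract $db, $userId)
{
    return $db->fetchRow(
        'SELECT user_id, userdata FROM xf_mytablename WHERE user_id = ?',
        $userId
    );
}

// Usage on the page that receives the form post.
$db = XenForo_Application::get('db');

// Take the user id from the logged-in session, not from a POST field,
// so a visitor cannot write a row on behalf of someone else.
$userId = XenForo_Visitor::getUserId();
$userdata = isset($_POST['usersdata']) ? (string) $_POST['usersdata'] : '';

insertUserdataSafe($db, $userId, $userdata);
$row = fetchUserdata($db, $userId);
```

Inside a XenForo controller the same value would normally be read with $this->_input->filterSingle('usersdata', XenForo_Input::STRING) instead of $_POST, but the binding rule is the same either way: the SQL string contains only placeholders, and user-supplied values go in the bind array.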
  5. calnet

    calnet New Member

    Bingo :) It worked a treat :) Thanks for your help @Daniel Hood and @Mike, much appreciated.

    Kind Regards,
