How to insert POST data into MySQL via Form through Xenforo with SQL Injection Prevention

C

calnet

Member
Hey Everyone,

I'm new to Xenforo after moving away from phpBB and love it!
However, I am just transferring over my customized pages across and struggling to find an answer to this question. I have searched everywhere high and low for an example but to no avail cant find a solution which I hope one of you will help. (This may sound like a dumb question as it's probably something easy to do)

The question is:
How to insert POST data into MySQL via Form through Xenforo with SQL Injection Prevention

For example, I have created a seperate table for the user data (e.g xf_mytablename) and have created a form on Xenforo, once a user hits the submit button, it gets posted to the next page. On the next page I have the users data, and insert it like this:

PHP: 
$usersdata = $_POST["usersdata"];

$db = XenForo_Application::get('db');

$db->query("INSERT INTO xf_mytablename (user_id,userdata)
               VALUES ('$userid','$usersdata');");

The question is, what is the proper way of doing this?
This works but is susceptible to SQL injection attacks..etc
I've been pondering for hours trying numerous prepared statements, mysqli real escapes and it just refuses to work.

Kind Regards,
 
The database adapter already supports prepared statements. It's probably easiest to look at any of the model classes. They'll show you a few examples using it.
 
Hey Mike,

Thanks for your reply, would you be able to point me in the direction of the path or location where I can find these model classes?
Like I mentioned, I am new to Xenforo completely and even a sample snippet code of a prepared statement in xenforo would help greatly.

I tried using one of the web like:
PHP: 
// prepare and bind
$stmt = $db->prepare("INSERT INTO xf_mytablename (user_id, description) VALUES (userid, ?)");
$stmt->bind_param("s", $userdata);

// set parameters and execute

$userdata= "Julie";
$stmt->execute();
echo "New records created successfully";

Instead, I just get:
Fatal Error: Call to undefined method Zend_Db_Statement_Mysqli::bind_param()

Kind Regards,
 
PHP: 
$stmt = $db->prepare("INSERT INTO xf_mytablename (user_id, description) VALUES (userid, ?)");
$stmt->bind_param("s", $userdata);
Would be
PHP: 
$stmt = $db->query("INSERT INTO xf_mytablename (user_id, description) VALUES (userid, ?)", array($userdata));

What he meant by look at the model classes was to look in /library/XenForo/Model/ at all the php files to see how queries are executed.

Also, you could use the insert function rather than the query function. Look at Zend Framework v1's documentation for the database layers.
 
You must log in or register to reply here.

Similar threads

B
XF 2.2 $finder sql injection question
Replies
2
Views
484
briansol
B
H7ML
  • Locked
  • Question Question
SQL Injection Protection
Replies
1
Views
1K
Paul B
P
Bonsai Coder
  • Question Question
XF 2.2 SQL Injection Warnings
Replies
14
Views
2K
bzcomputers
bzcomputers
NandorHUN
  • Question Question
XF 2.2 What's the best way to manage two user groups in a forum? (Multiple solutions: which one is the best? )
Replies
7
Views
894
NandorHUN
NandorHUN
Brad Padgett
  • Question Question
How Safe Are you From SQL Injection Without Mod Security on Xenforo 2?
Replies
15
Views
3K
bevans84
B
Back
Top Bottom