
MySQL Injection Prevention

Discussion in 'XenForo Development Discussions' started by Robust, Jun 5, 2015.

  1. Robust

    Robust Well-Known Member

    So, I have a few files that use XF's framework. They directly get data from the POST or GET globals. If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement? If the latter, does XenForo have any practice that should be used for this?

    Example:

    $userId = $_GET['user'];
    $query = $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $userId);
     
  2. Jake B.

    Jake B. Well-Known Member

    Assuming you don't have access to $this->_input, you can always cast your variable as an integer since user_id should always be an integer. Using something like:

    Code:
    $userId = (int) $userId;
    
     
  3. Robust

    Robust Well-Known Member

    That was just an example, using strings in the other script. Not sure if _input is available. It's just a basic init of XenForo. No styling on the page either. Returns json_encoded data.
     
  4. Mike

    Mike XenForo Developer Staff Member

    Ignoring the parse error as I assume you just typed that, but your example is using a prepared statement to inject the variable content, thus is protected.
     
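    The patterns the thread discusses, side by side, as an added example (not XenForo's code and not code from any of the posters). It assumes XenForo 1.x, where XenForo_Application::getDb() returns a Zend_Db_Adapter_Abstract whose fetchRow() accepts bind values, and where a XenForo_Input instance can filter request values; the function names and the JSON output at the end are this example's own.

```php
<?php
// Added example, not part of the original thread. Assumes the XenForo 1.x
// framework is already bootstrapped and $db is the Zend_Db adapter that
// XenForo_Application::getDb() returns.

// Unsafe: raw request input becomes part of the SQL text itself, so the
// client controls the structure of the query, not just a value in it.
function fetchUserUnsafe(Zend_Db_Adapter_Abstract $db, $rawUserId)
{
    return $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ' . $rawUserId);
}

// Safe: the value travels as a bind parameter. The adapter quotes it before
// it reaches MySQL, so the query structure cannot change (Mike's point).
function fetchUserBound(Zend_Db_Adapter_Abstract $db, $rawUserId)
{
    return $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $rawUserId);
}

// Defense in depth for integer columns: cast as well (Jake's suggestion), so
// a non-numeric value becomes 0 and matches no row instead of a surprise.
function fetchUserBoundAndTyped(Zend_Db_Adapter_Abstract $db, $rawUserId)
{
    $userId = (int) $rawUserId;
    return $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $userId);
}

// For string columns the cast does not apply; binding alone does the work.
function fetchUserByName(Zend_Db_Adapter_Abstract $db, $rawName)
{
    return $db->fetchRow('SELECT * FROM xf_user WHERE username = ?', $rawName);
}

// Several values: pass an array in placeholder order. LIKE wildcards in the
// pattern are still only data; they cannot alter the statement.
function fetchUsersByNamePrefix(Zend_Db_Adapter_Abstract $db, $rawPrefix, $rawLimit)
{
    return $db->fetchAll(
        'SELECT user_id, username FROM xf_user WHERE username LIKE ? LIMIT ?',
        array($rawPrefix . '%', (int) $rawLimit)
    );
}

// When a XenForo_Input object is available (assumed here to be built from the
// current request), it performs the type filtering for you.
function fetchUserViaInput(Zend_Db_Adapter_Abstract $db, XenForo_Input $input)
{
    $userId = $input->filterSingle('user', XenForo_Input::UINT);
    return $db->fetchRow('SELECT * FROM xf_user WHERE user_id = ?', $userId);
}

// A minimal endpoint in the style the question describes: bare framework
// init, no styling, JSON out. Only the bound and typed path is used.
$db = XenForo_Application::getDb();
$rawUserId = isset($_GET['user']) ? $_GET['user'] : '';
header('Content-Type: application/json');
echo json_encode(fetchUserBoundAndTyped($db, $rawUserId));
```

    The test for whether a query is safe is not whether the input was "cleaned" somewhere earlier, but whether every client-supplied value reaches the adapter as a bind parameter (or through its quoting helpers) rather than by string concatenation; the cast is an extra guard, not a substitute for binding.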
