MySQL Injection Prevention

Robust

Well-known member
So, I have a few files that uses XF's framework. They directly get data from the POST or GET globals. If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement? If the latter, does XenForo have any practice that should be used for this?

Example:

$userId = $_GET['user'];
$query = $db->fetchRow(' SELECT * FROM xf_user WHERE user_id = ?, $userId);
 
Assuming you don't have access to $this->_input, you can always cast your variable as an integer since user_id should always be an integer. Using something like:

Code:
$userId = (int) $userId;
 
Assuming you don't have access to $this->_input, you can always cast your variable as an integer since user_id should always be an integer. Using something like:

Code:
$userId = (int) $userId;
That was just an example, using strings in the other script. Not sure if _input is available. It's just a basic init of XenForo. No styling on the page either. Returns json_encoded data.
 
If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement?
Ignoring the parse error as I assume you just typed that, but your example is using a prepared statement to inject the variable content, thus is protected.
 
Top Bottom