
Sanitization Helper?

RickM

Well-known member
#1
I'm doing a couple of custom mods that involve a user filling out a form field, which then goes into a database table.

I've looked through the files and have been unable to find any form of 'independent' sanitization class/helper - does one exist?

Cheers
 

bambua

Well-known member
#3
Think he's wondering if there's a Zend or XenForo function built in to the framework to sanitize user input so they can't insert SQL... there are of course the built-in PHP functions if there isn't something in the framework.
 

RickM

Well-known member
#4
Yes - what bambua said. A standard sanitization class which contains a set of 'cleaning' functions which...well...clean user input.

I'm assuming there must be something in use, otherwise what would stop someone creating a thread that does an SQL injection? :/
 

ragtek

Guest
#5
No, AFAIK there is no class/function for this (haven't seen anything in the code).


They do everything directly in the models.
For example
PHP:
// filterSingle() casts the 'page' request parameter to an unsigned int before it is used
$page = max(1, $this->_input->filterSingle('page', XenForo_Input::UINT));
$postsPerPage = XenForo_Application::get('options')->messagesPerPage;

$this->canonicalizeRequestUrl(
    XenForo_Link::buildPublicLink('threads', $thread, array('page' => $page))
);

$postFetchOptions = $postModel->getPermissionBasedPostFetchOptions($thread, $forum) + array(
    'perPage' => $postsPerPage,
    'page' => $page,
    'join' => XenForo_Model_Post::FETCH_USER | XenForo_Model_Post::FETCH_USER_PROFILE,
    'likeUserId' => $visitor['user_id']
);
But as bambua said, ZF provides Zend_Paginator (http://framework.zend.com/manual/de/zend.paginator.html), but I'm not sure if it's in the XenForo build.


Edit:
Oops, it seems that I've misunderstood it.
 

Mike

XenForo developer
Staff member
#6
Think he's wondering if there's a Zend or XenForo function built in to the framework to sanitize user input so they can't insert SQL... there are of course the built-in PHP functions if there isn't something in the framework.
Aside from very minimal cases (e.g., null characters), we basically don't manipulate input. We escape for the context that's appropriate. If you're using a query, you should be using prepared statements or the quote() method; for templates, you should be using {$name} unless you are sure it's already escaped; for JS in templates, there's {xen:jsescape}; etc.

Stripping out quotes, <, etc from input isn't the way to go.
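The approach Mike describes in #6, as an added example that is not XenForo's own code: the input is stored untouched through a bound parameter (or quote()) and escaped only on output, once per context. It assumes PHP with the PDO SQLite driver; the table, the sample value and the helper names escapeHtml/escapeJs are constructed here, and htmlspecialchars/json_encode are assumed to stand in for what a template {$name} and {xen:jsescape} do.

```php
<?php
// Added example, not XenForo's own code. Assumes PHP with the PDO SQLite driver.
// The table, the sample value and the helper names are constructed for this demo.

// Constructed input: valid data that a "strip quotes and <" filter would corrupt.
$title = "O'Reilly's <b>guide</b> to \"quotes\" & more";

// The only input manipulation: drop null bytes, which no output context can carry safely.
$title = str_replace("\0", '', $title);

// Storage context: the value travels as a bound parameter, never as SQL text,
// so it needs no stripping and is stored exactly as typed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE thread (thread_id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO thread (title) VALUES (:title)');
$insert->execute([':title' => $title]);

// Where a statement cannot be prepared, quote() produces a correctly escaped SQL
// literal; concatenating $title directly would be the injection.
$row = $db->query('SELECT title FROM thread WHERE title = ' . $db->quote($title))
          ->fetch(PDO::FETCH_ASSOC);
$stored = $row['title'];
assert($stored === $title); // nothing was lost or altered on the way in

// HTML context: escape on output, the job a template {$name} does for you.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: emit a JSON literal with <, >, &, ' and " hex-escaped
// so the value cannot close the <script> block or the surrounding quotes.
function escapeJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo '<h1>' . escapeHtml($stored) . "</h1>\n";
echo '<script>var threadTitle = ' . escapeJs($stored) . ";</script>\n";
```

Run it with the PHP CLI; the same stored string comes out differently encoded for the HTML and the script context, while the database row still holds the user's original text.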