Sanitization Helper?

Discussion in 'XenForo Development Discussions' started by RickM, Oct 26, 2010.

  1. RickM

    RickM Well-Known Member

    I'm doing a couple of custom mods that involve a user filling out a form field, which then goes into a database table.

    I've looked through the files and have been unable to find any form of 'independent' sanitization class/helper - does one exist?

  2. Mike

    Mike XenForo Developer Staff Member

    Sanitizing in what way?
  3. bambua

    bambua Well-Known Member

    Think he's wondering if there's a Zend or XenForo function built into the framework to sanitize user input so they can't insert SQL... there are of course the built-in PHP functions if there isn't something in the framework.
  4. RickM

    RickM Well-Known Member

    Yes - what bambua said. A standard sanitization class which contains a set of 'cleaning' functions which...well...clean user input.

    I'm assuming there must be something in use, otherwise what would stop someone creating a thread that does an sql inject? :/
  5. ragtek

    ragtek Guest

    No, AFAIK there is no class/function for this (haven't seen anything in the code).

    They make everything direct in the models.
    For example
    // Read and type-filter the page number from the request (minimum 1)
    $page = max(1, $this->_input->filterSingle('page', XenForo_Input::UINT));
    $postsPerPage = XenForo_Application::get('options')->messagesPerPage;

    // Build the canonical link for this page of the thread
    XenForo_Link::buildPublicLink('threads', $thread, array('page' => $page));

    // Permission-based fetch options, merged with the paging options
    $postFetchOptions = $postModel->getPermissionBasedPostFetchOptions($thread, $forum) + array(
        'perPage' => $postsPerPage,
        'page' => $page,
        'join' => XenForo_Model_Post::FETCH_USER | XenForo_Model_Post::FETCH_USER_PROFILE,
        'likeUserId' => $visitor['user_id']
    );
    But as bambua said, ZF provides Zend_Paginator (http://framework.zend.com/manual/de/zend.paginator.html), but I'm not sure if it's in the XenForo build.

    Oops, it seems that I've misunderstood it.
  6. Mike

    Mike XenForo Developer Staff Member

    Aside from very minimal cases (e.g., null characters), we basically don't manipulate input. We escape for the context that's appropriate. If you're using a query, you should be using prepared statements or the quote() method; for templates, you should be using {$name} unless you are sure it's already escaped; for JS in templates, there's {xen:jsescape}; etc.

    Stripping out quotes, <, etc from input isn't the way to go.
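As an added example (not code from this thread or from XenForo), the approach Mike describes, carried through in plain PHP: the raw value is stored as-is and escaped once per output context. It uses PDO with an in-memory SQLite database so it runs stand-alone; the PDO bound query and quote(), htmlspecialchars() and json_encode() stand in for Zend_Db's bound queries and quote() and for the {$name} and {xen:jsescape} template escapes.

```php
<?php
// Added example: escape per output context instead of stripping characters from input.
// PDO + SQLite in memory so it runs stand-alone; XenForo itself uses Zend_Db, whose
// query($sql, $bind) and quote() play the same role as the PDO calls below.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE custom_field (field_id INTEGER PRIMARY KEY, value TEXT)');

// Constructed form input: quotes, angle brackets and an ampersand, all legitimate data.
$raw = "O'Reilly & <Sons> \"Ltd\"";

// What "sanitizing" the input would do: the stored data is silently corrupted,
// and the value is still not safe for every context it may later be printed into.
$stripped = str_replace(array("'", '"', '<', '>'), '', $raw);   // OReilly & Sons Ltd

// SQL context: a bound parameter keeps data and SQL separate, no stripping needed.
$insert = $db->prepare('INSERT INTO custom_field (value) VALUES (?)');
$insert->execute(array($raw));

$select = $db->prepare('SELECT value FROM custom_field WHERE field_id = ?');
$select->execute(array(1));
$stored = $select->fetchColumn();
assert($stored === $raw);   // stored byte-for-byte, so later lookups still match

// Where a placeholder cannot be used, quote() returns a correctly quoted SQL literal
// (the equivalent of Zend_Db's quote() mentioned above).
$literal = $db->quote($stored);

// HTML context (what {$name} does in a template): encode the HTML metacharacters.
$html = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// JavaScript string literal context (what {xen:jsescape} does): emit a JSON string
// literal, with < > & ' " hex-escaped so the value cannot break out of a <script> block.
$js = json_encode($stored, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

echo "Stripped: $stripped\n";
echo "Stored:   $stored\n";
echo "SQL:      SELECT * FROM custom_field WHERE value = $literal\n";
echo "HTML:     <td>$html</td>\n";
echo "JS:       var v = $js;\n";
```

Run it with `php example.php`; the same stored string comes out differently encoded for each of the three contexts while the database keeps the original value intact.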
