Sanitization Helper?

[RickM]

I'm doing a couple of custom mods that involve a user filling out a form field, which then goes into a database table.

I've looked through the files and have been unable to find any form of 'independant' sanitization class/helper - does one exist?

Cheers

 

[Mike]

Sanitizing in what way?

 

[bambua]

Think he's wondering if there's a zend or xenforo function built in to the framework to sanitize user input so they can't insert SQL...there of course the built in PHP functions if there isn't something in the framework.

 

[RickM]

Yes - what bambua said. A standard sanitization class which contains a set of 'cleaning' functions which...well...clean user input.

I'm assuming there must be something in use, otherwise what would stop someone creating a thread that does an sql inject? :/

 

[ragtek]

No, AFAIK there is no class/function for this (haven't seen anything in the code).


They make everything direct in the models.
For example

$page = max(1, $this->_input->filterSingle('page', XenForo_Input::UINT));
        $postsPerPage = XenForo_Application::get('options')->messagesPerPage;

        $this->canonicalizeRequestUrl(
            XenForo_Link::buildPublicLink('threads', $thread, array('page' => $page))
        );

        $postFetchOptions = $postModel->getPermissionBasedPostFetchOptions($thread, $forum) + array(
            'perPage' => $postsPerPage,
            'page' => $page,
            'join' => XenForo_Model_Post::FETCH_USER | XenForo_Model_Post::FETCH_USER_PROFILE,
            'likeUserId' => $visitor['user_id']
        );

But as bambua said, ZF provides Zend_Paginator (http://framework.zend.com/manual/de/zend.paginator.html ), but i'm not sure if it's in the XenForo build


Edit:
Ups, it seems that i've misunderstood it

 

[Mike]

Think he's wondering if there's a zend or xenforo function built in to the framework to sanitize user input so they can't insert SQL...there of course the built in PHP functions if there isn't something in the framework.

Aside from very minimal cases (eg, null characters), we basically don't manipulate input. We escape for the context that's appropriate. If you're using a query, you should be using prepared statements or the quote() method; for templates, you should be using {$name} unless you are sure it's already escaped; for JS in templates, there's {xen:jsescape}; etc.

Stripping out quotes, <, etc from input isn't the way to go.