
SQL injection and "$usermodel->validateauthentication"

#1
I'm writing third-party software that will be using my XenForo forum as an authentication system. Can I call $userid = $usermodel->validateauthentication($username, $password, $error); with raw data given by the user without having to be afraid of any kind of SQL injection or other problems like that?

I know XenForo itself is protected against all kinds of nasty stuff like this, and I don't want to create a new one for my board because of my flawed programming.
 

Jake Bunce

XenForo moderator
Staff member
#2
XenForo sanitizes the input before calling that function. You can see an example in:

XenForo_ControllerPublic_Login::actionLogin

Code:
// XenForo_ControllerPublic_Login::actionLogin (excerpt): every request field is
// coerced to its declared type before any of it reaches the user model
$data = $this->_input->filter(array(
	'login' => XenForo_Input::STRING,
	'password' => XenForo_Input::STRING,
	'remember' => XenForo_Input::UINT,
	'register' => XenForo_Input::UINT,
	'redirect' => XenForo_Input::STRING,
	'cookie_check' => XenForo_Input::UINT
));

...

// only the filtered values are handed to the model; $error receives the failure reason
$userId = $userModel->validateAuthentication($data['login'], $data['password'], $error);
You should do the same. It is good policy to sanitize user input.
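Putting the advice above into a standalone script, as an added example that is not code from this thread or from XenForo itself: it assumes a XenForo 1.x install at a hypothetical path, the XenForo_Autoloader / XenForo_Application bootstrap calls, and that XenForo_Input accepts a plain array in place of the request object.

```php
<?php
// Added example (not from the thread or XenForo): a third-party script that reuses a
// XenForo 1.x forum for authentication and filters the raw POST fields the same way
// XenForo_ControllerPublic_Login does before calling validateAuthentication().
// Assumptions: XENFORO_ROOT is a placeholder path; the bootstrap calls below and
// XenForo_Input accepting a plain array reflect my reading of the 1.x API.
define('XENFORO_ROOT', '/path/to/forum');   // placeholder: root of the XenForo install

require XENFORO_ROOT . '/library/XenForo/Autoloader.php';
XenForo_Autoloader::getInstance()->setupAutoloader(XENFORO_ROOT . '/library');
XenForo_Application::initialize(XENFORO_ROOT . '/library', XENFORO_ROOT);

/**
 * Authenticate a user against the forum's user table.
 * Returns the user id on success, or null on failure ($error holds the reason).
 */
function forumLogin(array $rawPost, &$error = '')
{
    // Same filter the login controller applies: untrusted fields are coerced to the
    // declared type rather than passed through as whatever the client sent.
    $input = new XenForo_Input($rawPost);
    $data = $input->filter(array(
        'login'    => XenForo_Input::STRING,
        'password' => XenForo_Input::STRING,
    ));

    if ($data['login'] === '' || $data['password'] === '') {
        $error = 'missing credentials';
        return null;
    }

    /** @var XenForo_Model_User $userModel */
    $userModel = XenForo_Model::create('XenForo_Model_User');
    $userId = $userModel->validateAuthentication($data['login'], $data['password'], $error);

    return $userId ? (int) $userId : null;
}

// Constructed request for illustration; in practice this is $_POST from your login form.
// The apostrophe in the login name is ordinary data and must survive the round trip intact.
$sample = array('login' => "o'brien@example.com", 'password' => 'correct horse battery');
$userId = forumLogin($sample, $error);
if ($userId === null) {
    error_log('forum login failed: ' . $error);   // log the reason; do not echo it to the user
} else {
    // establish your own application's session for $userId here
}
```

The filter protects the call from unexpected types and encodings; the model's own queries are what keep the values out of SQL syntax, so keep both in place rather than relying on either alone.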
 
#3
Thank you for the reply, I will do that.