1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SQL injection and "$usermodel->validateauthentication"

Discussion in 'XenForo Development Discussions' started by Markus, Dec 31, 2011.

  1. Markus

    Markus Member

    I’m writing third party software that will be using my xenforo forum as an authentication system. Can I call the $userid = $usermodel->validateauthentication($username, $password, $error); with a raw data given by the user without having to be afraid of any kind of SQL injection or other problems like that?

    I know xenforo itself is being protected by all kind of nasty stuff like this and I'm not wanting to create a new one for my board because of my flawed programming.
     
  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    XenForo sanitizes the input before calling that function. You can see an example in:

    XenForo_ControllerPublic_Login::actionLogin

    Code:
    		$data = $this->_input->filter(array(
    			'login' => XenForo_Input::STRING,
    			'password' => XenForo_Input::STRING,
    			'remember' => XenForo_Input::UINT,
    			'register' => XenForo_Input::UINT,
    			'redirect' => XenForo_Input::STRING,
    			'cookie_check' => XenForo_Input::UINT
    		));
    
    		...
    
    		$userId = $userModel->validateAuthentication($data['login'], $data['password'], $error);
    
    You should do the same. It is good policy to sanitize user input.
     
    Jeremy and Markus like this.
  3. Markus

    Markus Member

    Thank you for the reply, I will do that.
     

Share This Page