Cleaning $_POST / form variables

Hi,
I've been writing a few external forms and single-page forms which create certain pages, add content blocks and write certain attributes to users/pages etc.

All of this is done via proper methods as set in the API.

For the moment, I've added nothing in terms of making my $_POST variables safe for DB entry, i.e. preventing injection and such.

Is this done automatically at some higher level in C5, or do I have to add my own helpers to do this?

Just to reiterate, I'm NOT just connecting directly to the DB and running SQL commands...

Thanks.

moth
jgarcia replied:
As long as you are using Loader::db() and executing queries using that (and passing variables to it accordingly), you should be totally fine. Here's an example of the proper way to execute a query, for instance:
$db = Loader::db();
// the ? placeholders are bound separately from the SQL text, so $id and $cID are only ever treated as values
$row = $db->getRow("SELECT * FROM myTable WHERE id=? AND cID=?", array($id, $cID));


Of course you can also use $db->getAll and $db->execute...there may be others but those are really the only ones I use.
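The difference between concatenating a form value into the SQL and binding it through a "?" placeholder, as an added example that is not from this thread or the concrete5 code base. It uses PDO over an in-memory SQLite database so it runs stand-alone with php-cli; the table name, columns and sample rows are constructed for the demo, and the Loader::db() lines in the comment show the equivalent call through concrete5's database layer.

```php
<?php
// Added example, not the original thread's or concrete5's code.
// In concrete5 the safe form is the one jgarcia shows:
//   $db = Loader::db();
//   $row = $db->getRow("SELECT * FROM myTable WHERE id=? AND cID=?", array($id, $cID));
// Here plain PDO + SQLite stands in for Loader::db() so the script runs offline.
// Table, columns and rows below are constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE myTable (id INTEGER PRIMARY KEY, cID INTEGER, client TEXT)");
$pdo->exec("INSERT INTO myTable (id, cID, client) VALUES (1, 10, 'acme'), (2, 20, 'globex')");

// A hostile value, as it could arrive in $_POST['client'] from an external form.
$hostile = "nobody' OR '1'='1";

// UNSAFE: the value is pasted into the SQL text. The quote in $hostile closes
// the string literal and the rest is parsed as SQL, so the WHERE clause is
// always true and every row comes back.
function findClientUnsafe(PDO $pdo, $client) {
    $sql = "SELECT id, client FROM myTable WHERE client='" . $client . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a positional placeholder. The SQL text is fixed and the value is sent
// separately, so whatever it contains is only ever compared as data.
function findClientSafe(PDO $pdo, $client) {
    $stmt = $pdo->prepare("SELECT id, client FROM myTable WHERE client=?");
    $stmt->execute(array($client));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$unsafeRows = findClientUnsafe($pdo, $hostile);
$safeRows   = findClientSafe($pdo, $hostile);

printf("unsafe query matched %d rows (injection succeeded)\n", count($unsafeRows)); // 2
printf("safe query matched %d rows\n", count($safeRows));                           // 0

// Caveat: placeholders stop SQL injection only. A value that is stored
// verbatim and later printed into HTML still needs output escaping
// (htmlspecialchars() or equivalent) at the point where it is rendered.
```

Run it with php on a build that has pdo_sqlite enabled; the first query returns both rows for the hostile input, the second returns none. The same distinction applies to $db->getAll() and $db->execute(): pass values in the array argument, never by string concatenation.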
moth replied:
Thanks. So what about doing something like this?

$newPage->setAttribute('client', $_POST['client']);


Is that made safe?