If you're passing in an array, you shouldn't need to escape the data in the array. You should only need to escape if you're passing non-array variables, such as a string for a WHERE clause.
Thanks for the quick reply.
In this case (like below, sample from the generated Membership profile page) I don't need to escape the values.
Is this general in PHP (no need for escaping values in an array), or are the built-in functions ready with escaping?
$colsToValues = array();
$colsToValues['agree_tos'] = $_REQUEST['agree_tos'];
$colsToValues['fullname'] = $_REQUEST['fullname'];
$colsToValues['username'] = coalesce( @$_REQUEST['username'], $_REQUEST['email'] ); // email is saved as username if username code (not this line) is commented out
$colsToValues['email'] = $_REQUEST['email'];
$colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
$colsToValues['updatedDate='] = 'NOW()';
mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);
Thank you in advance,
This is not standard in PHP! Normally you'd want to escape every possible input, but the mysql functions built into CMSB handle escaping for arrays as a convenience.
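The difference between the two cases discussed in this thread, as an added example that is not CMS Builder's source code and not from any poster: a column-to-value array lets a helper escape each value itself, while a WHERE string arrives as finished SQL and must be escaped by the caller. The functions `demo_escape` and `demo_build_update`, the table name and the sample input are hypothetical, and treating a key ending in `=` as a raw SQL expression is an assumption about what the `updatedDate=` key in the posted code means.

```php
<?php
// Added illustration; NOT CMS Builder's source. All function names are hypothetical.

// Stand-in escaper so the example runs without a database connection.
// It covers the characters mysqli_real_escape_string() escapes; in real code
// use the escaper tied to your live connection and its character set.
function demo_escape(string $value): string {
    return strtr($value, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// Build an UPDATE from a column => value array, escaping every value.
// Assumption: a key ending in "=" marks a raw SQL expression, inserted unquoted.
function demo_build_update(string $table, int $recordNum, ?string $customWhere, array $colsToValues): string {
    $sets = [];
    foreach ($colsToValues as $col => $value) {
        $isRaw = substr($col, -1) === '=';
        $name  = $isRaw ? substr($col, 0, -1) : $col;
        if (!preg_match('/^\w+$/', $name)) {
            throw new InvalidArgumentException("Invalid column name: $col");
        }
        $sets[] = $isRaw
            ? "`$name` = $value"                                  // raw: never put request data here
            : "`$name` = '" . demo_escape((string) $value) . "'"; // data: always escaped and quoted
    }
    // The WHERE string is used verbatim: the helper cannot tell data from SQL.
    $where = $customWhere ?? "`num` = $recordNum";
    return "UPDATE `$table` SET " . implode(', ', $sets) . " WHERE $where";
}

// Constructed sample input standing in for $_REQUEST.
$request = ['fullname' => "Conan O'Brien", 'email' => 'conan@example.com'];

// Array values: escaped by the helper, so the caller passes them as-is.
echo demo_build_update('accounts', 7, null, [
    'fullname'     => $request['fullname'],
    'updatedDate=' => 'NOW()',
]), "\n";

// String WHERE clause: the caller escapes before concatenating.
$where = "`email` = '" . demo_escape($request['email']) . "'";
echo demo_build_update('accounts', 0, $where, ['fullname' => $request['fullname']]), "\n";
```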