5 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2015

Hi Karls

If you're passing in an array, you shouldn't need to escape the data in the array. You should only need to escape if you're passing non-array variables, such as a string for a WHERE clause.

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Hi Claire,

Thanks for the quick reply.

In this case (like below, sample from the generated Membership profile page) I don't need to escape the values.

Is this general in PHP (no need for escaping values in an array), or are the built-in functions ready with escaping?

$colsToValues = array();
$colsToValues['agree_tos']   = $_REQUEST['agree_tos'];
$colsToValues['fullname']      = $_REQUEST['fullname'];
$colsToValues['username']   = coalesce( @$_REQUEST['username'], $_REQUEST['email'] ); // email is saved as username if username code (not this line) is commented out
$colsToValues['email']            = $_REQUEST['email'];
$colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
$colsToValues['updatedDate=']     = 'NOW()';
mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);

Thank you in advance,
Karls

Hi Karls

This is not standard in PHP! Normally you'd want to escape every possible input, but the mysql functions built into CMSB handle escaping for arrays as a convenience.

--------------------

Claire Ryan
interactivetools.com


Thank you Claire!
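
The split described in this thread (array values escaped by the helper, WHERE strings escaped by the caller), as an added example that is not part of the original posts and is not CMSB's own code. Assumptions: `update_row()` is a hypothetical stand-in for a helper with that contract, an in-memory SQLite database via PDO replaces MySQL so the script runs offline, and the request data is constructed.

```php
<?php
// Added illustration. update_row() is a hypothetical stand-in, not a CMSB function.
$db = new PDO('sqlite::memory:');                       // in-memory DB so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE accounts (num INTEGER PRIMARY KEY, fullname TEXT, email TEXT, updatedDate TEXT)");
$db->exec("INSERT INTO accounts (num, fullname, email) VALUES (1, 'Old Name', 'old@example.com')");

function update_row(PDO $db, string $table, array $colsToValues, string $where): int {
    $set = [];
    foreach ($colsToValues as $col => $value) {
        $raw  = substr($col, -1) === '=';               // "col=" marks a raw SQL expression
        $name = rtrim($col, '=');
        if (!preg_match('/^\w+$/', $name)) {
            throw new InvalidArgumentException("bad column name: $col");
        }
        // Array values are quoted by the helper; raw expressions are not,
        // so a "col=" key must never carry request data.
        $set[] = "$name = " . ($raw ? $value : $db->quote((string) $value));
    }
    // $where is inserted verbatim: escaping it is the caller's responsibility.
    return $db->exec("UPDATE $table SET " . implode(', ', $set) . " WHERE $where");
}

// Constructed sample input with a quote character in it.
$request = ['fullname' => "Pat O'Brien", 'email' => 'pat@example.com'];

// 1. Values passed in the array need no escaping by the caller.
$n = update_row($db, 'accounts', [
    'fullname'     => $request['fullname'],
    'email'        => $request['email'],
    'updatedDate=' => "datetime('now')",                // SQLite counterpart of NOW()
], 'num = 1');
echo "array values: $n row updated\n";

// 2. The same input concatenated into a WHERE string breaks the statement.
try {
    update_row($db, 'accounts', ['email' => 'new@example.com'],
        "fullname = '" . $request['fullname'] . "'");
} catch (PDOException $e) {
    echo "unescaped WHERE rejected: " . $e->getMessage() . "\n";
}

// 3. Escaping the value before building the WHERE string fixes it.
$n = update_row($db, 'accounts', ['email' => 'new@example.com'],
    'fullname = ' . $db->quote($request['fullname']));
echo "escaped WHERE: $n row updated\n";
```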