built in mysql functions

5 posts by 2 authors in: Forums > CMS Builder
Last Post: June 10, 2015

By ht1080z - June 9, 2015

Hi,

When I use the built-in mysql functions (like mysql_update, mysql_insert), do I need to escape my posted data when adding it to the array, or does the function already take care of it?

$colsToValues['firstname'] = $_REQUEST['firstname']; or $colsToValues['firstname'] = mysql_escape($_REQUEST['firstname']);

Please advise,
Karls

By claire - June 9, 2015

Hi Karls

If you're passing in an array, you shouldn't need to escape the data in the array. You should only need to escape if you're passing non-array variables, such as a string for a WHERE clause.

--------------------

Claire Ryan
interactivetools.com

Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
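To make the split in the reply above concrete, here is an added illustrative stand-in for an update helper of this style (example code, not CMS Builder's own implementation; the `esc()` function and the `num`-column convention are assumptions): values passed in the array are escaped by the helper, a key ending in `=` is treated as a raw SQL expression as in the `'updatedDate='` line below, and a free-form WHERE string is used verbatim, so that one is the caller's responsibility.

```php
<?php
// Offline escaping with the same character set mysqli_real_escape_string
// handles, so no DB connection is needed here (assumes a single-byte charset).
function esc(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Illustrative helper: builds the UPDATE statement from an array of columns.
// $recordNum selects by primary key; otherwise $whereSql is used as given.
function build_update_sql(string $table, ?int $recordNum, ?string $whereSql, array $colsToValues): string {
    $sets = [];
    foreach ($colsToValues as $col => $value) {
        if (substr($col, -1) === '=') {
            // 'updatedDate=' => 'NOW()': raw SQL, only the column name is escaped
            $sets[] = '`' . esc(rtrim($col, '=')) . '` = ' . $value;
        } else {
            // ordinary column: the value is quoted and escaped by the helper
            $sets[] = '`' . esc($col) . "` = '" . esc((string) $value) . "'";
        }
    }
    $where = ($recordNum !== null) ? 'num = ' . (int) $recordNum : (string) $whereSql;
    return 'UPDATE `' . esc($table) . '` SET ' . implode(', ', $sets) . ' WHERE ' . $where;
}

// Constructed sample input: a submitted name containing a quote.
$colsToValues = [
    'fullname'     => "O'Brien",
    'updatedDate=' => 'NOW()',
];
echo build_update_sql('accounts', 42, null, $colsToValues), "\n";

// A string WHERE clause bypasses the helper's escaping, so escape it yourself.
$email = "o'brien@example.com";
echo build_update_sql('accounts', null, "email = '" . esc($email) . "'", ['fullname' => 'Karls']), "\n";
```

Passing `$email` unescaped into the WHERE string would break the query on the quote, while the same quote in the array value is handled inside the helper.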

By ht1080z - June 10, 2015

Hi Claire,

Thanks for the quick reply.

In this case (like below, a sample from the generated Membership profile page) I don't need to escape the values.

Is this general in PHP (no need for escaping values in an array), or do the built-in functions handle the escaping?

$colsToValues = array();
$colsToValues['agree_tos']        = $_REQUEST['agree_tos'];
$colsToValues['fullname']         = $_REQUEST['fullname'];
$colsToValues['username']         = coalesce( @$_REQUEST['username'], $_REQUEST['email'] ); // email is saved as username if username code (not this line) is commented out
$colsToValues['email']            = $_REQUEST['email'];
$colsToValues['updatedByUserNum'] = $CURRENT_USER['num'];
$colsToValues['updatedDate=']     = 'NOW()';
mysql_update(accountsTable(), $CURRENT_USER['num'], null, $colsToValues);

Thank you in advance,
Karls

By ht1080z - June 10, 2015

Thank you Claire!