Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: Christopher R. on August 11, 2011, 07:05:33 PM

Title: Database Insert
Post by: Christopher R. on August 11, 2011, 07:05:33 PM
Hi all,

I'm working on a custom page where I'm adding content to a database from user-based input, and I was wondering how to properly escape the input and insert the data into the database. Could anyone show me an easy-to-understand example?
Title: Re: Database Insert
Post by: All Colours Sam on August 11, 2011, 07:41:05 PM
It really depends on what SMF version you are using.

For 2.0 you can use $smc to sanitize your data:


global $smcFunc;

$toclean = $smcFunc['htmlspecialchars']($toclean, ENT_QUOTES);
$toclean = $smcFunc['htmltrim']($toclean, ENT_QUOTES);


If you're using 1.1.x then you can use the normal PHP functions trim() and htmlspecialchars().
Title: Re: Database Insert
Post by: Christopher R. on August 11, 2011, 07:47:06 PM
Oh, that's right.. I forgot to mention what version I'm running. I'm using version 2.0. With $smcFunc['htmlspecialchars'] can I pass in an array of content to sanitize?
Title: Re: Database Insert
Post by: All Colours Sam on August 11, 2011, 08:18:00 PM
If you want to clean up every entry in the array, use a foreach(). As far as I know, $smcFunc['htmlspecialchars'] only does strings.
Title: Re: Database Insert
Post by: Christopher R. on August 11, 2011, 08:47:06 PM
Quote from: Miss All Sunday on August 11, 2011, 08:18:00 PM
If you want to clean up every entry in the array, use a foreach(). As far as I know, $smcFunc['htmlspecialchars'] only does strings.

Thanks! Now, I just need to figure out how to insert into the database properly. I'm using a lot of different data types too (strings, int, bool, etc.), so it would be nice to see how these would be inserted into the database, because I'm completely lost on how to do it. I can't understand the example here: http://www.simplemachines.org/community/index.php?topic=224166.0#post_db_insert

Could someone rewrite that example with more real-world content with maybe what I have so I can learn from example?
Title: Re: Database Insert
Post by: All Colours Sam on August 11, 2011, 08:55:31 PM
A simple way to insert an int, for example, will be:


<?php

global $smcFunc;

// Check the $_POST variable
if (empty($_POST['something']))
    fatal_lang_error('no_post', false);

// Cleaning
$something = $smcFunc['htmlspecialchars']($_POST['something'], ENT_QUOTES);

// Let's do the insert
$smcFunc['db_insert']('replace',
    '{db_prefix}some_table',
    array(
        'something' => 'int' // Since it's an int, let's declare int here
    ),
    array(
        $something // The value we are going to insert
    ),
    array('something') // The keys, this is just for sqlite and such
);



That's about it. This will insert an int ($something) into the table some_table. For a string you use:

array(
    'something' => 'string'
),
Title: Re: Database Insert
Post by: Stumpy on August 15, 2011, 12:05:44 PM
What field will it insert it into?
Title: Re: Database Insert
Post by: IchBin™ on August 16, 2011, 11:56:40 AM
In her example, $something is what is getting inserted into the database.
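
Added example, not part of the original thread and not SMF's own code: the $smcFunc['db_insert'] call discussed above, extended to a string, an int and a bool in one row. It assumes the code runs inside an SMF 2.0 page (so $smcFunc and fatal_lang_error() are loaded); the form fields title, quantity and is_public, the columns of the same names and the key column id_item are hypothetical.

```php
<?php
// Added example. Assumes SMF 2.0 is loaded; table, column and form field
// names below are hypothetical.
global $smcFunc;

// Reject the request if the required fields are missing or blank.
if (!isset($_POST['title'], $_POST['quantity']) || trim($_POST['title']) === '')
    fatal_lang_error('no_post', false); // same language string the thread's example uses

// String that will be shown on pages later: trim it and encode HTML special
// characters. This protects the HTML output, it is not SQL escaping.
$title = $smcFunc['htmlspecialchars']($smcFunc['htmltrim']($_POST['title']), ENT_QUOTES);

// Integer: cast it instead of HTML-encoding it.
$quantity = (int) $_POST['quantity'];

// Boolean (for example a checkbox): store it as 0 or 1 in an int column.
$is_public = !empty($_POST['is_public']) ? 1 : 0;

// db_insert() escapes and quotes each value for SQL according to the type
// declared for its column, so no manual SQL quoting is done here.
$smcFunc['db_insert']('insert',
    '{db_prefix}some_table',
    // Column name => type. Each key names the field (column) that receives
    // the value at the same position in the next array.
    array(
        'title' => 'string',
        'quantity' => 'int',
        'is_public' => 'int',
    ),
    // Values, in the same order as the columns above.
    array(
        $title,
        $quantity,
        $is_public,
    ),
    // Key column(s) of the table (hypothetical auto-increment id).
    array('id_item')
);
```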