Problem with mysqli_real_escape_string() on custom page

Started by JamesWC, June 07, 2014, 07:07:23 PM


JamesWC

I'm using Custom Action Mod on SMF 2.0.7 to create new posts from user input on one of the mod's custom pages. I obviously want to escape the string containing the user input before inserting the message body into the forum database, so I'm trying to use PHP's mysqli_real_escape_string() function.

$escapedMsg = 'User input: ' . mysqli_real_escape_string($connection,$_POST['rawMsg']);

However this results in only the hardcoded phrase 'User input: ' being inserted.

I'm referencing $connection based on what I've seen in Sources/Subs-Db-mysql.php:

if (!empty($db_options['persist']))
    $connection = @mysql_pconnect($db_server, $db_user, $db_passwd);
else
    $connection = @mysql_connect($db_server, $db_user, $db_passwd);


To try and pinpoint the source of the problem, I have experimented with this test on my custom page:

if (is_resource($connection))
{
    echo '<p>$connection is set</p>';
} else {
    echo '<p>$connection is NOT set</p>';
}


It prints the second statement, suggesting to me that mysqli_real_escape_string is failing because it can't access $connection from my custom page, even though other variables such as $context['user']['id'] are accessible and I have added this line to the top of my code:

include_once('Sources/Subs-Db-mysql.php');

Can anyone please help me get mysqli_real_escape_string to run? I realize this issue may be specific to the mod but there's every chance I'm missing something more general, as my coding knowledge lies between beginner and intermediate at best. Is there an obvious solution jumping out at anyone reading this? Any pointers much appreciated! :)

Arantor

That's because SMF doesn't use MySQLi at all, but instead uses the older ext/mysql functions.

You might find life so much better if you actually used SMF's functions for inserting to the database than trying to roll your own, since they do escaping for you...

Can't really tell you what to do without seeing the rest of the code though.
Holder of controversial views, all of which my own.


JamesWC

Thanks. I'm using createPost() for the actual insertion, I'm just trying to provide it with $msgOptions['body'] as an escaped string per the instructions in the SMF Function DB.

So do I not actually need to escape the string after all, then?

Arantor

Escaping isn't just about preventing SQL injection but also preventing XSS.

You should first pass it through $smcFunc['htmlspecialchars'], then preparsecode() if there is any user driven content, then pass it to createPost.
Holder of controversial views, all of which my own.


JamesWC

I've removed:

$escapedMsg = 'User input: ' . mysqli_real_escape_string($connection,$_POST['rawMsg']);

...and tried replacing it with each of these:

$escapedMsg = 'User input: ' . preparsecode($smcFunc['htmlspecialchars']($_POST['rawMsg']));
$escapedMsg = 'User input: ' . preparsecode($_POST['rawMsg']);
$escapedMsg = 'User input: ' . $smcFunc['htmlspecialchars']($_POST['rawMsg']);

The first two result in only 'User input: ' being posted, while the third one posts the whole message. So preparsecode() isn't working for me.

Arantor

-sigh- I should know by now never to be even vaguely vague with people.

preparsecode does not operate the way you think it does, and I would have hoped you'd look at how preparsecode itself is called everywhere else in SMF to understand this.


$escapedMsg = 'User input: ' . $smcFunc['htmlspecialchars']($_POST['rawMsg']);
preparsecode($escapedMsg);
Holder of controversial views, all of which my own.


JamesWC

I'm sorry. Like I mentioned, my knowledge is limited, so I didn't even know variables could be modified without using "=" to assign them a new value. If I'd understood there were other possible ways, then I'd have checked which one to use.

Thanks for your help.

butchs

How come I cannot find "preparsecode" in the SMF function list?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Arantor

It's in Subs-Post.php and yet again the site team failed to get the function database updated.

@JamesWC: If you have *any* doubt about how a function works, look at how SMF uses it. Every single instance of preparsecode is as I've outlined, because it doesn't return anything, it just modifies in place.
Holder of controversial views, all of which my own.
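A self-contained illustration of the in-place point Arantor makes above, added here as an example and not code from the thread or from SMF itself. toy_preparsecode() and the $smcFunc closure are constructed stand-ins that only copy the calling conventions of SMF's preparsecode() and $smcFunc['htmlspecialchars']; the sample input is likewise constructed.

```php
<?php
// Constructed stand-in for SMF's preparsecode() (Sources/Subs-Post.php):
// same calling convention (argument by reference, no return value), but
// the body only trims and normalises line endings instead of parsing BBC.
function toy_preparsecode(&$message, $previewing = false)
{
    $message = str_replace(["\r\n", "\r"], "\n", trim($message));
}

// Constructed stand-in for $smcFunc['htmlspecialchars']: encode the
// input so user-supplied markup is shown literally, not rendered.
$smcFunc = [
    'htmlspecialchars' => function ($string) {
        return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
    },
];

// What the thread tried: using preparsecode() as if it returned the
// parsed text. It returns null, so only the hard-coded prefix survives.
function broken_build_body($raw)
{
    $copy = $raw;
    return 'User input: ' . toy_preparsecode($copy);
}

// Arantor's order: encode, build the full string in a variable, let
// preparsecode() modify that variable in place, then use the variable.
function build_body(array $smcFunc, $raw)
{
    $escapedMsg = 'User input: ' . $smcFunc['htmlspecialchars']($raw);
    toy_preparsecode($escapedMsg);
    return $escapedMsg;
}

// Constructed sample input, as it might arrive in $_POST['rawMsg'].
$raw = "Hello <b>world</b> <script>alert(1)</script>\r\n";

echo broken_build_body($raw), "\n";    // the user text is lost
echo build_body($smcFunc, $raw), "\n"; // prefix plus the encoded text

// On the real custom page the result becomes the post body, e.g.:
// $msgOptions['body'] = build_body($smcFunc, $_POST['rawMsg']);
// createPost($msgOptions, $topicOptions, $posterOptions);
```

Running this with php on the command line shows the first line carrying only the prefix and the second carrying the encoded message, which is exactly the difference between JamesWC's failing attempts and the working form.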

