Simple db_query question

Started by duongduythao, April 24, 2018, 09:20:27 AM

duongduythao

Hi,
I have a simple security question:
Do strings used in $smcFunc['db_query'] need to be escaped?
Or does the function do this?

Suki

This is a simple example of a query using $smcFunc:


// Typed placeholder {int:id_msg} is substituted from the array passed as the third argument.
$result = $smcFunc['db_query']('', '
    SELECT poster_time
    FROM {db_prefix}messages
    WHERE id_msg = {int:id_msg}
    LIMIT 1',
    array(
        'id_msg' => $user_settings['id_msg_last_visit'],
    )
);


Note the {int:id_msg}, which is SMF's own way to parameterize your queries.

There are a few types you can use; I can't remember all of them, but here's a list:

int
raw
float
array_int
array_string
string

SMF will do the escape for you.
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.
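As an added example (not from Suki's post or SMF's own code), the same pattern extended to a string placeholder and a list placeholder, with a `raw`-based version beside it to show where SMF stops escaping for you. The helper names and an SMF 2.x environment with `$smcFunc` already initialised (for example via SSI.php) are assumptions.

```php
<?php
// Added example (not from the thread or the SMF codebase): a helper that
// fetches recent messages by a list of IDs and a poster name, first with a
// dangerous 'raw' placeholder, then with typed placeholders. Assumes an SMF
// 2.x environment where $smcFunc has been initialised (e.g. via SSI.php).

// UNSAFE: {raw:...} inserts the value verbatim, so SMF does NOT escape it.
// Anything that reaches $poster_name from a request becomes part of the SQL.
function get_messages_unsafe(array $ids, $poster_name)
{
    global $smcFunc;
    return $smcFunc['db_query']('', '
        SELECT id_msg, poster_name, poster_time
        FROM {db_prefix}messages
        WHERE id_msg IN ({raw:ids})
            AND poster_name = {raw:poster_name}',
        array(
            'ids' => implode(',', $ids),
            'poster_name' => "'" . $poster_name . "'", // hand-quoted: fragile
        )
    );
}

// SAFE: typed placeholders. {array_int:ids} requires every element to be
// numeric (SMF raises a fatal database error otherwise) and emits "1, 2, 3";
// {string:poster_name} is escaped and quoted by SMF itself.
function get_messages(array $ids, $poster_name, $limit = 10)
{
    global $smcFunc;
    $request = $smcFunc['db_query']('', '
        SELECT id_msg, poster_name, poster_time
        FROM {db_prefix}messages
        WHERE id_msg IN ({array_int:ids})
            AND poster_name = {string:poster_name}
        ORDER BY poster_time DESC
        LIMIT {int:limit}',
        array(
            'ids' => $ids,
            'poster_name' => $poster_name,
            'limit' => (int) $limit,
        )
    );

    $messages = array();
    while ($row = $smcFunc['db_fetch_assoc']($request))
        $messages[$row['id_msg']] = $row;
    $smcFunc['db_free_result']($request);
    return $messages;
}
```

The typed version also fails closed: passing a non-numeric value where {int:...} or {array_int:...} is expected stops the query instead of sending it to the database.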