Topic: Do I need to sanitize post strings before adding them to the database?

Offline JoshuaD

Do I need to sanitize strings submitted by the user via the post interface? 

I am writing a custom bbc tag that takes data from the user and puts it into a custom table in the database.

It takes the format of:

[roll=Label]1d20+5[/roll]

Do I have to be worried about doing any sanitization on those strings before putting them into the database? I see that HTML characters are already handled, but I don't know enough about MySQL attacks to be able to do any meaningful test on whether those are protected against here, or whether I am expected to do that protection myself.

Offline Kindred

Re: Do I need to sanitize post strings before adding them to the database?
« Reply #1 on: January 21, 2020, 05:40:24 PM »
oh hell yes... anything that you accept as input, especially to the database, needs to be clean


I believe that the smf db functions may do most of it for you though (in other words, don't EVER write directly to the database, use the smf db functions)
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Offline JoshuaD

Re: Do I need to sanitize post strings before adding them to the database?
« Reply #2 on: January 21, 2020, 06:59:05 PM »
I'm using the function $smcFunc['db_insert'] to insert the data.  Should I be doing anything other than that?
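The following is an added example, not code from this thread or from SMF itself, showing what Kindred's advice and JoshuaD's use of `$smcFunc['db_insert']` look like together for the `[roll=Label]1d20+5[/roll]` tag. It assumes a hypothetical custom table `{db_prefix}dice_rolls` with the columns shown, and the function names and the dice-expression regex are likewise assumptions. The point it demonstrates: SQL escaping is done by declaring a type for every column so that `db_insert` builds `{string:...}`/`{int:...}` placeholders, and the remaining validation in the tag code is about data integrity (a dice expression really is a dice expression), not about quoting.

```php
<?php
// Added example for a custom [roll=Label]1d20+5[/roll] BBC tag (not SMF's own code).
// Assumed table: {db_prefix}dice_rolls (id_roll, id_msg, label, dice_count, dice_sides, modifier).

// Data-integrity check on the dice expression. This is NOT what protects the
// database from injection; it only guarantees the stored value is a real roll.
// Accepts forms like 1d20, 2d6+3, 1d8-1 (counts/sides/modifier bounded by length).
function roll_parse_expression($expr)
{
	if (!preg_match('~^(\d{1,3})d(\d{1,4})(?:([+-])(\d{1,4}))?$~', trim($expr), $m))
		return false;

	return array(
		'count'    => (int) $m[1],
		'sides'    => (int) $m[2],
		'modifier' => isset($m[3]) ? (int) ($m[3] . $m[4]) : 0,
	);
}

// Store one roll. $label is the raw tag parameter (already HTML-escaped by SMF at
// post time, as the first post notes); $expr is the tag body; $id_msg the message id.
function roll_store($label, $expr, $id_msg)
{
	global $smcFunc;

	$roll = roll_parse_expression($expr);
	if ($roll === false)
		return false;

	// The column type list is what makes this safe: db_insert turns each entry
	// into a typed placeholder, so strings are escaped by the driver and ints are
	// rejected unless they are actually numeric. 'string-60' also truncates the
	// label to the column length, so an oversized tag parameter cannot overflow it.
	// Never concatenate $label into a query string yourself; that bypasses all of this.
	$smcFunc['db_insert']('insert',
		'{db_prefix}dice_rolls',
		array(
			'id_msg'     => 'int',
			'label'      => 'string-60',
			'dice_count' => 'int',
			'dice_sides' => 'int',
			'modifier'   => 'int',
		),
		array((int) $id_msg, $label, $roll['count'], $roll['sides'], $roll['modifier']),
		array('id_roll')
	);

	return $smcFunc['db_insert_id']('{db_prefix}dice_rolls', 'id_roll');
}

// Reading the rows back uses the same placeholder mechanism via db_query:
// the {int:id_msg} placeholder is filled from the parameter array, never by
// string concatenation.
function roll_fetch_for_message($id_msg)
{
	global $smcFunc;

	$request = $smcFunc['db_query']('', '
		SELECT id_roll, label, dice_count, dice_sides, modifier
		FROM {db_prefix}dice_rolls
		WHERE id_msg = {int:id_msg}
		ORDER BY id_roll',
		array(
			'id_msg' => (int) $id_msg,
		)
	);

	$rolls = array();
	while ($row = $smcFunc['db_fetch_assoc']($request))
		$rolls[] = $row;
	$smcFunc['db_free_result']($request);

	return $rolls;
}

// Example use from inside the tag's validate callback (assumed call site):
// roll_store($data_label, $data_body, $context['id_msg']);
```

Two things worth checking in your own tag code: that every column in the `$columns` array of `db_insert` has a type (an untyped value never gets a placeholder), and that anything you later echo from `label` goes through the same output path SMF uses for other post text, since `db_insert` only protects the SQL side, not the HTML side.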