Do I need to sanitize post strings before adding them to the database?

Started by JoshuaD, January 21, 2020, 03:24:36 AM


JoshuaD

Do I need to sanitize strings submitted by the user via the post interface? 

I am writing a custom bbc tag that takes data from the user and puts it into a custom table in the database.

It takes the format of:

[roll=Label]1d20+5[/roll]

Do I have to be worried about doing any sanitization on those strings before putting them into the database? I see that HTML characters are already handled, but I don't know enough about MySQL attacks to be able to do any meaningful test on whether those are protected against here, or whether I am expected to do that protection myself.

Kindred

Oh hell yes... anything that you accept as input, especially to the database, needs to be clean.


I believe that the smf db functions may do most of it for you though (in other words, don't EVER write directly to the database, use the smf db functions)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

JoshuaD

I'm using the function $smcFunc['db_insert'] to insert the data.  Should I be doing anything other than that?
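As an added illustration of the point made in the thread (not code from SMF or from either poster), here is how the [roll=Label]1d20+5[/roll] payload could be validated and stored through $smcFunc['db_insert']. It assumes the SMF db layer is loaded and a hypothetical table {db_prefix}dice_rolls(id_roll, id_member, label, expression); the column-type map passed to db_insert is what makes the db layer quote and escape each value, so no manual escaping is done here.

```php
<?php
// Added example, not SMF's own code. Requires the SMF runtime ($smcFunc).
// Hypothetical table: {db_prefix}dice_rolls (id_roll, id_member, label, expression).

// Accept only the dice syntax the tag is meant to carry, e.g. "1d20+5" or "3d6-1".
// This is content validation (what the tag may hold); it is not what protects the SQL.
function roll_parse_expression($expr)
{
    if (!preg_match('/^([1-9]\d{0,2})d([1-9]\d{0,3})(?:([+-])(\d{1,4}))?$/', trim($expr), $m))
        return false;

    return array(
        'count'    => (int) $m[1],
        'sides'    => (int) $m[2],
        'modifier' => (isset($m[3]) && $m[3] !== '') ? (int) ($m[3] . $m[4]) : 0,
    );
}

// Store one roll. db_insert receives a column => type map ('int' / 'string'),
// so the SMF db layer casts the int and quotes/escapes the strings itself.
// A label such as O'Brien is stored literally without any code here touching quotes.
function roll_store($label, $expr, $id_member)
{
    global $smcFunc;

    $expr = trim($expr);
    if (roll_parse_expression($expr) === false)
        return false; // reject anything that is not a dice expression

    // The label is free text: bound its length, leave quoting to the db layer.
    $label = $smcFunc['substr']($label, 0, 50);

    $smcFunc['db_insert']('insert',
        '{db_prefix}dice_rolls',
        array('id_member' => 'int', 'label' => 'string', 'expression' => 'string'),
        array((int) $id_member, $label, $expr),
        array('id_roll')
    );

    return $smcFunc['db_insert_id']('{db_prefix}dice_rolls', 'id_roll');
}
```

Calling roll_store with a label containing a quote or backslash is safe because the 'string' type tells db_insert to escape it; what roll_parse_expression adds is that junk like "1d20; extra" never reaches the table at all.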
