Concrete 5 → Sanitizing your MySQL statements with c5's built-in sanitation methods


As I was slaving away in this catastrophe of a framework, I came across a bit of information that might serve useful to the general public.

The Issue

I was inserting a row into my database with the following code:

$entry['text'] = addslashes($value);
$db->query("INSERT INTO btMarquee(bID,entryData,duration,animationType) VALUES('$block_id','$entry_data','$duration','$animationType')");

Now the problem with this is that when you use Loader::db() from C5, it already escapes your input for you (which they don't tell you, because Concrete's documentation is horrible, especially on the lower-level methods). Calling addslashes() first means the value gets escaped twice, and the extra backslashes end up stored in the table.

So if you want to use the C5 database loader, you will have to adjust your inputs to something like this:

$db = Loader::db();
$db->query("INSERT INTO table_name (field1,field2) VALUES(?,?)", array('value for field 1 here', 'value for field 2 here'));

The $db->query() method in C5 takes 2 arguments: the first is the SQL statement with placeholder variables, aka the question marks (?); the second is an array of the values for those question marks. The positions of the values in the second parameter's array correspond to the positions of the question marks in the first parameter: the first value goes into the first question mark, the second into the second, and so forth.

If you write your code like this, C5 will automatically escape and sanitize your user inputs on their way into the database. This is actually one of the better ideas that C5 came up with; however, in true C5 fashion, they don't provide any docs on it, just some forum crap you have to search through. :-\
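Here is the marquee INSERT from above rewritten with placeholders, as an added example that is not from the original post. Concrete5's Loader::db() only exists inside the framework, so this uses PDO with an in-memory SQLite database as a stand-in (an assumption); the query(sql, array $params) shape mirrors C5's $db->query(), and it shows what addslashes() plus binding actually stores compared with binding alone.

```php
<?php
// Stand-in for C5's $db->query($sql, $params): prepare, bind the ? placeholders
// positionally from the array, execute. (Assumption: PDO/SQLite, not ADOdb.)
function runQuery(PDO $pdo, string $sql, array $params = array()): PDOStatement {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
runQuery($pdo, "CREATE TABLE btMarquee (bID INTEGER, entryData TEXT, duration INTEGER, animationType TEXT)");

// Constructed sample input: marquee text containing quotes, as user text often does.
$block_id = 7;
$userText = "O'Reilly's <b>sale</b>";
$duration = 5;
$animationType = 'fade';

// Wrong: addslashes() first, then binding. The driver escapes the value itself,
// so the backslashes addslashes() added are stored as part of the text.
runQuery($pdo,
    "INSERT INTO btMarquee (bID, entryData, duration, animationType) VALUES (?, ?, ?, ?)",
    array($block_id, addslashes($userText), $duration, $animationType));

// Right: pass the raw value and let the placeholder do the escaping.
runQuery($pdo,
    "INSERT INTO btMarquee (bID, entryData, duration, animationType) VALUES (?, ?, ?, ?)",
    array($block_id + 1, $userText, $duration, $animationType));

// Print both rows so the stored difference is visible.
foreach (runQuery($pdo, "SELECT bID, entryData FROM btMarquee ORDER BY bID") as $row) {
    echo $row['bID'], ': ', $row['entryData'], PHP_EOL;
}
```

The first row comes back with backslashes in front of every apostrophe, the second exactly as the user typed it, which is the double-escaping the post is about.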

Hope this helps you out.
