

Linc Detroit Admin
edited September 2009 in Vanilla 2.0 - 2.8
If I need to sanitize data before using $Database->Query is there a method for that? I'm looking for a mysql_real_escape_string replacement in Garden and am not finding it.


  • Mark Vanilla Staff
    Data sanitization should be handled by Garden natively.
  • Mark Vanilla Staff
    Oh, do you mean that you're composing your own sql and calling Query directly with your string? If so:

    1. Is there a reason why you were forced to do it that way?

    2. I guess we need to make a convenience method for sanitizing strings...
  • Linc Detroit Admin
    edited October 2009
    1. Yeah, importing from vBulletin! :D

    For some of the queries I can't grab and insert in the same query; I have to do a little data manipulation with PHP, and what's currently stored in the database isn't safe for an unsanitized data insert. I currently added "addslashes" to a bunch of the queries as a work-around, but as I understand that isn't really foolproof like mysql_real_escape_string.
  • Mark Vanilla Staff
    I'm going to drop @Todd an email about this one - he wrote most of the data layer.
  • Todd Chief Product Officer Vanilla Staff
    I'm not sure what method is called, but can you try Gdn::Database()->Connection()->quote(string).

    The Connection method returns a pdo which has the quote method.
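    As an added example (not code from this thread or from Vanilla itself), the following shows the approach Todd describes: quoting a value with the PDO handle's quote() method before splicing it into hand-written SQL, next to a prepared statement, and why addslashes() is not an equivalent. It uses an in-memory SQLite database so it runs offline; in Vanilla the PDO object would come from Gdn::Database()->Connection() as the thread states, and the post body is a constructed sample value.

```php
<?php
// Added example: escaping a value for hand-composed SQL via PDO::quote(),
// compared with a prepared statement and with addslashes().
// Assumption: an in-memory SQLite database stands in for Vanilla's MySQL
// connection (which would be Gdn::Database()->Connection() in Garden).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample: a post body as it might be read out of an imported database,
// containing the characters that break naive string concatenation.
$body = "O'Reilly said \"hi\"; back\\slash";

// 1. Driver-aware quoting: quote() returns the literal WITH its surrounding quotes,
//    escaped according to the rules of the connected database.
$sql = 'INSERT INTO post (body) VALUES (' . $pdo->quote($body) . ')';
$pdo->exec($sql);

// 2. Prepared statement: the value never becomes part of the SQL text at all,
//    which removes the escaping question entirely.
$stmt = $pdo->prepare('INSERT INTO post (body) VALUES (:body)');
$stmt->execute([':body' => $body]);

// Both rows round-trip unchanged.
foreach ($pdo->query('SELECT body FROM post ORDER BY id') as $row) {
    var_dump($row['body'] === $body); // bool(true) for both rows
}

// 3. addslashes() knows nothing about the driver or the connection character set:
//    it emits backslash escapes, which SQLite treats as literal characters, so the
//    quote after "O\" ends the string early and the statement is rejected.
try {
    $pdo->exec("INSERT INTO post (body) VALUES ('" . addslashes($body) . "')");
} catch (PDOException $e) {
    echo 'addslashes() statement rejected: ', $e->getMessage(), PHP_EOL;
}
```

    The practical takeaway for the import case in this thread: when a value has to pass through PHP between the read and the write, quote() on the connection's PDO object gives driver-correct escaping, and a prepared statement avoids composing the literal into the SQL string at all.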