Module development clarification

Development and Programming

Peter Lewis
280 posts
16 years ago

I’m trying to ensure I add all the recommended security precautions into my code, but don’t want to add pointless checks. The EE documentation is a little fuzzy on the overlap of what certain functions do and don’t do. Could you clarify the following please…

  1. Using $IN->GBL does XSS cleaning ($REGX->xss_clean) for GETs not POSTs (as documented), but does it also clean the data (I assume so) and prevent SQL Injection ($DB->escape_str)?

  2. Does $IN->clean_input_data() also escape it ($DB->escape_str) or do you have to do that separately?

  3. Does $TMPL->fetch_param do any cleaning or escaping?

Thanks,

Peter


Greg Aker
6,022 posts
16 years ago

Peter,

You should always escape user input on a query, so yes, use $DB->escape_str

$TMPL->fetch_param is just grabbing the parameter:

// Returns the raw tag parameter as written in the template, or FALSE if it
// was not supplied. No cleaning or escaping happens here.
function fetch_param($which)
{
    return ( ! isset($this->tagparams[$which])) ? FALSE : $this->tagparams[$which];
}

So escape that before you put it into the db.
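The pattern Greg describes, as an added example that is not code from the thread or from ExpressionEngine itself: it assumes the EE 1.x globals $TMPL, $IN and $DB, and that $IN->GBL($which, $type), $DB->query(), $query->result, $TMPL->no_results() and the exp_weblog_titles table exist as in EE 1.x (check these against your version).

```php
<?php
// Added example (not from the forum thread). Assumes EE 1.x globals and the
// method signatures named in the lead-in; verify them against your install.

function entries_for_author()
{
    global $TMPL, $IN, $DB;

    // fetch_param() hands back the raw template parameter or FALSE;
    // it performs no cleaning and no escaping.
    $author = $TMPL->fetch_param('author');
    if ($author === FALSE || $author === '')
    {
        return $TMPL->no_results();
    }

    // GBL() runs xss_clean() on GET values, but that is output-side
    // filtering; it does not make a value safe to place in SQL.
    $limit = $IN->GBL('limit', 'GET');

    // For numeric input, validating the type is stronger than escaping:
    // only an unsigned integer is accepted, otherwise a default is used.
    $limit = ($limit !== FALSE && ctype_digit((string) $limit)) ? (int) $limit : 10;

    // escape_str() is the step that addresses SQL injection: apply it to
    // the string value once, right where it is concatenated into the query.
    $sql = "SELECT entry_id, title FROM exp_weblog_titles "
         . "WHERE author_id = '" . $DB->escape_str($author) . "' "
         . "LIMIT " . $limit;

    $query = $DB->query($sql);
    return $query->result;
}
```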
