addslashes() equivalent for securing custom database queries

Previous topic

Developer

Next topic

Author	Message
Piotrek Karaś	Thursday 13 December 2007 1:09:47 am Ello, What would be the best way of securing custom database queries in custom classes? I have searched the entire installation for 'addslashes' string, but it's only been used once and not exactly in a context that could serve as a tool. Is there any recommended/core supported function or method for escaping any potentially dangerous characters, or is it dealt with on datatype-to-datatype basis? Thanks, Piotrek -- Company: mediaSELF Sp. z o.o., http://www.mediaself.pl eZ references: http://ez.no/partners/worldwide_partners/mediaself eZ certified developer: http://ez.no/certification/verify/272585 eZ blog: http://ez.ryba.eu
Łukasz Serwatka	Thursday 13 December 2007 1:46:16 am Hi Piotrek, You can use escapeString() ezdbinterface.php /! \pure Will escape a string so it's ready to be inserted in the database. / function escapeString( $str ) { return $str; } Re-implemented in ezmysqldb.php $db = eZDB::instance(); $db->escapeString( $str ); When you are using eZPresistentObject for storing content it will handle it automatically. Personal website -> http://serwatka.net Blog (about eZ Publish) -> http://serwatka.net/blog
Piotrek Karaś	Thursday 13 December 2007 3:35:18 am Łukasz, This is exactly it! Sometimes it's difficult to locate some wrappers, especially if you don't know if they exist, but I'm getting an impression that there will be one for anything in eZ ;) Thanks! -- Company: mediaSELF Sp. z o.o., http://www.mediaself.pl eZ references: http://ez.no/partners/worldwide_partners/mediaself eZ certified developer: http://ez.no/certification/verify/272585 eZ blog: http://ez.ryba.eu

Author

Message

Piotrek Karaś

Thursday 13 December 2007 1:09:47 am

Ello,

What would be the best way of securing custom database queries in custom classes? I have searched the entire installation for 'addslashes' string, but it's only been used once and not exactly in a context that could serve as a tool. Is there any recommended/core supported function or method for escaping any potentially dangerous characters, or is it dealt with on datatype-to-datatype basis?

Thanks,
Piotrek

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

Łukasz Serwatka

Thursday 13 December 2007 1:46:16 am

Hi Piotrek,

You can use escapeString() ezdbinterface.php

    /*!
      \pure
      Will escape a string so it's ready to be inserted in the database.
    */
    function escapeString( $str )
    {
        return $str;
    }

Re-implemented in ezmysqldb.php

$db = eZDB::instance();
$db->escapeString( $str );

When you are using eZPresistentObject for storing content it will handle it automatically.

Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog

Piotrek Karaś

Thursday 13 December 2007 3:35:18 am

Łukasz,

This is exactly it!
Sometimes it's difficult to locate some wrappers, especially if you don't know if they exist, but I'm getting an impression that there will be one for anything in eZ ;)

Thanks!