MyBB

AirborneFive · 01-04-2008, 04:42 AM

I know vBulletin has a way of "cleaning" data that is posted via a form (i.e. stripping it to nothing but text, or similar), though I've not yet seen how MyBB cleans the data upon browsing through the code.

Does MyBB have a class or function that cleans posted data automatically?

I need to run it through an entire form we're using for our customer backend and any help with this would be greatly appreciated.

Thanks,

Jonathan

MrD. · 01-04-2008, 05:34 AM

PHP Code:

$db->escape_string(); 

AirborneFive · 01-04-2008, 06:39 AM

Do you perhaps have an example of use?

Say if I had $_POST['username'], $_POST['password'] ect, how would I run that through and clean the variables?

MrD. · (This post was last modified: 01-04-2008 07:10 AM by MrD..)

PHP Code:

$username = $db->escape_string($_POST['username']);
$password = $db->escape_string($_POST['password']); 

You obviously need access to MyBB's $db variable for this to work. It doesn't strip it "just to text", but it does make it safe to be put in the database.

If you want just text, you can use in in conjunction with PHP's "strip_tags" function.

AirborneFive · 01-04-2008, 07:16 AM

One last question and I believe we should have it Smile

.

So if I have:

Code:

$user = array (

    "firstname" => $mybb->input["firstname"],

    "lastname" => $mybb->input["lastname"],

);

Would I simply surround the $mybb->input['xxx'] with the $db->escape_string, just as with the $_POST variables, or should I use $_POST instead?

MrD. · 01-04-2008, 07:35 AM

PHP Code:

$user = array (
    "firstname" => $db->escape_string($mybb->input["firstname"]),
    "lastname" => $db->escape_string($mybb->input["lastname"]),
); 

AirborneFive · 01-04-2008, 08:12 AM

Great, thank you very much, I appreciate the help!

Thanks again,

Jonathan

laie_techie · 01-04-2008, 05:31 PM

$db->escape_string only make the string safe for database insertion. You need to use htmlspecialchars or strip_tags when displaying string you don't want to be parsed as HTML.

Ryan Ashbrook · 01-09-2008, 05:17 PM

Also remember, that integers need to be passed through the intval() function upon database insertion.

This function ensures that the variable is indeed an integer, and will fail if the variable isn't an integer.

You can find a lot of good examples throughout the MyBB Code Base, and in the Wiki.

AirborneFive · 01-09-2008, 06:07 PM

Appreciate the information, Ryan Smile

.

We've got the basic form completed and it's working to standard and though we're not (yet) inserting integers into the database through the form, I will keep that in mind!

Thanks again everyone!