How does MyBB Clean Posted Variables?
#1
I know vBulletin has a way of "cleaning" data that is posted via a form (i.e. stripping it to nothing but text, or similar), though I've not yet seen how MyBB cleans the data upon browsing through the code.

Does MyBB have a class or function that cleans posted data automatically?

I need to run it through an entire form we're using for our customer backend and any help with this would be greatly appreciated.


Thanks,

Jonathan
- Jon T. & Kim B.
- AirborneFive Co-Owner's
- Optimized Web Hosting Solutions | Starting @ Only $2/mo
- First Month of Service Free! | Coupon: FIRSTMONTHFREE
#2
PHP Code:
$db->escape_string(); 
The little boat gently drifted across the pond exactly the way a bowling ball wouldn't.
#3
Do you perhaps have an example of use?

Say if I had $_POST['username'], $_POST['password'] etc., how would I run that through and clean the variables?
#4
PHP Code:
$username = $db->escape_string($_POST['username']);
$password = $db->escape_string($_POST['password']);

You obviously need access to MyBB's $db variable for this to work. It doesn't strip it "just to text", but it does make it safe to be put in the database.

If you want just text, you can use it in conjunction with PHP's "strip_tags" function.
#5
One last question and I believe we should have it :).

So if I have:

Code:
$user = array (
    "firstname" => $mybb->input["firstname"],
    "lastname" => $mybb->input["lastname"],
);

Would I simply surround the $mybb->input['xxx'] with the $db->escape_string, just as with the $_POST variables, or should I use $_POST instead?
#6
PHP Code:
$user = array (
    "firstname" => $db->escape_string($mybb->input["firstname"]),
    "lastname" => $db->escape_string($mybb->input["lastname"]),
);
#7
Great, thank you very much, I appreciate the help!


Thanks again,

Jonathan
#8
$db->escape_string only makes the string safe for database insertion. You need to use htmlspecialchars or strip_tags when displaying a string you don't want to be parsed as HTML.
#9
Also remember that integers need to be passed through the intval() function upon database insertion.

This function ensures that the variable is indeed an integer, and will fail if the variable isn't an integer.

You can find a lot of good examples throughout the MyBB Code Base, and in the Wiki.
ryanashbrook.co - My Blog - @ryanashbrook
Do NOT PM me for Support!
#10
Appreciate the information, Ryan :).

We've got the basic form completed and it's working to standard and though we're not (yet) inserting integers into the database through the form, I will keep that in mind!


Thanks again everyone!
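The three rules given in this thread (escape strings for the query, cast or validate integers, encode on output), put together as an added example that is not from any poster or from MyBB's code. SQLite3::escapeString() is an assumption standing in for $db->escape_string() so the script runs without a forum install; the table and input values are constructed.

```php
<?php
// Added example, not MyBB code. SQLite3::escapeString() stands in for
// MyBB's $db->escape_string() so the script runs without a forum install.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, firstname TEXT, age INTEGER)');

// Constructed sample input, playing the role of $mybb->input / $_POST.
$input = array(
    'firstname' => "O'Brien <b>bold</b>",
    'age'       => '42abc',
    'id'        => '1 OR 1=1',
);

// 1. Strings: escape at the point of building the query and keep them quoted.
$firstname = SQLite3::escapeString($input['firstname']);

// 2. Integers: intval() does not reject bad input, it coerces it.
//    Validate first when a malformed value should be refused.
$age = filter_var($input['age'], FILTER_VALIDATE_INT);
if ($age === false) {
    echo "age rejected by FILTER_VALIDATE_INT; intval() would have stored ",
         intval($input['age']), "\n";
    $age = 0;
}
$db->exec("INSERT INTO customers (firstname, age) VALUES ('$firstname', $age)");

// The cast is what keeps an unquoted numeric parameter from carrying SQL text.
$id  = intval($input['id']);
$row = $db->querySingle("SELECT firstname, age FROM customers WHERE id = $id", true);

// 3. Escaping changed nothing about the stored value: the markup is intact.
echo "stored:  ", $row['firstname'], "\n";

// 4. Output: encode for HTML when printing, or strip tags for plain text.
echo "encoded: ", htmlspecialchars($row['firstname'], ENT_QUOTES, 'UTF-8'), "\n";
echo "text:    ", strip_tags($row['firstname']), "\n";
```

Run it with the PHP CLI (the sqlite3 extension must be enabled); the "stored" line shows that database escaping leaves HTML in the value, which is why the output step is separate.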