MyBB Community Forums

Full Version: Intval & escape string usage.
Pages: 1 2 3
Yes that should work.
I just want to confirm, still, haha, if THIS is the correct way? Or it needs to be done differently?

Cheers.
Yes, that's the correct way to escape the data.
Thanks Nathan. :)

Btw, so using that way, the inputted data, as in POST data could not be changed or altered? What about tamper data and such? If not, I believe they only can change the information submitted in previous stage (when they filled the form) but cannot exploit the db, is it?
Of course they could change the data. As they input the data in the first place it doesn't matter what they input as long as you escape it.
Escaping the data, removes all special characters.

If a user inputs this:
/\this/\

The escaped input is:
this

Simples lol
^ You generally don't want to be doing that, unless those characters are strictly unnecessary.
And no, escaping doesn't remove special characters.
(2012-05-25, 10:58 PM) Yumi wrote:
> ^ You generally don't want to be doing that, unless those characters are strictly unnecessary.
> And no, escaping doesn't remove special characters.

I'm talking about "escape_string" not escaping in templates.
(2012-05-25, 01:01 PM) Frank.Barry wrote:
> Escaping the data, removes all special characters.
>
> If a user inputs this:
> /\this/\
>
> The escaped input is:
> this
>
> Simples lol

If that was the case that example wouldn't render as you expected. I think you're thinking of htmlspecialchars() which converts chars such as <, >, and & into their entity values.
Yes I am, sorry lol slap me quick lol
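
The distinction the thread settles on, as an added example that is not part of the original posts: intval() for numeric input, SQL escaping for strings going into a query, and htmlspecialchars() only when printing to HTML. It assumes the pdo_sqlite extension and uses PDO::quote() on an in-memory SQLite database as a stand-in for MyBB's $db->escape_string(); the table and the sample input are constructed.

```php
<?php
// Added example, not from the thread. PDO::quote() stands in for MyBB's
// $db->escape_string() so the script runs without a MyBB install
// (assumption: pdo_sqlite is loaded). Table and sample values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (pid INTEGER PRIMARY KEY, message TEXT)');

// Constructed request data, as if $_POST had been altered in transit.
$post = [
    'pid'     => "7 OR 1=1",
    'message' => "/\\this/\\ isn't <b>bold</b> & stays intact",
];

// 1. Numeric column: intval() keeps only the leading integer, so the
//    trailing "OR 1=1" never reaches the query.
$pid = intval($post['pid']);

// 2. String column: SQL escaping makes the value safe inside a string
//    literal (here the single quote in "isn't"). Nothing is removed.
$sql = 'INSERT INTO posts (pid, message) VALUES (' . $pid . ', '
     . $pdo->quote($post['message']) . ')';
echo $sql, PHP_EOL;
$pdo->exec($sql);

// The stored row is exactly what the user submitted, slashes included.
$stored = $pdo->query('SELECT message FROM posts WHERE pid = ' . $pid)
              ->fetchColumn();
var_dump($stored === $post['message']);

// 3. Output to HTML is a separate step: htmlspecialchars() converts
//    <, >, & and quotes to entities. It does not strip / or \ either.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```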