MyBB Community Forums

Full Version: Database Escape String
(2013-07-03, 11:41 AM)frostschutz Wrote: No. If you use $db->escape_string($_POST['myinput']), it inserts $_POST['myinput'] unmodified.

It's only needed for the query itself; it does not change the data to be inserted.

When you query it, you get the original $_POST['myinput'] back too.


Ok cool, should I be escaping stuff like:

$db->escape_string(time());
$db->escape_string($mybb->user['username']);
$db->escape_string($mybb->user['uid']);

Even though these are not user inputs, would it be extra security to do so anyway?
Yes, well. There could be boards that have users with ' in their names, so you should escape the username, yes. For numbers, you could cast to (int) / intval() instead to make sure it's really a number and not something else. In modern software everything would be escaped automatically by use of prepared statements; in MyBB you have to do it manually...
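The advice above (escape strings, cast numbers) as an added example; this is not code from the thread's authors or from MyBB itself. The table and column names, the StandInDb class and the sample data are assumptions so the file runs without a MyBB install.

```php
<?php
// Added example, not MyBB project code. Builds the kind of INSERT the thread
// discusses: string values go through $db->escape_string(), numeric values
// are cast with (int) instead of being escaped.

// Stand-in for MyBB's $db so this file runs without a database (assumption).
// MyBB's real escape_string() wraps mysqli_real_escape_string(); addslashes()
// is used here only to keep the example self-contained.
class StandInDb
{
    public function escape_string($string)
    {
        return addslashes($string);
    }
}

// $user stands for $mybb->user, $post for the raw $_POST array.
// Table name "myplugin_entries" is an assumption (in MyBB it would be
// prefixed with TABLE_PREFIX).
function build_insert_query($db, array $user, array $post)
{
    // Strings: escape. A username may legitimately contain a quote.
    $username = $db->escape_string($user['username']);
    $myinput  = $db->escape_string($post['myinput']);

    // Numbers: cast, do not escape. The cast guarantees the value that lands
    // in the query is an integer, whatever the input looked like.
    $uid      = (int) $user['uid'];
    $dateline = (int) time();

    return "INSERT INTO myplugin_entries (uid, username, myinput, dateline)"
         . " VALUES ({$uid}, '{$username}', '{$myinput}', {$dateline})";
}

// Constructed sample data standing in for $mybb->user and $_POST.
$db   = new StandInDb();
$user = array('uid' => '42', 'username' => "O'Brien");
$post = array('myinput' => "it's fine");

echo build_insert_query($db, $user, $post), PHP_EOL;

// Caveat on "make sure it's really a number": intval() coerces, it does not
// validate. Leading digits are kept and trailing text is dropped, and input
// with no leading digits becomes 0, so check the input before casting if a
// zero must not silently reach the query.
var_dump(intval('42abc'));
var_dump(intval('abc'));
```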
(2013-07-03, 11:58 AM)frostschutz Wrote: Yes, well. There could be boards that have users with ' in their names, so you should escape the username, yes. For numbers, you could cast to (int) / intval() instead to make sure it's really a number and not something else. In modern software everything would be escaped automatically by use of prepared statements; in MyBB you have to do it manually...

Ok, I'm having some issues when using (int) and intval(). When I use ......

$variable = intval($_POST['myinput']);

or

$variable = (int) $_POST['myinput'];

......my query won't run; when I remove (int) or intval() the query runs perfectly. Weird or what?