MyBB Community Forums

Full Version: Database Escape String
I've just entered the following in a post on my testboard:

<style> type="text/css">
body {color: #000000 !important;}
</style>

I then checked my database and none of it was escaped, nor was any HTML converted to symbols. It literally inserted it as shown above. Is this normal, or is there an issue here? I'm assuming that shouldn't be allowed to be posted directly into the database?
The database contains the raw data, it's escaped on output.
edit: delayed response
Post content is inserted into the database as is!
(2013-07-03, 10:40 AM)Nathan Malcolm Wrote: The database contains the raw data, it's escaped on output.

Ok, but is allowing quotes
value ('
an SQL issue?
No, because the data is escaped. It's protected against SQL injection (mysql_real_escape_string()) but it inserts raw HTML.
(2013-07-03, 11:08 AM)Nathan Malcolm Wrote: No, because the data is escaped. It's protected against SQL injection (mysql_real_escape_string()) but it inserts raw HTML.

Ok so if I was to do this:

$variable = $db->escape_string($_POST['myinput']);

I assume that would escape the input but place the quotes and all data in the database as raw data?

If so, is it necessary to do something like this:
$variable = $_POST['myinput'];
$variable = $db->escape_string($variable);

Or does that make any difference? I doubt it, but thought I would mention it.
Correct.

There's no difference between:

$variable = $db->escape_string($_POST['myinput']); 

and

$variable = $_POST['myinput'];
$variable = $db->escape_string($variable); 

The first is preferred from a design point of view. Being specific to MyBB, $mybb->input['myinput'] is preferred to using $_GET or $_POST.
There seems to be a misunderstanding somewhere.

A query like INSERT ... "your \' data"

inserts your ' data without the \. The escape only lives within the query string.

There's nothing wrong with that. As for escaping HTML, it has to be done on output, as you cannot trust the database contents to be correctly escaped already.
Oh ok, so $mybb->input can be used (within a MyBB defined page) to replace $_GET and $_POST?

Just one more question on the escaping thing: so there's no way to physically see if the database is escaped or not? What I mean is, if I use the following to escape data:

$variable = $db->escape_string($_POST['myinput']);

I shouldn't be expecting to see this in the database?

Quote:<style> type=\"text/css\">
body {color: #000000 !important;}
</style>
No. If you use $db->escape_string($_POST['myinput']), it inserts $_POST['myinput'] unmodified.

It's only needed for the query itself, it does not change the data to be inserted.

When you query it, you get the original $_POST['myinput'] back too.
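The two replies above (the escape only lives within the query string, and HTML has to be escaped on output) put into runnable form. This is an added example, not code from the thread or from MyBB: it uses Python's built-in sqlite3 instead of MySQL, so SQLite's quote-doubling stands in for mysql_real_escape_string(), and the posts table and the sample post content are constructed here.

```python
import html
import sqlite3

# Constructed sample input: what the user typed into the post form. It mirrors the
# thread's example (the stray '>' after <style> is kept as typed) plus some quotes.
POSTED = "<style> type=\"text/css\">\nbody {color: #000000 !important;}\n</style> it's 'quoted'"


def sqlite_escape_string(value: str) -> str:
    """SQLite's counterpart of mysql_real_escape_string(): a literal quote is
    doubled. Only safe for text placed inside a single-quoted SQL literal."""
    return value.replace("'", "''")


def store_with_escaping(conn: sqlite3.Connection, text: str) -> str:
    """Build the INSERT by concatenation, the way $db->escape_string() is used
    on the page. The doubled quotes exist only in this query string; the
    database stores the original text. Returns the query for inspection."""
    query = "INSERT INTO posts (message) VALUES ('" + sqlite_escape_string(text) + "')"
    conn.execute(query)
    conn.commit()
    return query


def store_with_parameters(conn: sqlite3.Connection, text: str) -> None:
    """Preferred form: the driver passes the value separately from the SQL,
    so no escaping is needed and none is stored either."""
    conn.execute("INSERT INTO posts (message) VALUES (?)", (text,))
    conn.commit()


def store_unescaped(conn: sqlite3.Connection, text: str) -> bool:
    """What escaping prevents: a quote in the data ends the literal and the
    remainder is parsed as SQL. With this input that is a syntax error;
    crafted input would be executed. Returns True only if the INSERT ran."""
    try:
        conn.execute("INSERT INTO posts (message) VALUES ('" + text + "')")
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def fetch_messages(conn: sqlite3.Connection) -> list[str]:
    """Read back the raw rows, in insertion order."""
    return [row[0] for row in conn.execute("SELECT message FROM posts ORDER BY rowid")]


def render(message: str) -> str:
    """Escape for HTML at output time, since the database holds raw text.
    quote=True also converts both quote characters, so the result is safe
    inside attribute values as well as element content."""
    return html.escape(message, quote=True)


def demo() -> dict:
    """Run the whole round trip on an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (message TEXT)")
    query = store_with_escaping(conn, POSTED)
    store_with_parameters(conn, POSTED)
    unescaped_ok = store_unescaped(conn, POSTED)
    stored = fetch_messages(conn)
    return {
        "query": query,                          # contains ''quoted''
        "stored": stored,                        # both rows equal POSTED exactly
        "unescaped_ran": unescaped_ok,           # False: the raw quote broke the SQL
        "rendered": [render(m) for m in stored], # <style> becomes &lt;style&gt;
    }


if __name__ == "__main__":
    result = demo()
    print("query sent:", result["query"])
    print("stored rows equal input:", all(m == POSTED for m in result["stored"]))
    print("unescaped insert ran:", result["unescaped_ran"])
    print("rendered:", result["rendered"][0])
```

Compare result["query"] with result["stored"]: the query text carries the doubled quotes, the rows do not, and the `<style>` markup sits in the table untouched until render() escapes it on the way out. Checking the database for backslashes or entities therefore tells you nothing about whether the code that wrote it was safe; only the query construction and the output path do.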