MyBB Community Forums

Full Version: How does MyBB Clean Posted Variables?
I know vBulletin has a way of "cleaning" data that is posted via a form (i.e. stripping it to nothing but text, or similar), though I've not yet seen how MyBB cleans the data upon browsing through the code.

Does MyBB have a class or function that cleans posted data automatically?

I need to run it through an entire form we're using for our customer backend and any help with this would be greatly appreciated.


Thanks,

Jonathan
$db->escape_string();
Do you perhaps have an example of use?

Say if I had $_POST['username'], $_POST['password'] etc., how would I run that through and clean the variables?
$username = $db->escape_string($_POST['username']);
$password = $db->escape_string($_POST['password']);

You obviously need access to MyBB's $db variable for this to work. It doesn't strip it "just to text", but it does make it safe to be put in the database.

If you want just text, you can use it in conjunction with PHP's "strip_tags" function.
One last question and I believe we should have it :)

So if I have:

$user = array (
	"firstname" => $mybb->input["firstname"],
	"lastname" => $mybb->input["lastname"],
);

Would I simply surround the $mybb->input['xxx'] with the $db->escape_string, just as with the $_POST variables, or should I use $_POST instead?
$user = array (
    "firstname" => $db->escape_string($mybb->input["firstname"]),
    "lastname" => $db->escape_string($mybb->input["lastname"]),
);
Great, thank you very much, I appreciate the help!


Thanks again,

Jonathan
$db->escape_string only makes the string safe for database insertion. You need to use htmlspecialchars or strip_tags when displaying strings you don't want to be parsed as HTML.
Also remember, that integers need to be passed through the intval() function upon database insertion.

This function ensures that the variable is indeed an integer, and will fail if the variable isn't an integer.

You can find a lot of good examples throughout the MyBB Code Base, and in the Wiki.
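The replies above describe three separate steps that are easy to conflate: $db->escape_string for string values that will sit inside quotes in a query, intval for numbers that are placed unquoted, and htmlspecialchars (or strip_tags) at display time. The following is an added example written for this thread, not code from MyBB or from any poster. MyBB's global $db is not available outside the forum, so DemoDb is a hypothetical stand-in whose escape_string() imitates mysqli_real_escape_string() for single-byte input; in a real plugin you would use the global $db instead, since the stand-in knows nothing about the connection charset. The table and column names, the customers form fields and the sample $post array are all constructed for the demo.

```php
<?php
// Added example, not MyBB's own code. Shows the three "cleaning" steps from
// the thread, each applied at its own point of use.
//
// ASSUMPTION: DemoDb is a hypothetical stand-in for MyBB's $db; its
// escape_string() imitates mysqli_real_escape_string() for single-byte
// input. Use the real global $db inside MyBB; this stub is demo-only.

class DemoDb
{
    /** Backslash-escape the characters MySQL treats specially inside a quoted string literal. */
    public function escape_string(string $value): string
    {
        return strtr($value, [
            "\0"   => '\\0',
            "\n"   => '\\n',
            "\r"   => '\\r',
            "\\"   => '\\\\',
            "'"    => "\\'",
            '"'    => '\\"',
            "\x1a" => '\\Z',
        ]);
    }
}

/**
 * Step 1 (storage): build the INSERT for the customer form.
 * Strings go through escape_string() and are wrapped in single quotes.
 * Integers go through intval() and are placed unquoted: escaping does
 * nothing for a value that is not inside quotes, which is why the thread
 * says integers must be cast, not escaped.
 */
function build_insert_query(DemoDb $db, array $input): string
{
    $user = [
        'firstname' => $db->escape_string($input['firstname'] ?? ''),
        'lastname'  => $db->escape_string($input['lastname'] ?? ''),
        'age'       => intval($input['age'] ?? 0),
    ];

    return "INSERT INTO customers (firstname, lastname, age) VALUES ('"
        . $user['firstname'] . "', '" . $user['lastname'] . "', "
        . $user['age'] . ")";
}

/**
 * Step 2 (display): escape for HTML at output time, starting from the raw
 * value rather than the DB-escaped one. Reusing the DB-escaped value would
 * leak backslashes into the page and still not neutralise a <script> tag.
 */
function render_greeting(string $firstname, string $lastname): string
{
    $safe = htmlspecialchars($firstname . ' ' . $lastname, ENT_QUOTES, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

/** Step 3 (text only): strip markup when the field should never carry HTML. */
function text_only(string $value): string
{
    return strip_tags($value);
}

// Constructed sample input, shaped like $_POST or $mybb->input would be.
$post = [
    'firstname' => "Mary'; DROP TABLE customers; --",
    'lastname'  => '<script>alert(1)</script>',
    'age'       => '25 or 1=1',
];

$db = new DemoDb();

echo build_insert_query($db, $post), "\n";                            // quote stays inside the literal; age becomes 25
echo render_greeting($post['firstname'], $post['lastname']), "\n";    // angle brackets and quotes become entities
echo text_only($post['lastname']), "\n";                              // tags removed, inner text kept
```

The point to take from the demo is that each escaping function is tied to a destination: escape_string for a quoted SQL literal, intval for a bare numeric position in SQL, htmlspecialchars for HTML output. Applying one of them in the wrong context (escape_string on an unquoted number, or trusting DB escaping to protect the page) leaves the corresponding injection open.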
Appreciate the information, Ryan :)

We've got the basic form completed and it's working to standard and though we're not (yet) inserting integers into the database through the form, I will keep that in mind!


Thanks again everyone!