hi
i was trying to search the database for usernames and then spit out the uid
to clean up the input username i'm currently using
$uname = htmlspecialchars_uni($mybb->input['uname']);
where uname is passed via _POST
www.localhost/mybb/test.php?uname=Darkmew
then i simply place in the query
$query = $db->simple_select("users","uid","username='$uname'");
$uid = $db->fetch_field($query,"uid");
Question
Do i have to place db->escape_strings stuff somewhere ...
$query = $db->simple_select("users","uid","username='".$db->escape_string($mybb->input['uname'])."'");
$uid = $db->fetch_field($query,"uid");
Probably better than htmlspecialchars_uni - I think MyBB just stores the username as an escaped string, then formats on output. Could be wrong though...
thanks mate ...i'll try that see if any "problems" pop up
Doh!!
yeah i was trying to pass it through POST not get
anyway it looks like that thing will work
but any idea how i can test to see that no-one will try to attack the database using the input..
like what would they enter in the field
eg i have a place to enter the UId which i protected by
$uid = intval($mybb->input['uid']);
so if they input a code or something then only the numbers get processed
but what could they enter in the text field..
*just asking for testing purposes*
Unless you have some JavaScript input filter on your text boxes, all textboxes can receive any character regardless of whether you want it to be alphabets, numerals, or symbols. (JavaScript does NOT prevent invalid form data in any way; you should always sanitize your input on the server side before using it anywhere).
Once it goes through intval in the PHP code, then it is guaranteed to be an integer.
i was referring to the place where they input the username
in that textbox you can enter text ...what could they enter there that db->escape_string wouldn't clean
what would clean the above mentioned (if anything)
escape_string cleans the string for all \x00, \n, \r, \, ', " and \x1a (adding a backslash in front of it); this will make it insert into the database with no problem. If you do this as a standard you shouldn't have a problem, also intval on strings that should be integers.
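An added example (not from this thread and not MyBB's own code) that applies the escape rule described in the post above with a plain PHP function standing in for `$db->escape_string()`, and shows what the `username='...'` condition from the thread looks like with and without escaping. `mybb_style_escape`, `build_condition`, `clean_uid` and the sample inputs are constructed for illustration.

```php
<?php
// Constructed stand-in for $db->escape_string(): prefix a backslash to
// \x00, \n, \r, \, ', " and \x1a, the set listed in the post above.
function mybb_style_escape(string $s): string {
    return strtr($s, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Build the condition string the same way the thread does: "username='...'".
function build_condition(string $uname, bool $escape): string {
    $value = $escape ? mybb_style_escape($uname) : $uname;
    return "username='" . $value . "'";
}

// The integer case from the thread: intval() keeps only the leading
// numeric part, so "42abc" and "42" both become 42 and "abc" becomes 0.
function clean_uid(string $input): int {
    return intval($input);
}

// Constructed sample inputs: a plain username, a legitimate name with an
// apostrophe, and one containing a backslash.
$samples = ["Darkmew", "O'Brien", "back\\slash"];

foreach ($samples as $uname) {
    echo "raw:     ", build_condition($uname, false), PHP_EOL;
    echo "escaped: ", build_condition($uname, true), PHP_EOL;
}
// Unescaped, O'Brien gives  username='O'Brien'  (the apostrophe closes the
// quoted value early, so whatever follows is parsed by MySQL as SQL, which
// is the failure escape_string exists to prevent). Escaped it gives
// username='O\'Brien', which MySQL reads as the literal name.

foreach (["42", "42abc", "abc"] as $uid) {
    echo "uid: ", var_export($uid, true), " -> ", clean_uid($uid), PHP_EOL;
}
```

Running this with the PHP CLI prints the raw and escaped conditions side by side; the apostrophe and backslash cases are the ones worth checking against your real `$db->escape_string()` output.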