MyBB Community Forums

Full Version: safe username
Hai

thanks a lot for the help last time!
The plug-in works very well, but I need to add some external code, and it involves getting data with the GET method (the username, to be precise) and then using it in a MySQL query on the mybb_users table.

My question is, what is done to the input when people try to log in, before it is used in a MySQL query? I just want this external code to be just as safe, if not safer! =)

thanks
$user = $_GET['username'];
$username = addslashes($user); // prefixes ' " \ and NUL with a backslash

$db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE username='{$username}'");
I think :)

Basically it adds "\" before " ' "

You might use $_POST rather than $_GET
(2010-03-23, 01:22 PM)tommykent1210 Wrote: [ -> ]
$user = $_GET['username'];
$username = addslashes($user); // prefixes ' " \ and NUL with a backslash

$db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE username='{$username}'");
I think :)

Basically it adds "\" before " ' "

You might use $_POST rather than $_GET

I know the difference between POST and GET js, and I need to use the GET method xD

EDIT: if that is all they do to the data before using it in a query, then thank you! =)
Basically all I did was add slashes to prevent SQL injection :)
$username = $db->escape_string($mybb->input['username']);
$query = $db->simple_select("users", "*", "username = '{$username}'");
addslashes is not recommended for sanitisation as it does not necessarily handle character encodings correctly.
(2010-03-23, 11:14 PM)Yumi Wrote: [ -> ]
addslashes is not recommended for sanitisation as it does not necessarily handle character encodings correctly.

So I should use escape_string? =)

mysql_real_escape_string!!
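To put the two approaches from this thread side by side, here is an added example (not code from the thread or from MyBB itself) of the username lookup the original poster describes, assuming it runs inside a MyBB plugin hook where the global $mybb and $db objects are available and TABLE_PREFIX is defined.

```php
<?php
// Added example, not MyBB core code. Assumes the MyBB environment: the
// global $mybb and $db objects and the TABLE_PREFIX constant.

// The addslashes() version proposed earlier in the thread. addslashes()
// only knows about ASCII quotes, backslashes and NUL and ignores the
// connection's character set, so the server may interpret the escaped
// bytes differently from the way PHP produced them.
function lookup_user_addslashes($db, $raw_username)
{
    $username = addslashes($raw_username);
    return $db->query("SELECT uid, username FROM ".TABLE_PREFIX."users
                       WHERE username='{$username}'");
}

// The pattern MyBB core uses: $db->escape_string() hands the value to the
// database driver's own escaping routine (mysql_real_escape_string for the
// MySQL driver), which escapes according to the open connection's charset.
// simple_select() adds TABLE_PREFIX for you.
function lookup_user($db, $raw_username)
{
    $username = $db->escape_string($raw_username);
    $query = $db->simple_select("users", "uid, username",
                                "username = '{$username}'");
    if ($db->num_rows($query) == 0) {
        return null; // no such user
    }
    return $db->fetch_array($query);
}

global $mybb, $db;
// $mybb->input is populated from both $_GET and $_POST, so a GET request
// with ?username=... works here without touching $_GET directly.
$user = lookup_user($db, $mybb->input['username']);
```

Reading the value through $mybb->input and escaping with $db->escape_string keeps the external code on the same path MyBB's own login handling uses, which is what the original question asked for.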