Do I need to escape my strings or what?
#1
Hello,

I'm having a big doubt whether I need to escape strings or not. I know it sounds stupid, but I first thought "of course it has to be escaped" then looking at other plugins I noticed they weren't being escaped so I thought the DB class was doing it by itself when you insert something.

And well, just checked the MySQLi class and it doesn't seem to escape the strings before inserting, selecting or whatever the action is.

So, do I systematically need to escape the strings in the MyBB environment?

Thanks.
#2
Yes, it's better to escape the strings.
#3
ALWAYS escape strings that are to be inserted by the user. No matter what. Not doing so pretty much leaves an invitation for problems.
#4
Do it even if you're not sure. Better to be safe than sorry.
No longer involved in the MyBB project.
#5
Ok, thank you guys :)
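To make the thread's point concrete, here is an added example that is not MyBB's code and not from anyone in this thread. It uses Python's sqlite3 module instead of MyBB's PHP MySQLi class, because the behaviour the original poster noticed (the database layer hands your string to the engine exactly as you built it) is the same for any driver. The users table, the usernames and the test inputs are all constructed for the demo. It runs the same lookup three ways: raw concatenation, concatenation with the literal escaped, and a parameterized query.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for a forum users table (not MyBB's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob",), ("O'Brien",)],
    )
    return conn


def find_user_unescaped(conn, username):
    """The pattern the thread warns against: user input glued straight into SQL.

    The driver does not escape anything for you; whatever is inside `username`
    becomes part of the statement text.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


def escape_literal(value):
    """Minimal escaping for a single-quoted SQL string literal: double every quote.

    This is the standard-SQL rule and enough for SQLite; a real driver's escape
    function (e.g. mysqli_real_escape_string in PHP) also handles backslashes,
    NUL bytes and the connection character set, so prefer it over hand-rolling.
    """
    return value.replace("'", "''")


def find_user_escaped(conn, username):
    """Same concatenation, but the literal is escaped first, as the thread advises."""
    sql = "SELECT username FROM users WHERE username = '" + escape_literal(username) + "' ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """Bound parameter: the value never touches the SQL text, so no escaping is needed."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run one lookup value through all three variants and report what each returns."""
    conn = setup_db()
    try:
        unescaped = find_user_unescaped(conn, username)
    except sqlite3.OperationalError as exc:
        # A lone apostrophe in the input already breaks the unescaped statement.
        unescaped = "error: " + str(exc)
    return {
        "unescaped": unescaped,
        "escaped": find_user_escaped(conn, username),
        "parameterized": find_user_parameterized(conn, username),
    }


if __name__ == "__main__":
    for value in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

Running it shows the three outcomes the thread is talking about: a plain name works everywhere; a legitimate name containing an apostrophe makes the unescaped query fail with a syntax error while the escaped and parameterized versions find the right row; and a value containing quote characters and an OR turns the unescaped query into one that matches every row, whereas the escaped and parameterized versions match nothing. Escaping is the fix the replies recommend; bound parameters remove the need to remember it at every call site.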