Best practice against SQL injections in module

Talk about writing modules and plugins for CMS Made Simple, or about specific core functionality. This board is for PHP programmers who are contributing to CMSMS, not for site developers.

bess
Language Partners
Posts: 282
Joined: Thu Dec 18, 2008 9:37 am
Location: Bretagne

Best practice against SQL injections in module

Post by bess »

Hello everybody.

In the module that I built (shoutbox), I took care to guard against SQL injections with this function:

Code:

	function _cleanString($string)
	{
		$string = trim($string);
		// HTML-encode special characters before the value is stored
		$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
		// Uses the mysql extension's current connection; there is none when the site runs on mysqli
		$string = mysql_real_escape_string($string);
		return $string;
	}
No problem since its release until today, when a user alerted me to a problem with the installation. After some research I found the error: indeed, the user's database is configured as follows

База данных сервера (server_db_type): MySQL (mysqli)

So my question: is there a way in the CMSMS API to escape strings securely, regardless of the type of database the user has chosen?

If appropriate, is there a way in the API to retrieve the necessary value, the mysqli $link?

Thank you very much in advance for your attention and your answers. :)

Bess
Re: Best practice against SQL injections in module

Post by bess »

First point: I managed to reproduce the bug with a local version of MySQL 4.1.22. :-\

After some research on the internet and on this forum

http://forum.cmsmadesimple.org/index.ph ... ml#msg9539

I think the simplest way is to reduce my code to this:

Code:

	function _cleanString($string)
	{
		$string = trim($string);
		// HTML-encode special characters before the value is stored
		$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
		// Uses the mysql extension's current connection; there is none when the site runs on mysqli
		$string = mysql_real_escape_string($string);
		return $string;
	}
Indeed, use parameterized queries, as explained by SJG:

The safer way to do it would be to parameterize the query:

Code:

	// The ? placeholder is bound by ADODB; $var1 never becomes part of the SQL text
	$query = "SELECT * FROM " . cms_db_prefix() . "table WHERE field=?";
	$result = $db->Execute($query, array($var1));

In that case, ADODB escapes $var1, and it should theoretically be safe.

I tried to hack my own installation, fortunately without success. So I think I will keep my solution.
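The parameterized approach from SJG's reply, carried through a small shoutbox-style insert and read path, as an added example that is not code from the thread or from the shoutbox module. It assumes a CMSMS module context where cmsms()->GetDb() returns the ADODB connection and a table named module_shoutbox exists; both are assumptions, as is storing raw text and encoding for HTML only at output time instead of calling htmlentities() before storage.

```php
<?php
// Added example, not the shoutbox module's own code.
// Assumptions: cmsms()->GetDb() returns the ADODB connection used by CMSMS,
// and the table <prefix>module_shoutbox(author, message, created) exists.

// Store a shout. Values are bound by ADODB, so no mysql_real_escape_string()
// and no mysqli $link handling is needed; the same code runs whichever
// driver (mysql or mysqli) the site's config selects.
function shoutbox_add($db, $author, $message)
{
    $author  = trim($author);
    $message = trim($message);
    if ($author === '' || $message === '') {
        return false; // reject empty input before it reaches the database
    }
    $query = 'INSERT INTO ' . cms_db_prefix() . 'module_shoutbox (author, message, created) VALUES (?, ?, ?)';
    // Raw text is stored unchanged; HTML encoding belongs at render time.
    $rs = $db->Execute($query, array($author, $message, date('Y-m-d H:i:s')));
    return $rs !== false;
}

// Fetch the latest shouts. A LIMIT value cannot be bound as a quoted string in
// MySQL, so it is cast to int and only then placed in the SQL text.
function shoutbox_latest($db, $limit = 10)
{
    $limit = (int) $limit;
    $query = 'SELECT author, message, created FROM ' . cms_db_prefix() . 'module_shoutbox ORDER BY created DESC LIMIT ' . $limit;
    $rows = array();
    $rs = $db->Execute($query);
    if ($rs === false) {
        return $rows;
    }
    while ($row = $rs->FetchRow()) {
        $rows[] = $row;
    }
    return $rows;
}

// Encode for HTML only when rendering, so stored data stays usable elsewhere.
function shoutbox_render($rows)
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html;
}

// Usage inside a module action (cmsms()->GetDb() is an assumption):
// $db = cmsms()->GetDb();
// shoutbox_add($db, $params['author'], $params['message']);
// echo '<ul>' . shoutbox_render(shoutbox_latest($db, 10)) . '</ul>';
```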