When building new modules for CMS MS does the "core" class provide any functionality to secure input parameters for SQL queries etc or do I need to do this myself?
I've looked through several module codes and I've seen $params['x'] being passed. Have these already been filtered?
Variable security functions?
Re: Variable security functions?
In the admin, params are not cleaned.
For frontend actions, you can use the SetParameterType method (typically called in the SetParameters method) to specify the type of input params, and then, yes, they are cleaned (entity conversion for strings, etc.).
You also should use parameterized queries to the database, i.e.:
$foo = $db->GetOne('SELECT id FROM table WHERE name = ?', array($name));
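As an added illustration of the two points in the reply above (this is example code, not code from the thread or from CMSMS), here is how a module might declare typed frontend parameters and still validate admin parameters itself. It assumes the usual CMSMS module skeleton: a class extending CMSModule, CreateParameter/SetParameterType/RestrictUnknownParams in SetParameters(), $this->GetDb() for the ADOdb connection, and cms_db_prefix() for the table prefix; the table and parameter names are made up.

```php
<?php
// Added example, not part of the original thread or of CMSMS itself.
class ExampleMod extends CMSModule
{
    // Frontend: declare the type of each expected parameter so the core
    // cleans it (CLEAN_INT casts to int, CLEAN_STRING does entity conversion)
    // before DoAction() runs. Undeclared params are rejected.
    public function SetParameters()
    {
        $this->CreateParameter('item_id', 0, 'Integer id of the item to show');
        $this->SetParameterType('item_id', CLEAN_INT);
        $this->CreateParameter('name', '', 'Name to look up');
        $this->SetParameterType('name', CLEAN_STRING);
        $this->RestrictUnknownParams();
    }

    public function DoAction($action, $id, $params, $returnid = '')
    {
        $db = $this->GetDb();
        $table = cms_db_prefix() . 'module_examplemod'; // hypothetical table

        if ($action == 'default') {
            // Frontend: $params were cleaned per SetParameterType, but the
            // value still reaches SQL only as a bound parameter, never by
            // string concatenation.
            $name = isset($params['name']) ? $params['name'] : '';
            $row_id = $db->GetOne(
                'SELECT id FROM ' . $table . ' WHERE name = ?',
                array($name)
            );
            echo $row_id ? 'Found id ' . (int)$row_id : 'Not found';
            return;
        }

        if ($action == 'admin_edit') {
            // Admin: the core does NOT clean these params, so the module
            // must cast/validate them itself before using them.
            $item_id = isset($params['item_id']) ? (int)$params['item_id'] : 0;
            if ($item_id <= 0) {
                echo $this->ShowErrors('Invalid item id'); // core helper
                return;
            }
            $name = isset($params['name'])
                ? htmlspecialchars($params['name'], ENT_QUOTES, 'UTF-8') : '';
            // Bound parameters again, even though the values are now typed.
            $db->Execute(
                'UPDATE ' . $table . ' SET name = ? WHERE id = ?',
                array($name, $item_id)
            );
        }
    }
}
```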
Re: Variable security functions?
Thanks for your answer.
What would be the best way to setup a module so that the admin params are cleaned?
(I've only just started to learn the structure of CMS MS!)