Variable security functions?
Posted: Mon Jun 28, 2010 8:12 pm
by WhatEver
When building new modules for CMS MS does the "core" class provide any functionality to secure input parameters for SQL queries etc or do I need to do this myself?
I've looked through several module codes and I've seen $params['x'] being passed. Have these already been filtered?
Re: Variable security functions?
Posted: Mon Jun 28, 2010 8:38 pm
by calguy1000
In the admin, params are not cleaned.
For frontend actions, you can use the SetParameterType method (typically called in the SetParameters method) to specify the type of input params, and then, yes, they are cleaned (entity conversion for strings, etc.).
You also should use parameterized queries to the database, i.e.:
$foo = $db->GetOne('SELECT id FROM table WHERE name = ?',array($name));
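As an added illustration of the two points in the answer above (this is example code, not from the thread and not from CMS Made Simple's own sources): a minimal module sketch that declares frontend parameter types with SetParameterType inside SetParameters, and sends user-supplied values to the database only as bound parameters through the ADODB-style GetOne / GetRow calls. The class name, the table name, the admin-side integer cast and the assumption that cmsms()->GetDb() returns the ADODB connection are mine; check them against the module API of your CMSMS version.

```php
<?php
// Added example, not code from the forum thread or from CMS Made Simple itself.
// Assumptions (mine): CMSModule, SetParameterType with the CLEAN_STRING / CLEAN_INT
// constants, cmsms()->GetDb() and cms_db_prefix() behave as in the CMSMS 1.x module API.
// The module name and the table name are hypothetical.

class ExampleLookup extends CMSModule
{
    public function GetName()    { return 'ExampleLookup'; }
    public function GetVersion() { return '0.1'; }

    public function SetParameters()
    {
        // Frontend params declared here are cleaned by the core before DoAction sees them
        // (entity conversion for strings, integer cast for ints). Anything not declared
        // should still be treated as untrusted input.
        $this->SetParameterType('name', CLEAN_STRING);
        $this->SetParameterType('id',   CLEAN_INT);
    }

    public function DoAction($action, $id, $params, $returnid = -1)
    {
        $db    = cmsms()->GetDb();                                 // assumption: ADODB connection
        $table = cms_db_prefix() . 'module_examplelookup_items';  // hypothetical table name

        if ($action == 'default') {
            // Frontend: $params['name'] was cleaned per SetParameterType, but the value
            // still reaches SQL only through a '?' placeholder, never by concatenation.
            // Avoid the injection pattern:  "... WHERE name = '" . $params['name'] . "'"
            $name   = isset($params['name']) ? $params['name'] : '';
            $itemId = $db->GetOne("SELECT id FROM $table WHERE name = ?", array($name));
            echo ($itemId === false) ? 'not found' : 'found id ' . (int)$itemId;
            return;
        }

        if ($action == 'admin_edit') {
            // Admin side: as the answer above says, $params are NOT cleaned here, so the
            // module validates them itself (cast + range check) and still binds the value.
            $itemId = isset($params['id']) ? (int)$params['id'] : 0;
            if ($itemId <= 0) {
                echo 'invalid id';
                return;
            }
            $row = $db->GetRow("SELECT id, name FROM $table WHERE id = ?", array($itemId));
            if (!$row) {
                echo 'no such item';
                return;
            }
            // htmlspecialchars on output, since admin params had no entity conversion.
            echo 'editing ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
        }
    }
}
```

The two queries show the pattern the answer recommends: the SQL text never changes shape based on input, and the value travels separately as the second argument to GetOne / GetRow. The admin branch adds the check a practitioner would want given that admin params are not cleaned: an explicit cast and a sanity check on the value before it is used, plus escaping on output.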
Re: Variable security functions?
Posted: Mon Jun 28, 2010 9:52 pm
by WhatEver
Thanks for your answer.
What would be the best way to setup a module so that the admin params are cleaned?
(I've only just started to learn the structure of CMS MS!)