Was testing my input boxes if they are vunerable to sql injections,
so was looking for a testing guide..
but all use username and password as exsamples

so went ahead and just trying to add some normal html
with and without ''

without '' <br> saves in db as &lt;br&gt;
and with ' ' around it shows a SQL error,
basicly showing the entire Insert into query line and content.

so need to work on some error handling
Wanted to lookup some articles on vbulletin sql error handling
but cant find any maybe im using wrong search words..

any suggestions ?

<a href="https://vborg.vbsupport.ru/showthread.php?t=154411" target="_blank">Create Secure Mods</a>

Create Secure Mods (https://vborg.vbsupport.ru/showthread.php?t=154411)

yeah well, allready got that covered, does not exclude the error display on sql error.

was looking for something more along the lines of error handling as we
would in C#,

On error goto (link to error handling)

ALL userimput i get from the template i handle like this

$vbulletin->input->clean_array_gpc('p', array(
'Rtitle' => TYPE_STR,

$Rtitle =& htmlspecialchars_uni($vbulletin->GPC['Rtitle']);


would you still be using $db->escape_string( for each insert in the db ?

inserting into db like this


Exsample

$db->query_write("INSERT IGNORE
INTO ".TABLE_PREFIX."mytesttable
(RID, Rtitle, Rdesc)
VALUES ('', '".$Rtitle."', '".$Rdesc."')
");

would you still be using $db->escape_string( for each insert in the db ?

Yes.

htmlspecialchars_uni is an output control and won't help prevent mysql errors from unescaped strings.

Yes.

htmlspecialchars_uni is an output control and won't help prevent mysql errors from unescaped strings.

omg, hehe thats alot of rewriting :p


okay got it working proberly including exspace_string on each var.. haha.. TX AGAIN!

If you are still using htmlspecialchars() before input into the database, you shouldn't be. As mentioned above, it is output control, and should only be used when displaying the data.