Sanitizing cookies?
woostar
05-16-2011, 12:01 PM
Does vB have a built in function/class to sanitize cookies before storing to database?
Example:
$userdata->set('userVar', $_COOKIE[COOKIE_PREFIX . 'userVar']);
Or does $userdata->set do that?
Disasterpiece
05-16-2011, 12:10 PM
You have to sanitize it yourself.
If it's a number, you can simply use:
$userdata->set('userVar', (int)$_COOKIE[COOKIE_PREFIX . 'userVar']);
Otherwise I suggest either replacing malicious strings or (better) using a strict regex to check that it only contains values that you expect.
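An added example of the two approaches from the reply above (this is not code from the thread or from vBulletin): an integer cookie is validated with filter_var so that only a complete decimal integer within an expected range is accepted, and a string cookie is accepted only if it matches an anchored whitelist regex. COOKIE_PREFIX is assumed to be defined as vBulletin defines it; the cookie values at the bottom are constructed sample input, and the function names are my own.

```php
<?php
// Added example, not from the thread: validate cookie values strictly before
// handing them to a data manager. COOKIE_PREFIX is assumed (vBulletin defines it);
// the helper names are hypothetical.
if (!defined('COOKIE_PREFIX')) {
    define('COOKIE_PREFIX', 'bb');
}

// Return the cookie as an int only if it is a complete decimal integer inside
// [$min, $max]; anything else (missing, "12abc", out of range) yields $default.
function cookie_int(string $name, int $default = 0, int $min = 0, int $max = PHP_INT_MAX): int
{
    $raw = $_COOKIE[COOKIE_PREFIX . $name] ?? null;
    if (!is_string($raw)) {
        return $default;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return ($value === false) ? $default : $value;
}

// Return the cookie as a string only if it matches an anchored whitelist regex
// (the "strict regex" approach); otherwise return $default.
function cookie_token(string $name, string $pattern, string $default = ''): string
{
    $raw = $_COOKIE[COOKIE_PREFIX . $name] ?? null;
    if (!is_string($raw) || preg_match($pattern, $raw) !== 1) {
        return $default;
    }
    return $raw;
}

// Constructed sample cookies: a browser (or anyone editing their cookies) could
// send any of these.
$_COOKIE[COOKIE_PREFIX . 'userVar']  = '12';
$_COOKIE[COOKIE_PREFIX . 'evilVar']  = '12abc';
$_COOKIE[COOKIE_PREFIX . 'theme']    = 'dark';
$_COOKIE[COOKIE_PREFIX . 'badTheme'] = 'dark; <b>';

$themePattern = '/\A[a-z]{1,16}\z/';
var_dump(cookie_int('userVar'));
var_dump(cookie_int('evilVar', -1));
var_dump(cookie_token('theme', $themePattern));
var_dump(cookie_token('badTheme', $themePattern, 'default'));
var_dump(cookie_token('missing', $themePattern, 'default'));
```

The regex is anchored with \A and \z rather than ^ and $, so a trailing newline cannot slip past the check, and a missing cookie falls through to the default instead of producing a notice.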
woostar
05-16-2011, 12:34 PM
Thanks Disasterpiece :)
While waiting for a reply, I've been searching around.
Being that cookies can be manipulated (regardless of what I originally set them to) I want to make sure I'm not open to any MySQL injections.
If I'm reading things right, the following should work?
$vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'userVar', TYPE_STR);
$userdata->set('userVar', $vbulletin->GPC[COOKIE_PREFIX . 'userVar']);
Right?
Or maybe:
$userVar = $db->escape_string(trim($userVar));
$userdata->set('userVar', $userVar);
?
I think the first code you had was fine, because the data manager escapes the string before including it in a query. In fact it looks like it also calls clean() on it, so you probably wouldn't even have to do that.
I think you still should consider what you do with the string when you get it back from the database, because although it was escaped to make it safe in a query, it hasn't necessarily been made safe for any purpose.
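An added example illustrating the point in the reply above, that escaping for a query says nothing about other contexts (this is not code from the thread or from vBulletin). It uses an in-memory SQLite database through PDO, assumed to be available, in place of vBulletin's $db and data manager; the function names and the sample cookie value are my own.

```php
<?php
// Added example, not from the thread: the value that goes into a query safely
// comes back out as the same raw text, so it has to be escaped again for the
// HTML context at output time. PDO with SQLite is assumed to be available and
// stands in for vBulletin's $db; the helper names are hypothetical.

function store_user_var(PDO $pdo, int $userId, string $value): void
{
    // Query context: a prepared statement (or $db->escape_string in vBulletin)
    // keeps the value from breaking out of the SQL string literal.
    $stmt = $pdo->prepare('INSERT INTO user_var (userid, value) VALUES (:id, :value)');
    $stmt->execute([':id' => $userId, ':value' => $value]);
}

function load_user_var(PDO $pdo, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT value FROM user_var WHERE userid = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['value'];
}

function render_user_var(?string $value): string
{
    // HTML context: escape at output time, whatever was done on input.
    $safe = htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="uservar">' . $safe . '</span>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_var (userid INTEGER PRIMARY KEY, value TEXT NOT NULL)');

// Constructed cookie value: the quote is harmless to the INSERT because the
// statement is parameterised, but the markup is not harmless in a page.
$fromCookie = "O'Brien <script>alert('x')</script>";
store_user_var($pdo, 1, $fromCookie);

$stored = load_user_var($pdo, 1);
echo 'stored value identical to input: ' . var_export($stored === $fromCookie, true) . "\n";
echo render_user_var($stored) . "\n";
```

The stored value round-trips unchanged: the quote never corrupted the query, and the markup is only neutralised because render_user_var escapes for HTML separately. The same applies to any other sink (a shell command, a file path, a template) the value reaches later.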
Disasterpiece
05-16-2011, 05:26 PM
As long as you put it only into a query, it's fine because the only danger you have with a string in a query are control chars and quotes.
However, don't ever put this poorly sanitized string into an eval, otherwise you get hacked, because then much more sanitizing is necessary than only for queries.
Open includes/class_core.php, search for the GPC class, and see for yourself what gets masked and how the string gets sanitized so that you KNOW what happens.
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.