The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!

vbulletin input clean classes

#1
Hi,
I am trying to make a vBulletin-powered custom page which is an HTML form. The user fills in the form and the data is entered into the database. I use the database classes of vBulletin to connect to the database and insert values. My problem is that I use an insert statement such as $var1 = $_REQUEST["var1"]; INSERT INTO TABLE VALUES (1, '$var1'); Now, if $var1 already contains a single quote, I get a database error on submitting the form. Is there some class of vBulletin that I can use to insert the data into the database so that the database stores ' as well? Also, is there an easy way to prevent SQL injection? Thanks
#2
I figured out how to escape the single quotes error. I used the following code
Code:
// Pull the POSTed form fields ('p') through vBulletin's input cleaner.
// TYPE_STR casts to a string; TYPE_NOCLEAN leaves the raw value as submitted.
$vbulletin->input->clean_array_gpc('p', array(
    'name'     => TYPE_STR,
    'category' => TYPE_NOCLEAN,
    'contact'  => TYPE_STR,
));

// Escape every value with the database object's escape_string() before it is
// placed inside the quoted SQL literals; this is what stops a ' in the input
// from breaking (or changing) the statement.
$db->query_write("INSERT INTO table (id, name, category, contact) VALUES (
    '',
    '" . $db->escape_string($vbulletin->GPC['name']) . "',
    '" . $db->escape_string($vbulletin->GPC['category']) . "',
    '" . $db->escape_string($vbulletin->GPC['contact']) . "'
)");

// Render the page through the custom template.
eval('print_output("' . fetch_template('testtemplate') . '");');
I hope my question is clear. Please help me
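The raw interpolation from post #1 placed next to the cleaned-and-escaped form from post #2, as an added example; it is not code from this thread or from vBulletin itself. It assumes a vBulletin 3 custom page that has already included ./global.php (so $vbulletin and $db exist), and a hypothetical table custom_form with columns id, name, category and contact. The table, its columns and the two function names are constructed for the example.

```php
<?php
// Added example for a vBulletin 3 custom page. Assumes ./global.php has been
// included, which provides $vbulletin (registry) and $db (database object).
// The table `custom_form` and its columns are constructed for this example.

// VULNERABLE (the pattern from post #1): request data is dropped straight into
// the SQL string. A name such as  O'Brien  breaks the statement, and a value
// chosen by the sender can change what the statement does.
function insert_form_vulnerable($db)
{
    $var1 = $_REQUEST['var1'];
    $db->query_write("INSERT INTO " . TABLE_PREFIX . "custom_form (name) VALUES ('$var1')");
}

// HARDENED (the pattern from post #2): fields are pulled through the input
// cleaner, which also fixes a type per field, and every value is run through
// escape_string() before it is placed inside the quoted SQL literal.
function insert_form_hardened($vbulletin, $db)
{
    // 'p' = POST only: the form submits via POST, so GET parameters are ignored.
    // TYPE_STR is used for all three fields here; the thread used TYPE_NOCLEAN
    // for 'category', which leaves the raw value untouched and is rarely needed.
    $vbulletin->input->clean_array_gpc('p', array(
        'name'     => TYPE_STR,
        'category' => TYPE_STR,
        'contact'  => TYPE_STR,
    ));

    $name     = $db->escape_string($vbulletin->GPC['name']);
    $category = $db->escape_string($vbulletin->GPC['category']);
    $contact  = $db->escape_string($vbulletin->GPC['contact']);

    // Let the auto-increment column assign id instead of inserting ''.
    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "custom_form (name, category, contact)
        VALUES ('$name', '$category', '$contact')
    ");

    // Return the id MySQL assigned, so the caller can confirm the row landed.
    return $db->insert_id();
}
```

escape_string() only makes a value safe inside a quoted string literal. A number that is placed into SQL without quotes must be cast instead (TYPE_INT or TYPE_UINT in clean_array_gpc(), or intval()), because escaping does nothing for an unquoted value. vBulletin 3's database class has no prepared statements, so escaping every value at the point it enters the query string is the control available on this platform.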
#3
Pls help!!
#4
Use the function nl2br() after it is retrieved from the database.
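Reading the stored rows back and preparing them for a template, as an added example that is not code from this thread or from vBulletin. It shows where nl2br() belongs relative to HTML escaping: escape first, then convert newlines, otherwise the <br /> tags nl2br() inserts are themselves escaped. It assumes a vBulletin 3 page with ./global.php included (so $db exists) and a hypothetical table custom_form with columns id, name, category and contact; table, columns and the function name are constructed for the example.

```php
<?php
// Added example: fetch rows from a hypothetical custom_form table and make
// each text field safe to place in HTML. Assumes ./global.php is included.
function fetch_form_rows_for_display($db)
{
    $rows = array();
    $result = $db->query_read("
        SELECT id, name, category, contact
        FROM " . TABLE_PREFIX . "custom_form
        ORDER BY id DESC
    ");

    while ($row = $db->fetch_array($result))
    {
        foreach (array('name', 'category', 'contact') as $field)
        {
            // Order matters: htmlspecialchars_uni() (vBulletin's HTML escaper)
            // neutralises any markup in the stored value, then nl2br() turns
            // the newlines a user typed into <br /> tags for display.
            $row[$field] = nl2br(htmlspecialchars_uni($row[$field]));
        }
        $rows[] = $row;
    }

    $db->free_result($result);
    return $rows;
}
```

The stored value is kept as the user typed it (the insert only escapes for SQL, which does not alter what lands in the table), so every transformation for display happens here, at output time, and the raw text stays available for other uses such as exporting or editing.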