WBCE CMS – Way Better Content Editing.
Hi,
When I use $database in the sanitation function, it throws an error and crashes the script.
    if (isset($_POST['submit'])) {
        $new_field_value = mysqli_real_escape_string($database, $_POST['field_name']);
    }
This is the error -
There was an unknown exception: mysqli_real_escape_string(): Argument #1 ($mysql) must be of type mysqli, database given in line (267) of /modules/pets_admin/funcs/getpets.php.
Could someone perhaps tell me how to properly sanitize an input string in a module or backend admin tool?
Thank you,
Ed
Help for self-help
For such intentions, a look into the /framework/class-database.php is often helpful.
There you can find e.g. the function "escapeString":
    /**
     * Escapes special characters in a string for use in an SQL statement
     * @param string $unescaped_string
     * @return string
     */
    public function escapeString($unescaped_string)
    {
        if (empty($unescaped_string)) {
            return '';
        }
        return mysqli_real_escape_string($this->db_handle, $unescaped_string);
    }
So your call could be:
    $new_field_value = $database->escapeString($_POST['field_name']);
... no, in Europe we do not use € instead of $ when programming ...
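An added example, not part of the posts above and not WBCE's own code: a stand-in modelled on the escapeString() quoted in the answer, showing why the wrapper object is rejected by mysqli_real_escape_string() and two things to check when calling the wrapper. The class name DatabaseStandIn, the pets table and its columns, and the use of addslashes() in place of a live MySQL connection are assumptions made so the script runs offline.

```php
<?php
// Added example. DatabaseStandIn is a hypothetical stand-in for the WBCE
// database class. addslashes() replaces mysqli_real_escape_string() only so
// that this runs without a MySQL server; it is not a substitute in real code.
class DatabaseStandIn
{
    // Same control flow as the escapeString() quoted in the answer.
    public function escapeString($unescaped_string)
    {
        if (empty($unescaped_string)) {
            return '';
        }
        return addslashes($unescaped_string);
    }
}

$database = new DatabaseStandIn();

// 1. The wrapper is not a mysqli object, which is what the error reports.
//    The raw handle lives inside the class, so go through its method.
var_dump($database instanceof mysqli);

// Constructed sample input, shaped like $_POST from a module form.
$post = ['field_name' => "O'Malley", 'age' => '0'];

// 2. An escaped value is only safe inside a quoted SQL string literal.
$name = $database->escapeString($post['field_name']);
$sql  = "UPDATE pets SET name = '" . $name . "' WHERE id = 1";
echo $sql, PHP_EOL;

// 3. empty('0') is true in PHP, so a wrapper written like the one quoted
//    above returns '' for the string "0". Compare before and after escaping.
var_dump($post['age'], $database->escapeString($post['age']));

// Numeric fields: validate as an integer instead of escaping, then the
// value can be placed in the statement without quotes.
$age = filter_var($post['age'], FILTER_VALIDATE_INT);
if ($age === false) {
    throw new InvalidArgumentException('age must be an integer');
}
$sql = 'UPDATE pets SET age = ' . $age . ' WHERE id = 1';
echo $sql, PHP_EOL;
```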
To bernd,
Can't thank you enough for this information. I am new at writing scripts for WBCE. The advice you gave about checking the framework/class-database.php file will prove to be useful -- I had no idea.
Thanks again,
Ed