  • Taken from the PHP documentation, this works as-is for PHP >= 4.3 to keep evildoers from trying to hack your database. Remember, evildoers can work around any client-side javascript validation!

    If you are using the MODx DBAPI, remove the part that sets the single quote if not integer, since MODx adds single quotes.

    function quote_smart($value)
    {
        // Undo magic_quotes_gpc escaping so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not numeric - remove or comment out if using MODx DBAPI
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }

        // If using MODx DBAPI, uncomment this
        // $value = mysql_real_escape_string($value);

        return $value;
    }


    Filter all of your incoming data through this:

    $val1 = quote_smart($_POST['value1']);
    $val2 = quote_smart($_POST['value2']);
    $query = "INSERT INTO $dbase.$table (`field1`, `field2`) VALUES ($val1, $val2)";
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
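
Added example, not part of the original post or of MODX: the same two-value INSERT written with bound parameters, for current PHP where `mysql_real_escape_string()` (removed in PHP 7.0) and `get_magic_quotes_gpc()` (removed in PHP 8.0) are no longer available. It assumes PHP 7.1+ with the pdo_sqlite extension; the table name `demo`, the helper names `safe_table` and `insert_row`, and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// the table name "demo", the allow-list and the sample inputs are constructed.

// Identifiers cannot be bound as parameters, so a table name that comes from
// a variable is checked against a fixed allow-list before it enters the SQL.
function safe_table(string $table, array $allowed): string
{
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException('Unexpected table name');
    }
    return $table;
}

// Bind both values; the SQL text itself never contains user data.
function insert_row(PDO $pdo, string $table, string $v1, string $v2): void
{
    $table = safe_table($table, ['demo']);
    $stmt = $pdo->prepare("INSERT INTO $table (field1, field2) VALUES (:v1, :v2)");
    $stmt->execute([':v1' => $v1, ':v2' => $v2]);
}

// In-memory SQLite stands in for the MySQL server so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo (field1 TEXT, field2 TEXT)');

// Constructed stand-ins for $_POST['value1'] and $_POST['value2'].
$samples = [
    ['plain text', '42'],
    ["O'Reilly", '1e3'],
    ["x', 'y') --", ' 7'],
];

foreach ($samples as [$v1, $v2]) {
    // quote_smart() leaves anything is_numeric() accepts unquoted, which
    // includes exponent notation and leading whitespace, not only integers.
    printf("%-6s is_numeric=%s\n", json_encode($v2), var_export(is_numeric($v2), true));
    insert_row($pdo, 'demo', $v1, $v2);
}

// Each value is stored exactly as submitted, embedded quotes included.
foreach ($pdo->query('SELECT field1, field2 FROM demo') as $row) {
    echo json_encode([$row['field1'], $row['field2']]), "\n";
}

try {
    insert_row($pdo, 'other_table', 'a', 'b');   // not on the allow-list
} catch (InvalidArgumentException $e) {
    echo "rejected table name\n";
}
```
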
    • Thanks for sharing susan.

      There’s also safehtml for XSS

      http://pixel-apes.com/safehtml/
        xWisdom
        www.xwisdomhtml.com
        The fear of the Lord is the beginning of wisdom:
        MODx Co-Founder - Create and do more with less.
      • Now that’s a really cool bit of code. Nice find Raymond!
          Ryan Thrash, MODX Co-Founder
          Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
        • Quote from: xwisdom at Feb 09, 2006, 04:12 PM

          Thanks for sharing susan.

          There’s also safehtml for XSS

          http://pixel-apes.com/safehtml/

          Great piece of code! I was doing something like this just recently but this is way better, thanks for the link! grin

          ---Indie
          • This is nice, because until there is a MODx DB API available for external use, such as in AJAX requests, the back-end request handling code needs to thoroughly validate all incoming data before it gets used.