On Mon, May 11, 2009 at 1:08 PM, Chad innocentkiller@gmail.com wrote:
> Also, when using a LIKE, we've also got escapeLike() for sanitizing user input for %'s and _'s. Those are easy to forget, but they need to be escaped too.
On Mon, May 11, 2009 at 1:40 PM, Chad innocentkiller@gmail.com wrote:
> Yes, you need to escape all input before doing select or insert.
Not ideally. If you do something like
$dbr->select( 'page', 'page_id', array( 'page_namespace' => 0, 'page_title' => $unsanitized_user_input ) );
the values (second half) of the WHERE part will be automatically escaped. Manually escaping it will lead to double escaping. In fact, if you want a condition like 'page_id = rev_page', you need to do something like array( 'page_id = rev_page' ). Trying array( 'page_id' => 'rev_page' ) will give you "WHERE page_id = 'rev_page'".
So as Jan says, you only need to manually escape if you have to do a condition that requires you to use a raw string, like if you need to use functions or comparison operators other than equality (!=, <, >, LIKE, ...).
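An added example putting the points of this thread together in one query (this is not code from the thread or from MediaWiki itself). It assumes the 2009-era Database API the thread talks about: wfGetDB( DB_SLAVE ), $dbr->select(), $dbr->addQuotes() returning a quoted SQL literal, $dbr->escapeLike() returning an escaped but unquoted string, and $dbr->fetchObject()/freeResult(). Every condition that cannot be expressed as array( 'column' => $value ) is written as a raw string, and only those are escaped by hand.

```php
<?php
// Added example, not MediaWiki's own code: building a WHERE clause for
// $dbr->select() so each piece of user input is escaped exactly once.

/**
 * List up to 50 page titles in namespace $ns that start with $prefix,
 * alphabetically at or after $start, joined to their latest revision.
 * $prefix and $start are untrusted user input.
 */
function findPagesByPrefix( $ns, $prefix, $start ) {
	$dbr = wfGetDB( DB_SLAVE );

	$conds = array(
		// key => value: select() quotes the value itself. Wrapping it in
		// addQuotes() here would put literal quote characters inside the
		// SQL string literal (double escaping) and the match would fail.
		'page_namespace' => intval( $ns ),

		// A comparison other than equality has to be a raw string, so the
		// escaping is our job: addQuotes() returns the quoted literal.
		'page_title >= ' . $dbr->addQuotes( $start ),

		// LIKE: escapeLike() escapes the quote characters AND the wildcards
		// % and _, so a prefix such as "100%" cannot match every title.
		// The trailing % is the one wildcard we add on purpose.
		"page_title LIKE '" . $dbr->escapeLike( $prefix ) . "%'",

		// Column-to-column comparison, also a raw string. Writing
		// array( 'page_latest' => 'rev_id' ) would produce
		// page_latest = 'rev_id' and compare against the string instead.
		'page_latest = rev_id',
	);

	$res = $dbr->select(
		array( 'page', 'revision' ),
		array( 'page_id', 'page_title', 'rev_timestamp' ),
		$conds,
		__METHOD__,
		array( 'ORDER BY' => 'page_title', 'LIMIT' => 50 )
	);

	$titles = array();
	while ( $row = $dbr->fetchObject( $res ) ) {
		$titles[] = $row->page_title;
	}
	$dbr->freeResult( $res );
	return $titles;
}
```

The integer namespace goes through intval() rather than addQuotes(): for a numeric column that is both sufficient and keeps the generated SQL readable. Only the three raw-string conditions are escaped manually; the array-keyed condition is left alone so select() can quote it.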