On Mon, May 11, 2009 at 1:08 PM, Chad <innocentkiller(a)gmail.com> wrote:
Also, when using a LIKE, we've also got escapeLike() for sanitizing user input for %'s and _'s. Those are easy to forget, but they need to be escaped too.
On Mon, May 11, 2009 at 1:40 PM, Chad <innocentkiller(a)gmail.com> wrote:
Yes, you need to escape all input before doing select or insert.
Not ideally. If you do something like

$dbr->select( 'page', 'page_id', array( 'page_namespace' => 0,
    'page_title' => $unsanitized_user_input ) );

the values (second half) of the WHERE part will be automatically escaped. Manually escaping it will lead to double escaping. In fact, if you want a condition like 'page_id = rev_page', you need to do something like array( 'page_id = rev_page' ). Trying array( 'page_id' => 'rev_page' ) will give you "WHERE page_id = 'rev_page'".
So as Jan says, you only need to manually escape if you have to do a
condition that requires you to use a raw string, like if you need to
use functions or comparison operators other than equality (!=, <, >,
LIKE, ...).
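The cases described in this thread side by side, as an added example that is not from the thread or from the project's own code: it assumes the select() call above is MediaWiki's Database class, that addQuotes() exists alongside the escapeLike() Chad mentions, and that $userTitle, $userPrefix and $minLength are hypothetical variables holding unsanitized user input.

```php
<?php
// Added example, not code from the thread. Assumes a MediaWiki Database
// object ($dbr) with select(), selectRow(), addQuotes() and escapeLike();
// $userTitle, $userPrefix and $minLength are hypothetical user-supplied values.
$dbr = wfGetDB( DB_SLAVE );

// 1. Equality: pass the raw value in the conditions array. select() quotes
//    and escapes it itself. Calling addQuotes() on it first would produce a
//    double-escaped literal (page_title = '\'foo\'') that matches nothing.
$row = $dbr->selectRow( 'page', 'page_id',
	array( 'page_namespace' => NS_MAIN, 'page_title' => $userTitle ),
	__METHOD__ );

// 2. Column-to-column comparison: must be a raw string. With
//    array( 'page_id' => 'rev_page' ) the right-hand side would be quoted
//    as the literal 'rev_page'.
$res = $dbr->select( array( 'page', 'revision' ), 'page_id',
	array( 'page_id = rev_page' ), __METHOD__ );

// 3. Operator other than equality: the condition is a raw string, so the
//    value is quoted manually, exactly once, with addQuotes().
$res = $dbr->select( 'page', 'page_id',
	array( 'page_len > ' . $dbr->addQuotes( $minLength ) ), __METHOD__ );

// 4. LIKE: quoting alone does not neutralise the wildcards % and _, so the
//    user part of the pattern goes through escapeLike() first and only then
//    is the whole pattern quoted. Skipping escapeLike() lets a user-supplied
//    "%" or "_" widen a prefix match to arbitrary rows. Assumption: how
//    escapeLike() composes with quoting has varied between versions of the
//    Database class, so check the one you run against.
$pattern = $dbr->escapeLike( $userPrefix ) . '%';
$res = $dbr->select( 'page', 'page_id',
	array( 'page_title LIKE ' . $dbr->addQuotes( $pattern ) ), __METHOD__ );
```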