Valtasar Posted January 17, 2018

Hi,

Now that I have almost finished converting *a lot* of code from IPS3 to IPS4, I start to worry about security issues. Here it states that: "This means that all request data should be considered potentially tainted and you will need to take precautions not to introduce security issues by relying upon 'clean' request data from this class."

But what exactly is the best way to do this "cleaning" before, e.g., inserting a user text in the database? Back in IPS3, I just used `$this->DB->addSlashes` and I felt quite secure. Is there something similar I can do in IPS4? I have a lot of code, and converting all my forms to use the new IPS4 Form Helper may not be so easy...
bfarber Posted January 18, 2018

Your best bet is to use prepared statements where possible. For inserts and updates this is handled automatically, except in the where clause, where you would do `array( 'column=?', $value )`.

We do not "clean" the data on insert; we clean it on output. In templates this is largely handled automatically, and when you need to display a raw value that may legitimately contain HTML you use the `|raw` modifier.
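The pattern bfarber describes, shown as an added example (this is not code from the IPS4 code base or from either poster). It assumes the IPS4 database singleton is `\IPS\Db::i()` with `insert()`, `update()` and `select()` methods that accept the `array( 'column=?', $value )` where form mentioned in the reply, that `insert()` returns the new row's ID, and that a table named `my_notes` exists; none of those names appear on the page. The first function shows why the IPS3-era `addslashes` habit is not a substitute for binding, the next three store and read data without "cleaning" it, and the last escapes on output, which is what the template engine does for you unless you add `|raw`.

```php
<?php
// Added example, not IPS4 code. Assumed (not on the page): \IPS\Db::i() and
// its insert()/update()/select() methods, and a hypothetical table 'my_notes'.

// 1. The old habit: addslashes() only escapes quote characters. When the value
//    is interpolated unquoted into SQL, a request value such as "1 OR 1=1"
//    passes through untouched and the WHERE clause matches every row.
function unsafeNoteQuery( string $idFromRequest ): string
{
	$id = addslashes( $idFromRequest );
	return "SELECT * FROM my_notes WHERE id = {$id}";
}

// 2. IPS4 style: store the request data exactly as submitted. The driver binds
//    the column values, so there is nothing to slash or strip here.
function saveNote( int $memberId, string $titleFromRequest, string $bodyFromRequest ): int
{
	return \IPS\Db::i()->insert( 'my_notes', array(
		'member_id' => $memberId,
		'title'     => $titleFromRequest,   // raw; escaping happens on output
		'body'      => $bodyFromRequest,
	) );
}

// 3. Only the where clause needs the placeholder form. Every ? is bound to the
//    matching value, so the values can never change the query's structure.
function renameNote( string $noteIdFromRequest, int $memberId, string $newTitle ): void
{
	\IPS\Db::i()->update(
		'my_notes',
		array( 'title' => $newTitle ),
		array( 'id=? AND member_id=?', (int) $noteIdFromRequest, $memberId )
	);
}

// 4. Reading back: same placeholder form, same rule. Casting to int as well as
//    binding rejects junk early; binding is what actually prevents injection.
function loadNotes( int $memberId ): array
{
	$notes = array();
	foreach ( \IPS\Db::i()->select( '*', 'my_notes', array( 'member_id=?', $memberId ) ) as $row )
	{
		$notes[] = $row;
	}
	return $notes;
}

// 5. Escape on output. This is the equivalent of what the template engine does
//    for {$note['title']}: a stored "<script>" becomes literal text in the page.
//    {$value|raw} skips this step, so it belongs only on values that have
//    already been through the editor/parser, never on raw request data.
function renderTitle( string $storedTitle ): string
{
	return htmlspecialchars( $storedTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Constructed request values for illustration.
$hostileId    = '1 OR 1=1';
$hostileTitle = '<script>alert(1)</script>';

echo unsafeNoteQuery( $hostileId ), PHP_EOL;   // the injected condition survives addslashes()
echo renderTitle( $hostileTitle ), PHP_EOL;    // the markup is neutralised at output time
```

The split is the point: the database layer is protected by binding, the HTML layer by escaping, and neither step requires altering what the user submitted. A form that bypasses the Form Helper still gets both protections as long as its handler goes through the bound where clause and its template does not apply `|raw` to request-derived values.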