cartimus Posted March 1, 2013

The virtual app code assumes Magic Quotes is disabled and uses mysqli_real_escape_string() directly, but my host provider has Magic Quotes enabled. For that environment, should I replace every mysqli_real_escape_string() statement with the escape_data() function defined in mysql.inc.php?

For the IPN listener, if modified to process other fields, how would $_POST['payment_date'] be made safe to use in a query, or is that necessary for dates?

Also for the IPN listener, is there a way to run the entire $_POST[] array from PayPal through at once (i.e. something like escape_data($_POST)), or should each individual value you want to retain be handled individually?
Larry Posted March 2, 2013

Yes, using escape_data() sounds like a good plan for you. $_POST['payment_date'] can be made safe by running it through an escaping function, applying regular expressions, or using prepared statements. In theory, dates are safe, but that's assuming it's a date value you're provided with and not something malicious. You can use the array_map() function to apply a function to an entire array. It does not work on multidimensional arrays, however.
cartimus Posted March 4, 2013 (Author)

Thanks for the suggestions!
WobbyBoy Posted March 11, 2013

In ecommerce1, shouldn't we be using escape_data() instead of mysqli_real_escape_string() when checking forms anyway? Don't we want to be trimming the data from form fields like escape_data() does, or at least adding trim() to all the checks of the form fields in, say, register.php? Or, if there is a reason we don't want to trim data from a particular field, can we not add an else clause to escape_data() that matches the fields we don't want trimmed and returns an untrimmed version of the data? That way we would be making use of escape_data() in the application.

Regards, Rob
Larry Posted March 11, 2013

If I recall correctly, I defined escape_data() and then mistakenly didn't use it (this is on the errata page, I believe). So, yes, you'd want to use escape_data(). It's not the biggest issue one way or the other but...
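The points raised in the two exchanges above (an escape_data()-style helper that copes with Magic Quotes and trims input, array_map() over the whole $_POST array with its single-level limitation, validating payment_date, and the prepared-statement alternative) as one added example. This is not the book's mysql.inc.php code nor anything posted in the thread; the function bodies, the $dbc connection, the orders table with its payment_date DATETIME column, and the $_POST contents are all assumptions made for illustration.

```php
<?php
// Added example, not from the book or the forum posts.
// Assumed: a mysqli connection in $dbc and a table "orders" with columns
// txn_id VARCHAR and payment_date DATETIME. $_POST is constructed below to
// stand in for a real PayPal IPN; nothing here contacts PayPal.

function escape_data($data, mysqli $dbc) {
    // Undo Magic Quotes first, otherwise the value is escaped twice and a
    // literal backslash ends up in the database.
    // get_magic_quotes_gpc() is a PHP 5 function: it always returns false
    // from 5.4 onward and is removed in PHP 8, so guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysqli_real_escape_string($dbc, trim($data));
}

// array_map() is not recursive: a nested array (e.g. a checkbox group) would
// be handed to escape_data() as an array. Leave such values untouched here
// and handle them explicitly where they are used.
function escape_array(array $input, mysqli $dbc) {
    return array_map(function ($v) use ($dbc) {
        return is_array($v) ? $v : escape_data($v, $dbc);
    }, $input);
}

// PayPal sends payment_date like "02:51:15 Mar 02, 2013 PST". Validate it as
// a date and normalise it instead of trusting that its shape is harmless;
// returns null when strtotime() cannot parse it.
function ipn_date_to_mysql($s) {
    $ts = strtotime(trim($s));
    return ($ts === false) ? null : date('Y-m-d H:i:s', $ts);
}

// --- usage -----------------------------------------------------------------
$dbc = new mysqli('localhost', 'user', 'secret', 'shop');   // assumed credentials
$_POST = array(                                              // constructed IPN data
    'txn_id'       => "1AB'23",                              // contains a quote on purpose
    'payment_date' => '02:51:15 Mar 02, 2013 PST',
);

// 1. Escape everything in one pass, then build the query from the clean copy.
$clean = escape_array($_POST, $dbc);
$date  = ipn_date_to_mysql($clean['payment_date']);
if ($date !== null) {
    $q = "INSERT INTO orders (txn_id, payment_date)
          VALUES ('{$clean['txn_id']}', '$date')";
    mysqli_query($dbc, $q);
}

// 2. Prepared statement: no manual escaping, the driver keeps data and SQL
//    apart. Magic Quotes still adds backslashes to $_POST, so strip them
//    before binding or they are stored literally.
$txn = $_POST['txn_id'];
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $txn = stripslashes($txn);
}
$date = ipn_date_to_mysql($_POST['payment_date']);
if ($date !== null) {
    $stmt = $dbc->prepare('INSERT INTO orders (txn_id, payment_date) VALUES (?, ?)');
    $stmt->bind_param('ss', $txn, $date);
    $stmt->execute();
    $stmt->close();
}
```

Of the two routes, the prepared statement is the one to prefer for new code: escaping has to be applied to every value and redone correctly on every host (which is exactly the Magic Quotes problem in the first post), whereas bound parameters are never interpreted as SQL at all. The date is validated in both cases because escaping only protects the quoting of a string; it does nothing to ensure the column receives a real date.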
WobbyBoy Posted March 12, 2013

Sorry, didn't read the errata.
Larry Posted March 12, 2013

No need to apologize. Sorry I made the mistake!