Inserting data into the database (Cotonti / Extensions forum)

lukgoh
#1 2012-01-11 11:09

I'm new to extension development and I was wondering what the safest way is to insert user data into the database. 

I have a form for users to fill out and I was just curious about SQL injections.

Luke.

Dave
#2 2012-01-11 18:19

I'm not sure if I understand you correctly, but why not use user extrafields?

Your advertisement here :-)

Cotonti Genoa based site: forgotten-garage.pl
lukgoh
#3 2012-01-11 18:30

I was wondering if Cotonti had a function I needed to use to check the data being input, to stop any possible SQL injections from the form? I didn't think of using the user extrafields, but in the interest of learning I would still like an answer to this question.

Luke.

Dave
#4 2012-01-12 00:50

My small conclusion: I can't answer your question, but I'm almost sure (without knowing the code) that Cotonti / user_extra won't allow any SQL in the form; that's how I'd design it and probably how the Cotonti devs did it.

Forgive my English, it's weak sometimes :)

Your advertisement here :-)

Cotonti Genoa based site: forgotten-garage.pl
lukgoh
#5 2012-01-12 00:55

Thank you Dave, I appreciate your effort to help me. I am pretty sure that the user extrafields use the same functions as other core queries so I guess I can work it out from those.

Dyllon
#6 2012-01-12 04:39

The safest way I'm aware of is by defining what the variable contains when inserting it into, or updating it in, your SQL table. You can accomplish that by doing something like this:

$variable_int = 0;
$variable_string = 'string';

// Each array key is a column name, so the keys must be distinct:
// a repeated key would silently overwrite the earlier value.
$db->insert($db_table_name, array(
	'field_string' => (string) $variable_string, // force a string
	'field_int'    => (int) $variable_int        // force an integer
));

We are what we repeatedly do. Excellence then, is not an act, but a habit.
GHengeveld
#7 2012-01-12 11:25

Dyllon is correct. This is the syntax for Siena. For Genoa you'll need to do sed_sql_prep() on strings and cast numbers to int or float.

You can use extrafields to add the fields to the database table and then use regular queries like this to insert/update/select/delete etc. However, extrafields is only available for users, pages and structure.

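The cast-before-insert pattern from posts #6 and #7, written out as an added example (not Cotonti's own code): the table column names, the $schema array, whitelist_row() and the submitted values are assumptions for illustration; only $db->insert($table, $row) and sed_sql_prep() come from the thread.

```php
<?php
// Declared column types for a hypothetical module table (assumption).
$schema = array(
    'item_id'    => 'int',
    'item_title' => 'string',
    'item_price' => 'float',
);

/**
 * Build a row that contains only the schema's columns, each cast to its
 * declared type. Keys not in the schema are dropped, so a form cannot add
 * columns of its own, and every value has a known type before it reaches
 * the database layer (hypothetical helper, not part of Cotonti).
 */
function whitelist_row(array $schema, array $input)
{
    $row = array();
    foreach ($schema as $column => $type) {
        $value = isset($input[$column]) ? $input[$column] : null;
        switch ($type) {
            case 'int':
                $row[$column] = (int) $value;
                break;
            case 'float':
                $row[$column] = (float) $value;
                break;
            default:
                $row[$column] = (string) $value;
        }
    }
    return $row;
}

// Constructed form submission: a non-numeric id, a quote in the title,
// a price with trailing junk, and a column that does not exist.
$submitted = array(
    'item_id'    => '7abc',
    'item_title' => "O'Reilly",
    'item_price' => '9.99xyz',
    'bogus'      => 'ignored',
);

$row = whitelist_row($schema, $submitted);
var_dump($row); // item_id => 7, item_title => "O'Reilly", item_price => 9.99; bogus is gone

// Siena (per post #7): hand the typed row to the database layer.
// $db->insert($db_items, $row);
// Genoa (per post #7): strings must additionally go through sed_sql_prep()
// before being placed in a query, e.g. sed_sql_prep($row['item_title']).
```

The cast handles numbers; the remaining risk is the string column, which is why post #7 pairs the cast with sed_sql_prep() on Genoa.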
lukgoh
#8 2012-01-12 11:34

Thank you guys! 

GHengeveld
#9 2012-01-12 16:16

If you intend to build something that uses its own database table such as a custom module, you might want to consider using SimpleORM. It's a bit more complex but will save a lot of development time.

lukgoh
#10 2012-01-12 17:54

Yeah it is using its own tables. Awesome, this looks very useful! Thank you GHengeveld. I'll post here if I need any more help.