[TYPO3-english] how to: properly escape strings in 4.5.30?
Xavier Perseguers
xavier at typo3.org
Thu Nov 21 20:39:55 CET 2013
Hi,
> My action begins like so:
>
> public function adminAction() {
>     $prizes = $_POST['tx_bingoprizes_bingofrontend']['prize'];
Accessing $_POST directly is against basic TYPO3 API usage best practices;
use t3lib_div::_POST() instead.
>     // at this point my prize[] elements are already quoted, why?
>     foreach ($prizes as $key => $prize) {
>         foreach ($prize as $field => $value) {
>             // echo "Magic quotes is " . (get_magic_quotes_gpc() ? "ON" : "OFF");
Magic quotes are deprecated; t3lib_div::_POST() does the magic for you.
>             // echo strip_tags($value); die;
>             // OFF gets printed
>             $cleanedValues[$field] = mysql_real_escape_string(strip_tags($value));
Use the TYPO3 API ($GLOBALS['TYPO3_DB']) and do not use mysql_* calls directly.
>         }
>     ... more code
> I am using TYPO3 v4.5.30; is there a TYPO3 setting or possibly an
> extension API call made somewhere that does the escaping before my
> action code fires?
Yes, stick to the TYPO3 API.
HTH
Xavier
--
Xavier Perseguers
Release Manager TYPO3 4.6
TYPO3 .... inspiring people to share!
Get involved: http://typo3.org
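The two recommendations in the reply above (t3lib_div::_POST() instead of $_POST, $GLOBALS['TYPO3_DB'] instead of mysql_* calls) put together in one controller action, as an added example for TYPO3 4.5. This is not code from the thread or from the extension being discussed; the controller class name, the table tx_bingoprizes_prize and its columns title, description and amount are assumed for illustration. The POST namespace tx_bingoprizes_bingofrontend is the one from the original question.

```php
<?php
/*
 * Added example, not code from the thread. Assumed for illustration:
 * the controller class name, the table tx_bingoprizes_prize and the
 * columns title / description / amount.
 */
class Tx_Bingoprizes_Controller_BingoController extends Tx_Extbase_MVC_Controller_ActionController {

    public function adminAction() {
        // t3lib_div::_POST() returns the submitted value and strips the
        // slashes that magic_quotes_gpc adds, so the data looks the same
        // whether that setting is on or off. This replaces reading $_POST.
        $formData = t3lib_div::_POST('tx_bingoprizes_bingofrontend');
        $prizes = (is_array($formData) && isset($formData['prize']) && is_array($formData['prize']))
            ? $formData['prize']
            : array();

        foreach ($prizes as $prize) {
            if (!is_array($prize)) {
                continue;
            }
            // Validate and cast per field instead of a blanket strip_tags():
            // integers are cast, free text is handed to the database layer
            // unchanged and quoted there.
            $row = array(
                'pid'         => 0,
                'tstamp'      => time(),
                'crdate'      => time(),
                'title'       => isset($prize['title']) ? trim($prize['title']) : '',
                'description' => isset($prize['description']) ? trim($prize['description']) : '',
                'amount'      => isset($prize['amount']) ? intval($prize['amount']) : 0,
            );
            // exec_INSERTquery() passes every value through fullQuoteStr() for
            // the configured database, so no mysql_real_escape_string() and no
            // manual quoting is needed here.
            $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_bingoprizes_prize', $row);
        }

        // Where a hand-written WHERE clause is unavoidable, quote through the
        // API as well; fullQuoteStr() adds the surrounding quotes itself.
        $title = (string) t3lib_div::_GP('title');
        $rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
            'uid, title',
            'tx_bingoprizes_prize',
            'title = ' . $GLOBALS['TYPO3_DB']->fullQuoteStr($title, 'tx_bingoprizes_prize')
                . ' AND deleted = 0'
        );
        $this->view->assign('prizes', $rows);
    }
}
```

Inside an Extbase controller the same form data is also reachable through $this->request->getArguments(), which is the more idiomatic route; the point of the example is that escaping belongs to the database layer at query time, not to the controller at input time. Escaping for HTML output (htmlspecialchars() when rendering) is a separate step and is not what strip_tags() on input provides.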