On Mon, May 11, 2009 at 1:08 PM, Chad <[email protected]> wrote:
> Also, when using a LIKE, we've also got escapeLike() for sanitizing
> user input for
> %'s

And _'s.  Those are easy to forget, but they need to be escaped too.

On Mon, May 11, 2009 at 1:40 PM, Chad <[email protected]> wrote:
> Yes, you need to escape all input before doing select or insert.

Not ideally.  If you do something like

$dbr->select( 'page', 'page_id', array( 'page_namespace' => 0,
'page_title' => $unsanitized_user_input ) );

the values (second half) of the WHERE part will be automatically
escaped.  Manually escaping it will lead to double escaping.  In fact,
if you want a condition like 'page_id = rev_page', you need to do
something like array( 'page_id = rev_page' ).  Trying array( 'page_id'
=> 'rev_page' ) will give you "WHERE page_id = 'rev_page'".

So as Jan says, you only need to manually escape if you have to do a
condition that requires you to use a raw string, like if you need to
use functions or comparison operators other than equality (!=, <, >,
LIKE, ...).

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
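Added example, not code from the thread or from MediaWiki: a small Python model of the escaping rules discussed above. The names add_quotes, escape_like, make_list_and and select are stand-ins for the PHP methods being described and are assumptions about their shape, not their real signatures. It shows that keyed conditions are quoted for you (so escaping by hand produces a double-escaped literal), that a column-to-column condition has to be passed as a raw fragment, and that a LIKE pattern is the case where you do escape by hand, handling _ as well as %.

```python
"""Toy model of select()/makeList() escaping (constructed example, not
MediaWiki code): string-keyed conditions are quoted automatically,
integer-keyed entries (what PHP gives an unkeyed array item) are raw SQL,
and LIKE patterns need %, _ and the escape character handled separately."""


def add_quotes(value):
    """Stand-in for addQuotes(): integers pass through unquoted, strings are
    wrapped in single quotes with backslash and quote escaped MySQL-style."""
    if isinstance(value, bool):
        raise TypeError("booleans are not valid SQL literals here")
    if isinstance(value, int):
        return str(value)
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def escape_like(text):
    """Stand-in for escapeLike(): neutralise the LIKE wildcards % and _ and the
    escape character itself. The backslash is handled first so that the
    backslashes added for % and _ are not doubled again."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def make_list_and(conds):
    """Model of makeList( $conds, LIST_AND ): string keys are column names whose
    values get add_quotes(); integer keys mark raw SQL fragments that are used
    verbatim, the way array( 'page_id = rev_page' ) is."""
    parts = []
    for key, value in conds.items():
        if isinstance(key, int):
            parts.append(value)
        else:
            parts.append(f"{key} = {add_quotes(value)}")
    return " AND ".join(parts)


def select(table, var, conds):
    """Model of $dbr->select( $table, $var, $conds )."""
    return f"SELECT {var} FROM {table} WHERE {make_list_and(conds)}"


def title_query(user_input):
    """Correct use: hand over the raw user value and let select() quote it."""
    return select("page", "page_id", {"page_namespace": 0, "page_title": user_input})


def double_escaped_title_query(user_input):
    """The mistake from the thread: escaping by hand and then letting select()
    escape again. The literal MySQL sees ends up with a stray backslash."""
    pre_escaped = user_input.replace("\\", "\\\\").replace("'", "\\'")
    return select("page", "page_id", {"page_namespace": 0, "page_title": pre_escaped})


def join_condition_query():
    """A column-to-column condition must be a raw fragment; as a keyed entry the
    right-hand side is quoted and compared against the string 'rev_page'."""
    raw = select("page", "page_id", {"page_namespace": 0, 0: "page_id = rev_page"})
    wrong = select("page", "page_id", {"page_namespace": 0, "page_id": "rev_page"})
    return raw, wrong


def prefix_query(user_prefix):
    """LIKE needs a raw fragment, so here the escaping is manual: escape_like()
    for the wildcards, then add_quotes() for the literal. The trailing % is
    appended after escaping so it remains a wildcard."""
    pattern = add_quotes(escape_like(user_prefix) + "%")
    return select("page", "page_id", {"page_namespace": 0, 0: f"page_title LIKE {pattern}"})


if __name__ == "__main__":
    print(title_query("O'Brien"))
    print(double_escaped_title_query("O'Brien"))
    print(*join_condition_query(), sep="\n")
    print(prefix_query("50%_off"))
```

Run it and compare the second line of output with the first: the double-escaped version sends MySQL the literal O\'Brien rather than O'Brien, which is the bug the thread warns about. The last line shows the user's % and _ arriving escaped while the appended % is still a wildcard.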