X-Cart: shopping cart software

X-Cart forums, Dev Questions: SQL escaping for queries using x-cart's db functions (https://forum.x-cart.com/showthread.php?t=69205)

bbrewer 05-19-2014 12:01 PM

SQL escaping for queries using x-cart's db functions
 
I was just working on a mod for Xcart 4.6.1 and was under the impression that all the db functions do proper automatic escaping to prevent sql injection, but then I was using db_query() to insert a name with an apostrophe and it wasn't working so I looked at the function and it doesn't escape anything. So, what function should I be using to handle insert queries with automatic escaping of values? Should I not use db_query for anything anymore?

totaltec 05-19-2014 01:18 PM

Re: SQL escaping for queries using x-cart's db functions
 
I think you want to look at include/func/func.db.php

I believe these are the functions that you want to use, possibly func_array2insert

bbrewer 05-19-2014 01:42 PM

Re: SQL escaping for queries using x-cart's db functions
 
Quote:

Originally Posted by totaltec
I think you want to look at include/func/func.db.php

I believe these are the functions that you want to use, possibly func_array2insert

Thanks for your reply. I'm pretty well acquainted with that func.db.php file and the functions, but I was under the impression that these functions had all been tweaked over the years to prevent sql injection and handle automatic escaping. But, after further digging, it looks like this is not the case. I guess I've been spoiled by working with nice php frameworks the past few years where I don't have to worry about escaping as long as I use the frameworks' db functions. Looks like maybe there's some other code somewhere in xcart that handles escaping/sanitizing request vars, but it's not built into the actual db functions from what I can see. So, I've switched to using func_array2insert and passing the values array to it with func_addslashes. Now I've gotta go back through my code and remove all the db_query stuff or make sure to run func_addslashes on all the vars first.
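The two patterns discussed in this post, side by side, as an added example that is not X-Cart's own code. It assumes X-Cart 4.6's helpers func_addslashes() and func_array2insert($table, $row) behave as the thread describes; the stand-ins below only build the SQL text (they never execute it) so the file runs outside X-Cart, and the table and column names are constructed for illustration.

```php
<?php
// Stand-in for X-Cart's func_addslashes(): backslash-escape quotes in a
// scalar or, recursively, in every element of an array (assumed behaviour).
function func_addslashes($v) {
    return is_array($v) ? array_map('func_addslashes', $v) : addslashes($v);
}

// Stand-in for X-Cart's func_array2insert(): assemble an INSERT from an
// associative array. The real helper runs the query; this one returns it.
function func_array2insert($table, array $row) {
    $cols = implode(', ', array_map(fn($c) => "`$c`", array_keys($row)));
    $vals = implode(', ', array_map(fn($v) => "'$v'", $row));
    return "INSERT INTO `$table` ($cols) VALUES ($vals)";
}

// Constructed input: a legitimate surname containing an apostrophe.
$firstname = "Miles";
$lastname  = "O'Brien";

// 1. The pattern the original poster started with: values interpolated
//    straight into the SQL handed to db_query(). The apostrophe terminates
//    the string literal early, so the statement is malformed, and any value
//    taken from a request would be interpreted as SQL rather than data.
$raw = "INSERT INTO xcart_customers (firstname, lastname) "
     . "VALUES ('$firstname', '$lastname')";
// -> ... VALUES ('Miles', 'O'Brien')   (syntax error / injection point)

// 2. The pattern the poster switched to: escape every value first, then
//    let func_array2insert() assemble the statement.
$row  = func_addslashes(['firstname' => $firstname, 'lastname' => $lastname]);
$safe = func_array2insert('xcart_customers', $row);
// -> INSERT INTO `xcart_customers` (`firstname`, `lastname`) VALUES ('Miles', 'O\'Brien')

echo $raw, "\n", $safe, "\n";
```

Backslash escaping via addslashes() is not aware of the connection's character set, so where the database layer allows it, a connection-aware escape function or prepared statements with bound parameters is the stronger defence.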

cflsystems 05-20-2014 07:33 AM

Re: SQL escaping for queries using x-cart's db functions
 
Start with /auth.php and follow the includes, first few. I think most of the prep work is done in /prepare.php.

If your script starts with

PHP Code:

require './auth.php';


you should be good and not need to do any extra work unless you want to

