Quote:
Originally Posted by totaltec
I think you want to look at include/func/func.db.php
I believe these are the functions that you want to use, possibly func_array2insert
Thanks for your reply. I'm pretty well acquainted with that func.db.php file and the functions, but I was under the impression that these functions had all been tweaked over the years to prevent SQL injection and handle automatic escaping. But, after further digging, it looks like this is not the case. I guess I've been spoiled by working with nice PHP frameworks the past few years where I don't have to worry about escaping as long as I use the frameworks' db functions. Looks like maybe there's some other code somewhere in X-Cart that handles escaping/sanitizing request vars, but it's not built into the actual db functions from what I can see. So, I've switched to using func_array2insert and passing the values array to it with func_addslashes. Now I've gotta go back through my code and remove all the db_query stuff or make sure to run func_addslashes on all the vars first.
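The two patterns the post contrasts, as an added example that is not part of the thread or of X-Cart's own code: `escape_values()` and `build_insert()` are local stand-ins that mirror what the post describes for func_addslashes and func_array2insert (escape the whole values array, then build the INSERT from it), and the request data is constructed.

```php
<?php
// Added example, not X-Cart code. The real func_addslashes()/func_array2insert()
// live in include/func/func.db.php; the functions below only show the difference
// between interpolating raw request values and escaping every value first.

// Constructed request data: first_name carries a quote that breaks out of a literal.
$request = [
    'first_name' => "O'Brien', 'x@example.com'); -- ",
    'email'      => 'obrien@example.com',
];

// UNSAFE: the pattern the post is moving away from. db_query() itself does not
// escape, so the quote in first_name ends the literal and rewrites the statement.
function unsafe_insert(array $r): string {
    return "INSERT INTO xcart_customers (first_name, email) "
         . "VALUES ('{$r['first_name']}', '{$r['email']}')";
}

// Escape every value in the array (the func_addslashes step).
// addslashes() is charset-unaware; with mysqli prefer real_escape_string or
// prepared statements. It is used here because it is the approach on the page.
function escape_values(array $values): array {
    return array_map('addslashes', $values);
}

// Build the INSERT from an already-escaped array, quoting every value as a string
// literal (stand-in for func_array2insert). Column names come from the code's own
// array keys, never from request input, so they are safe to splice in.
function build_insert(string $table, array $values): string {
    $cols = implode(', ', array_map(fn($c) => "`{$c}`", array_keys($values)));
    $vals = implode(', ', array_map(fn($v) => "'{$v}'", $values));
    return "INSERT INTO `{$table}` ({$cols}) VALUES ({$vals})";
}

echo unsafe_insert($request), "\n";                                  // literal is broken open
echo build_insert('xcart_customers', escape_values($request)), "\n"; // quote stays inside: 'O\'Brien\', ...'
```

Running the two lines side by side shows why the post's cleanup matters: every db_query call that interpolates a request variable needs the func_addslashes step, not just the inserts that go through func_array2insert.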