I have code like this in my Joomla plugin:

$some_id = $_GET["someid"]; // raw request value, interpolated into the SQL below as-is

$db = JFactory::getDBO();
$db->setQuery("SELECT * FROM #__table WHERE id = '$some_id'");

$result = $db->loadRow();

Does Joomla sanitize this automatically, or do I need to do something (and what) to sanitize this query? Using Joomla 2.5.

Techie
SomeoneS

3 Answers


There is no need to sanitize database queries when using Joomla. The information you are pulling down is the information that has been put there or was already there, and thus you don't want to change it. I would also recommend using the Joomla 2.5 coding standards to make database queries, like so:

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select('*') // quoteName('*') would produce `*`, which MySQL rejects
      ->from($db->quoteName('#__table'))
      ->where($db->quoteName('id') . ' = ' . $db->quote($some_id)); // quote() escapes and wraps the value
$db->setQuery($query);
$rows = $db->loadRow(); //or loadResult()

The only time I have ever needed to sanitize (so to speak) something was when handling files, in which case I used JFile::makeSafe().

Lodder
  • Are you sure Joomla's DB class takes care of sanitization automatically? I would at least use `$db->quote($some_id)` to be safe. See http://forum.joomla.org/viewtopic.php?p=2674222 – danronmoon Jan 08 '13 at 16:26
  • 1
    If you use the quote and quoteName it will escape unless you tell it not to. Also you can always cast the values to make sure they are the right type, ie. (int) $db->quoteName($some_id). I consider that a good practice because you should really consider all data untrustworthy. – Elin Jan 08 '13 at 17:15

Take a look at JInput and this corresponding documentation

Filter example:

$jinput = JFactory::getApplication()->input;
$some_id = $jinput->get('someid', '', 'string'); // third argument is the JFilterInput filter type
danronmoon
  • +1 Although not necessary to sanitize, I agree with Elin that it is good practice. Plus it is very important, as @danronmoon mentions, to filter GET requests. Good idea to use JFactory instead of JRequest, which is now deprecated post 3.0. Error with example. It should be `jinput` instead of `input`. – Tom Feb 17 '13 at 15:41
  • Thanks for the correction. JInput is what is going to be eventually replacing JRequest, not JFactory. `$jinput` in this example is a JInput object. I consider explicit sanitization a healthy habit to get into, even if Joomla does this by default to lower the barrier to entry for newer users (much like PHP did with magic_quotes_gpc, which has since been removed as of PHP 5.4). – danronmoon Feb 18 '13 at 00:51
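The question's lookup beside a hardened form of it, as an added example; this is not code from the question, the answers, or the Joomla project. It assumes it runs inside a Joomla 2.5 plugin (so JFactory, JInput and the JDatabase query builder are already loaded by the CMS) and a table with an integer `id` column plus a string `alias` column. The `alias` column, the function names `unsafeQueryFor`, `loadRowById` and `loadRowByAlias`, and the payload value are assumptions made for illustration:

```php
<?php
// Added example, not from the original question or answers. Assumes a Joomla 2.5
// plugin context: JFactory, JInput and JDatabase are loaded by the CMS.
defined('_JEXEC') or die;

/**
 * Builds exactly the SQL the question's code sends to MySQL. Nothing in Joomla
 * touches $some_id between $_GET and this string; the driver only sees the result.
 * This function is for inspection only and never executes the query.
 */
function unsafeQueryFor($some_id)
{
    return "SELECT * FROM #__table WHERE id = '$some_id'";
}

// Constructed attacker value: closes the literal and appends a tautology.
$hostile = "1' OR '1'='1";
$shownToAttacker = unsafeQueryFor($hostile); // see the note after this block

/**
 * Hardened lookup for an integer key: filter at the input boundary with JInput,
 * then cast again when building the WHERE clause. No quoting is needed for an
 * integer because a cast cannot contain SQL.
 */
function loadRowById()
{
    $input = JFactory::getApplication()->input;

    // 'int' filter: non-numeric input collapses to 0, and "1' OR '1'='1" collapses to 1.
    $some_id = $input->getInt('someid', 0);
    if ($some_id <= 0) {
        return null; // refuse to query with a bogus id (assumption: ids are positive)
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true);
    $query->select('*')                               // not quoteName('*'): `*` is invalid SQL
        ->from($db->quoteName('#__table'))
        ->where($db->quoteName('id') . ' = ' . (int) $some_id);
    $db->setQuery($query);

    return $db->loadAssoc();
}

/**
 * Same lookup on a string column, where a cast is impossible. $db->quote() both
 * escapes the value and supplies the surrounding single quotes, so an embedded
 * quote in $alias cannot terminate the literal. quoteName() protects identifiers
 * only and must never be applied to a value.
 */
function loadRowByAlias()
{
    $alias = JFactory::getApplication()->input->getString('alias', '');

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__table'))
        ->where($db->quoteName('alias') . ' = ' . $db->quote($alias));
    $db->setQuery($query);

    return $db->loadAssoc();
}
```

For the constructed value `1' OR '1'='1`, `unsafeQueryFor()` returns the string `SELECT * FROM #__table WHERE id = '1' OR '1'='1'`, which matches every row of the table. The same value passed through `getInt()` becomes `1`, and on the string path `$db->quote()` escapes the embedded quotes before wrapping the value, so the attacker can only ever search for a literal alias.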

Please take a look at the Secure coding guidelines; you will get your answer there:

http://docs.joomla.org/Secure_coding_guidelines