Editor Security & Submitted Data Binding

Editor Security & Submitted Data Binding

rw152rw152 Posts: 56Questions: 15Answers: 1
edited November 2015 in General

If data is being submitted using the editor, is it required/recommended that we bind the data prior to saving to the database? Editor- Binding Submitted Data seems to suggest this is necessary for where conditions, but is it necessary for all other inputs (e.g. form inputs from editor)?

If so, is there more documentation on how to best accomplish binding the inputs? Sorry, I hope this isn't a re-post, but I couldn't find any references using search. Thanks!

This question has an accepted answers - jump to answer

Answers

  • allanallan Posts: 63,685Questions: 1Answers: 10,500 Site admin
    Answer ✓

    If you are using user submitted data, then yes, you absolutely show bind the data, otherwise you open yourself up to SQL injection attacks.

    Editor will bind all of the user submitted data that it uses itself (i.e. the submitted form), so you don't need to bind those values.

    Basically, if you use $_GET or $_POST in an SQL command, it must be bound.

    Allan

  • rw152rw152 Posts: 56Questions: 15Answers: 1

    Thanks!

This discussion has been closed.