Do the built-in database queries in CS-Cart (db_query, db_get_row, etc.) automatically escape special characters in the statements, for security?

Hi, so you know how you're supposed to not allow characters such as ';' into database queries so that people won't be able to insert an additional statement into your query.

For example:

$string = 'value; DROP TABLE ?: table ';

db_query("SELECT * FROM ?:table WHERE field = ?s", $string);

Do the db functions of CS-Cart automatically filter out those characters so that this won't happen?

Sure, placeholders are used for this feature.

Thank you, I just wanted to know whether or not the functions already take care of this, or if I'd have to do it myself.

Your example will fail because the '?s' parameter will set your statement to read:

SELECT * FROM ?:table WHERE field = 'value; DROP TABLE ?: table '

which will simply set 'field' to the full string you set it to. If your '$string' were set to

$string = 'value\'; DROP TABLE ?: table ';

Then it might have the effect you fear. I do believe (though never tried it) that db_query() will accept compound statements.
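To make the placeholder behaviour discussed in the two replies concrete, here is an added, self-contained model of ?s/?: substitution (written for this thread, not CS-Cart's own db_query code; the table prefix cscart_ and the function names are assumptions). It feeds both of the strings above through the same substitution so you can see where each one ends up in the resulting SQL.

```php
<?php
// Constructed model of placeholder substitution, NOT CS-Cart's db_query.
// It shows the principle: the argument is escaped and quoted as data,
// so a quote inside it cannot terminate the SQL literal.

const TABLE_PREFIX = 'cscart_'; // assumed prefix expanded for "?:"

// Escape the characters MySQL treats specially inside a quoted literal
// (the set mysqli_real_escape_string handles, done by hand here so the
// example runs without a database connection).
function sql_escape(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Replace "?:" with the table prefix and each "?s" with the next argument,
// escaped and wrapped in single quotes. Only the template is scanned for
// placeholders, so a "?:" inside an argument is left alone as data.
function build_query(string $query, string ...$args): string
{
    $i = 0;
    return preg_replace_callback('/\?(:|s)/', function ($m) use (&$i, $args) {
        if ($m[1] === ':') {
            return TABLE_PREFIX;
        }
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException('Missing argument for ?s');
        }
        return "'" . sql_escape($args[$i++]) . "'";
    }, $query);
}

$query = "SELECT * FROM ?:table WHERE field = ?s";

// Both inputs from the thread: the plain one and the one with a quote in it.
foreach (['value; DROP TABLE ?: table ', "value'; DROP TABLE ?: table "] as $string) {
    echo build_query($query, $string), PHP_EOL;
}
```

Running this prints the two WHERE clauses as `field = 'value; DROP TABLE ?: table '` and `field = 'value\'; DROP TABLE ?: table '`: in both cases the whole string stays inside one literal, which is the property the placeholders exist to guarantee.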