$date = date("Y-m-j");
$author = $user->name;
$query = $db->getQuery(true);
$query = "INSERT INTO `#__gcmails` (`author`, `functie`, `type`, `date`,`subject`,`message`) VALUES ('$author','$func','$type','$date',$db->quote('$subject'),$db->quote('$message'))";
$db->setQuery( $query );
$db->execute();
--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-gene...@googlegroups.com.
To post to this group, send email to joomla-de...@googlegroups.com.
Visit this group at http://groups.google.com/group/joomla-dev-general.
For more options, visit https://groups.google.com/d/optout.
On 24 October 2015 at 20:56:27, Mike Smith (b10...@gmail.com) wrote:
On 24 October 2015 at 21:43:46, Mike Smith (b10...@gmail.com) wrote:
On 24 October 2015 at 22:03:34, Mike Smith (b10...@gmail.com) wrote:
On 24 October 2015 at 22:09:21, 'Hannes Papenberg' via Joomla! General Development (joomla-de...@googlegroups.com) wrote:
$query = "INSERT INTO `#__gcmails` (`author`, `functie`, `type`, `date`,`subject`,`message`) VALUES ('$author','$func','$type','$date'," . $db->quote($subject) . ", " . $db->quote($message) . ")";
On 27 October 2015 at 17:37:17, cdcvineyard (chri...@gmail.com) wrote:
But that will still not properly quote all your input. If someone sends
in "');UPDATE #__users SET password = MD5('secret');" for $author, all
your passwords are suddenly set to "secret". Which is why everything
needs to be quoted.
In this special case the last 2 %s would not have to be put into single
quotes, since they are already quoted with $db->quote().
Hannes
On 28.10.2015 at 16:22, cdcvineyard wrote:
> Another option would be to use the sprintf command to fill data into a
> formatted string. such as:
>
> $query = sprintf("INSERT INTO `#__gcmails` (`author`, `functie`,
> `type`, `date`,`subject`,`message`) VALUES ('%s','%s','%s','%s', '%s',
> '%s')", $author, $func, $type, $date, $db->quote($subject),
> $db->quote($message));
>
> This is a little easier to read and determine where/what the variables
> are.
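The fully quoted form Hannes is arguing for, as an added example that is not code from this thread or from Joomla itself. It assumes the Joomla 3.x JDatabaseDriver API (JFactory::getDbo, quote, quoteName, getQuery) and uses constructed input values; the hostile $author string is the one quoted in the thread.

```php
<?php
// Added example, not from the thread. Assumes Joomla 3.x (JFactory, JDatabaseDriver).
// The thread's table and columns are used; the input values below are constructed.

// Unsafe: $author, $func and $type are dropped into the SQL unquoted and unescaped,
// so a value containing a quote or a semicolon rewrites the statement.
function buildUnsafeInsert($author, $func, $type, $date, $subject, $message)
{
    return "INSERT INTO `#__gcmails` (`author`, `functie`, `type`, `date`, `subject`, `message`)"
        . " VALUES ('$author', '$func', '$type', '$date', '$subject', '$message')";
}

// Safe: every value passes through $db->quote(), which escapes it and adds the
// surrounding single quotes, so the SQL text itself carries no hand-written quotes.
// Pass the variable ($subject), not the single-quoted literal '$subject', which
// PHP would send as the eight characters $subject.
function buildQuotedInsert(JDatabaseDriver $db, $author, $func, $type, $date, $subject, $message)
{
    $columns = $db->quoteName(array('author', 'functie', 'type', 'date', 'subject', 'message'));
    $values  = array_map(array($db, 'quote'), array($author, $func, $type, $date, $subject, $message));

    return 'INSERT INTO ' . $db->quoteName('#__gcmails')
        . ' (' . implode(', ', $columns) . ') VALUES (' . implode(', ', $values) . ')';
}

// Same statement through the query builder: names and values are still quoted by
// the driver, but the string assembly is no longer done by hand.
function buildBuilderInsert(JDatabaseDriver $db, $author, $func, $type, $date, $subject, $message)
{
    $query = $db->getQuery(true);
    $query->insert($db->quoteName('#__gcmails'))
        ->columns($db->quoteName(array('author', 'functie', 'type', 'date', 'subject', 'message')))
        ->values(implode(', ', array_map(array($db, 'quote'),
            array($author, $func, $type, $date, $subject, $message))));

    return $query;
}

$db      = JFactory::getDbo();
$date    = date('Y-m-j');
$author  = "');UPDATE #__users SET password = MD5('secret');"; // hostile value from the thread (constructed input)
$func    = 'tester';
$type    = 'info';
$subject = "O'Reilly";   // a legitimate value with a quote in it, handled the same way
$message = 'hello';

// With quoting, the hostile $author is stored as a plain string; the embedded UPDATE never runs.
$db->setQuery(buildBuilderInsert($db, $author, $func, $type, $date, $subject, $message));
$db->execute();
```

buildUnsafeInsert() is included only to show what the unquoted interpolation produces; the two quoted builders are the forms to use.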