I have code like this in my Joomla plugin:
$some_id = $_GET["someid"];
$db = JFactory::getDBO();
$db->setQuery("SELECT * FROM #__table WHERE id = '$some_id'");
$result = $db->loadRow();
Does Joomla sanitize this automatically, or do I need to do something (and what) to sanitize this query? Using Joomla 2.5.
There is no need to sanitize database queries when using Joomla. The information you are pulling down is the information that has been put there or was already there, and thus that you don't want to change. I would also recommend using Joomla 2.5 coding standards to make database queries, like so:
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select($db->quoteName('*'))
->from($db->quoteName('#__table'))
->where($db->quoteName('id') . ' = ' . $db->quote($some_id));
$db->setQuery($query);
$rows = $db->loadRow(); //or loadResult()
The only time I have ever needed to sanitize (so to speak) something was when handling files, in which case I used JFile::makeSafe();.
Please take a look at this and you will get your answer:
Secure coding guidelines
http://docs.joomla.org/Secure_coding_guidelines
Take a look at JInput and this corresponding documentation
Filter example:
$jinput = JFactory::getApplication()->input;
$some_id = $jinput->get('someid', '', 'string');
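The question's concatenated query beside a hardened Joomla 2.5 version, as an added example that is not code from any of the posts above. It assumes it runs inside a Joomla 2.5 extension (so JFactory and JInput are loaded); the table name `#__table`, the request parameter `someid` and both function names are illustrative.

```php
<?php
defined('_JEXEC') or die;

// VULNERABLE (the shape of the question's code): the raw $_GET value is
// dropped into the SQL string. Joomla does not sanitise $_GET for you, so
// anything the client sends becomes part of the statement.
function loadRowUnsafe()
{
    $some_id = $_GET['someid'];
    $db = JFactory::getDbo();
    $db->setQuery("SELECT * FROM #__table WHERE id = '$some_id'");
    return $db->loadRow();
}

// HARDENED: read the parameter through JInput with the integer filter, so the
// value is a PHP int before it reaches SQL, reject values that cannot be a
// valid id, then let the query builder quote the identifier. Returns null
// when the id is missing/invalid or when no row matches.
function loadRowSafe()
{
    $input   = JFactory::getApplication()->input;
    $some_id = $input->getInt('someid', 0);   // non-numeric input becomes 0

    if ($some_id <= 0) {
        return null;   // refuse rather than query with a bogus id
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('#__table'))
        ->where($db->quoteName('id') . ' = ' . (int) $some_id);
    $db->setQuery($query);

    return $db->loadRow();
}
```

For string parameters the same pattern applies with `$input->getString(...)` on the way in and `$db->quote($value)` on the way into the WHERE clause; the filter constrains the type, the quoting makes the literal safe, and neither one replaces the other.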
I'm building a custom component and I just want to get a value from the global config in my controller. I can't find any information about how to do this.
Something like...
$config = JFactory::getConfig();
$this->_db = $config->get('db');
The documentation on how to do it is slightly outdated:
http://docs.joomla.org/JFactory/getConfig
But if you check the code they actually drop the ampersand function:
https://github.com/joomla/joomla-cms/blob/staging/components/com_users/models/registration.php
$config = JFactory::getConfig();
$fromname = $config->get('fromname');
Also if you are trying to connect to the database you really can just use the DB object from JFactory.
$db = JFactory::getDbo();
Learn more about properly connecting to the database here:
http://docs.joomla.org/Accessing_the_database_using_JDatabase
Since Joomla 3.2:
JFactory::getApplication()->get($varname, $default);
See the reference
I have a question. In jos_users table there are columns referring to user details and such.
I can retrieve all other columns by using
$user = JFactory::getUser();
$userId = $user->get('columnname');
echo $userId;
But why can't I retrieve column user_group_id?
It returns nothing.
Seeing as you're using Joomla 1.5, you can use the following to get the user's usergroup:
$user = JFactory::getUser();
$user_type = $user->get('usertype');
echo $user_type;
Please bear in mind that 'usertype' was deprecated as of Joomla 1.6 so if you ever decide to upgrade to the latest Joomla version, this code will need to be replaced.
So I'm just trying to use xeditable (http://vitalets.github.io/x-editable/docs.html#gettingstarted) to make changes to my database via AJAX.
Since I'm new to this concept and I'm (forcefully) working with PHP for the first time, I need some help.
I setup the frontend part, and a script called (say) script.php is handling the data for me (I need to write the new value in my database).
I can't really understand what to do in the script. Can someone guide me towards it? The docs above don't really do it for me.
Looking in a project I worked on a few months back (sorry about the mysql_ stuff – not my choice!)
Something like:
<?php
include 'your/database/connection_stuff.php';
// Can't remember if x-editable passes the table in as well or not
$table = mysql_real_escape_string($_GET['table']);
// If not,
$table = 'name_of_table';
// x-editable posts the edited column (name), the new value and the row key (pk)
$value = mysql_real_escape_string($_POST['value']);
$name = mysql_real_escape_string($_POST['name']);
$pk = mysql_real_escape_string($_POST['pk']);
$result = mysql_query("UPDATE `$table` SET `$name` = '$value' WHERE id = '$pk'");
?>
Will do the trick.
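The same x-editable handler written with PDO prepared statements and an allow-list of editable columns, as an added example that is not the answer's code. x-editable POSTs `name` (column), `value` and `pk` (row id), as the answer above uses; the `articles` table, its columns and the demo rows are constructed here so the script runs against an in-memory SQLite database without any server.

```php
<?php
// Columns a client may edit. Identifiers cannot be bound as parameters, so
// the only safe way to accept a column name from the request is to map it
// onto a fixed list of our own literals. (Table and column names are assumed.)
const TABLE_NAME       = 'articles';
const EDITABLE_COLUMNS = array('title', 'introtext');

function updateField(PDO $pdo, $name, $value, $pk)
{
    if (!in_array($name, EDITABLE_COLUMNS, true)) {
        return array('ok' => false, 'error' => 'column not editable');
    }
    $pk = filter_var($pk, FILTER_VALIDATE_INT);
    if ($pk === false) {
        return array('ok' => false, 'error' => 'bad primary key');
    }

    // $name is now one of our own literals; $value and $pk are bound, never
    // interpolated, so quotes in the value cannot change the statement.
    $stmt = $pdo->prepare(
        'UPDATE ' . TABLE_NAME . ' SET "' . $name . '" = :value WHERE id = :pk'
    );
    $stmt->execute(array(':value' => $value, ':pk' => $pk));

    return array('ok' => true, 'rows' => $stmt->rowCount());
}

// --- constructed demo data, stands in for include 'your/database/connection_stuff.php' ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, introtext TEXT)');
$pdo->exec("INSERT INTO articles VALUES (3, 'old title', 'old text')");

// What script.php does with the request; simulated here instead of reading $_POST.
$post = array('name' => 'title', 'value' => "O'Reilly's guide", 'pk' => '3');
echo json_encode(updateField($pdo, $post['name'], $post['value'], $post['pk'])), "\n";

// A column the client is not allowed to touch is refused instead of spliced into SQL.
echo json_encode(updateField($pdo, 'password', 'x', '3')), "\n";

// A non-numeric pk never reaches the database either.
echo json_encode(updateField($pdo, 'title', 'x', '3 OR 1')), "\n";
```

In the real script.php replace the simulated `$post` with `$_POST`, send `Content-Type: application/json`, and return a non-200 status on the error branches; x-editable shows the response body as the error message.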
Let's say I have the following ids from articles (#__content):
3,4,5 and I want to know the SEO URLs for these ids within my template.
pseudo code:
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
->select(array('a.seolink'))
->from('#__content AS a')
->where("a.id = '3'" );
$db->setQuery($query); // set the query only after it has been built
Anyone knows a query or function which does the job?
with kind regards,
tony
If you have article slug ("id:alias") and category slug ("catid:catalias"), then you could do
$link = JRoute::_(ContentHelperRoute::getArticleRoute($slug, $catslug));
From #__content you can get id, alias and catid, so you just have to get category alias too (since I think it won't work without it, but you can try)
Offtopic: anyone interested in adding tag synonyms for Joomla, please give your opinion
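Building the SEF URLs for articles 3, 4 and 5 the way the answer describes, as an added example that is not code from the question or the answer. It assumes it runs inside a Joomla 2.5 template (so JFactory, JRoute and the com_content route helper are available) and that the ids are the ones from the question; the function name is illustrative.

```php
<?php
defined('_JEXEC') or die;
require_once JPATH_SITE . '/components/com_content/helpers/route.php';

// Returns an array of id => SEF URL for the given article ids.
function getArticleSefLinks(array $ids)
{
    // Force integers before the ids go into the IN (...) list, even though
    // they come from our own code here.
    $ids = array_map('intval', $ids);
    if (empty($ids)) {
        return array();   // "IN ()" is a SQL error
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select(array('a.id', 'a.alias', 'a.catid', 'c.alias AS catalias'))
        ->from('#__content AS a')
        ->join('LEFT', '#__categories AS c ON c.id = a.catid')
        ->where('a.id IN (' . implode(',', $ids) . ')');
    $db->setQuery($query);

    $links = array();
    foreach ($db->loadObjectList() as $row) {
        // "id:alias" and "catid:catalias" are the slugs the route helper expects
        $slug    = $row->id . ':' . $row->alias;
        $catslug = $row->catid . ':' . $row->catalias;
        $links[$row->id] = JRoute::_(ContentHelperRoute::getArticleRoute($slug, $catslug));
    }

    return $links;
}

$links = getArticleSefLinks(array(3, 4, 5));
foreach ($links as $id => $url) {
    // Aliases are editor-supplied text, so escape the URL before it goes into the markup.
    echo $id, ' => ', htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), '<br />';
}
```

The join fetches the category alias in the same round trip, which is the missing piece the answer mentions; unpublished or access-restricted articles are still returned by this query, so add the usual `a.state` and `a.access` conditions if the links are shown to anonymous visitors.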
I need to add a custom option to all products as they get saved. For that I need to find the function that inserts the products into the database, which I'm not able to find.
Please, any help would be appreciated.
thanx
$client = new SoapClient('http://www.magentolocal.it/api/?wsdl');
$session = $client->login('productloader', '1234567890');
$sku = "123456";
$attrs['name'] = "Template #1";
$attrs['description'] = "This is the first template.";
$attrs['short_description'] = "This is the short description of the template";
$attrs['websites'] = array('1');
$attrs['price'] = "11.53";
$attrs['categories'] = array('35');
$attrs['images'] = array();
$result = $client->call($session, 'catalog_product.create', array('simple', '63', $sku, $attrs));
echo $result;
$client->endSession($session);
Magento's EAV system is pretty strung out among several files, so you won't find a single function that accomplishes what you want. If you did go looking for it, and changed it, you would also be changing the same save method that mostly every other object in Magento uses, which is probably not what you want.
To do what you want, try setting up an observer/listener on the events that catalog products use when saving, namely catalog_product_save_before or catalog_product_save_after. That way, you don't have to hack the framework.
Hope that helps!
Thanks,
Joe
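An observer on `catalog_product_save_before` that attaches a custom option to every product as it is saved, as an added example that is neither Joe's code nor Magento's. The module name (Mymodule_Options), the class and method names, the option definition and the idempotency check are assumptions; the event name and the observer mechanism are the ones the answer above points to.

```php
<?php
// Register the observer in app/code/local/Mymodule/Options/etc/config.xml
// (assumed module; shown here as a comment so the file stays one block):
//
//   <config>
//     <global>
//       <events>
//         <catalog_product_save_before>
//           <observers>
//             <mymodule_options_add>
//               <type>singleton</type>
//               <class>Mymodule_Options_Model_Observer</class>
//               <method>addCustomOption</method>
//             </mymodule_options_add>
//           </observers>
//         </catalog_product_save_before>
//       </events>
//     </global>
//   </config>
//
// app/code/local/Mymodule/Options/Model/Observer.php:
class Mymodule_Options_Model_Observer
{
    const OPTION_TITLE = 'Gift message';   // assumed title of the option we add

    public function addCustomOption(Varien_Event_Observer $observer)
    {
        /** @var Mage_Catalog_Model_Product $product */
        $product = $observer->getEvent()->getProduct();

        // A product is saved many times over its life; do not attach a second
        // copy if the option is already there. Assumes the product's existing
        // options were loaded with it, which is the case for a loaded product.
        foreach ($product->getOptions() as $existing) {
            if ($existing->getTitle() === self::OPTION_TITLE) {
                return $this;
            }
        }

        $options = $product->getProductOptions();
        if (!is_array($options)) {
            $options = array();
        }
        $options[] = array(
            'title'          => self::OPTION_TITLE,
            'type'           => 'field',   // single-line text input
            'is_require'     => 0,
            'sort_order'     => 100,
            'price'          => 0,
            'price_type'     => 'fixed',
            'sku'            => '',
            'max_characters' => 100,
        );

        // setProductOptions() plus setCanSaveCustomOptions(true) is what the
        // admin product form sets before save, so the core save routine
        // persists the option; nothing in the framework is modified.
        $product->setProductOptions($options);
        $product->setCanSaveCustomOptions(true);

        return $this;
    }
}
```

Because the option is added in `catalog_product_save_before`, it is written in the same transaction as the product; doing the same work in `catalog_product_save_after` would require a second save and a guard against re-entering the observer.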
How about http://www.magentocommerce.com/wiki/doc/webservices-api/api/catalog_product#catalog_product.create?