Hello everyone!

I allow users to submit a question, and they should be able to have single quotes in their title. Currently, if a title contains a single quote, it will submit properly.

    $question->values($post_data);
    $question->save();

Any ideas on how I can set Kohana to escape that single quote / escape my information automatically? I would like to avoid having to addslashes() every input and removeslashes() every display...

Thank you so much, SO community! (This question is crossposted at http://forum.kohanaframework.org/comments.php?DiscussionID=6525)

+1  A: 

Actually, you should never use addslashes() to escape DB values at all, especially not in Kohana, since values are "escaped" while being saved (the example you're giving is an ORM one; you can always mess up a custom DB query to get a MySQL injection / broken query).

If you don't want something to get escaped, wrap it in DB::expr() (so it'll return an instance of Database_Expression, which doesn't get automatically escaped).

To escape a value manually, use Database::quote() (not static; call it through your Database object, e.g. $db->quote($value)).

Kemo
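The three cases the answer describes side by side, as an added example that is not from the question, the answer or the Kohana project itself. It assumes the Kohana 3.x query builder (DB::select(), DB::query() with ->param(), DB::update(), Database::instance()) and a constructed `questions` table; only DB::expr() and $db->quote() come from the answer.

```php
<?php
// Constructed sample input: a title containing a single quote.
$title = "What's the best way to handle quotes?";

// BROKEN / INJECTABLE: the value is concatenated into the SQL text, so the
// apostrophe in $title closes the string literal early. This is the
// "custom DB query" case the answer warns about; never run it unescaped.
$broken_sql = "SELECT * FROM questions WHERE title = '" . $title . "'";

// 1) Query builder: the value is escaped for you, exactly like ORM::save().
$rows = DB::select()
    ->from('questions')
    ->where('title', '=', $title)
    ->execute()
    ->as_array();

// 2) Raw SQL with a bound parameter: the driver quotes :title on execute().
$rows = DB::query(Database::SELECT,
        'SELECT * FROM questions WHERE title = :title')
    ->param(':title', $title)
    ->execute()
    ->as_array();

// 3) Manual quoting through the Database instance ($db->quote(), as in the
//    answer). quote() wraps the value in quotes and escapes the apostrophe,
//    so the resulting SQL is a single, well-formed string literal.
$db       = Database::instance();
$safe_sql = 'SELECT * FROM questions WHERE title = ' . $db->quote($title);

// 4) Deliberately unescaped: DB::expr() yields a Database_Expression that the
//    builder passes through verbatim. Use it only for SQL you wrote yourself,
//    such as a function call, never for anything that came from the request.
DB::update('questions')
    ->set(array('updated_at' => DB::expr('NOW()')))
    ->where('title', '=', $title)   // still escaped: plain PHP string
    ->execute();
```

The defensive rule that falls out of this: user input always travels as a plain PHP value (builder argument, bound parameter, or $db->quote()), and DB::expr() is reserved for SQL fragments that never contain user data.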