
tep_db_prepare_input() vs tep_db_input()



In create_account.php, first the email string is sanitized:


$email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']);


Fine, it's made safe for the database.

But when it's used on the database, it's sanitized again using this second function:


$check_email_query = tep_db_query("select count(*) as total from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");



What's with that? Why is tep_db_input used to sanitize the string again? What did this function do that tep_db_prepare_input didn't?



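The two calls do different jobs, and the post's line "it's made safe for the database" is where the confusion starts. To the best of my recollection of osCommerce 2.2's includes/functions/database.php (check your own copy), tep_db_prepare_input() is a normalisation pass: it walks arrays, and if magic_quotes_gpc is on it strips the backslashes PHP already added, so the application sees the string the user actually typed. tep_db_input() is the escaping pass: it escapes quotes and backslashes for inclusion inside a single-quoted SQL literal (addslashes() in older releases, mysql_real_escape_string() in later ones). Only the second step addresses SQL injection; the first exists so that the second does not double-escape under magic quotes and so that the value stored is not "o\'reilly". The script below is an added illustration written for this thread, not osCommerce's own code: the function names demo_prepare_input, demo_db_input and build_lookup_query are hypothetical, the magic-quotes flag is simulated because get_magic_quotes_gpc() no longer exists in PHP 8, and addslashes() stands in for a real escaper so the script runs without a database.

```php
<?php
// Added example for this thread, not osCommerce code. It models the two passes
// the question is about: normalise when the request value is read, escape at
// the moment the value is spliced into SQL. All names here are hypothetical.

// Pass 1: normalise the raw request value. Under magic_quotes_gpc, PHP has
// already added backslashes to GPC data; undo that so later code works on the
// real string. This pass does NOT make the value safe to put inside SQL.
function demo_prepare_input($value, bool $magicQuotesOn)
{
    if (is_array($value)) {
        return array_map(
            fn($v) => demo_prepare_input($v, $magicQuotesOn),
            $value
        );
    }
    if ($magicQuotesOn) {
        $value = stripslashes($value);
    }
    return trim((string) $value);
}

// Pass 2: escape for a single-quoted SQL literal. In a live shop use
// mysqli_real_escape_string() with the open connection (it honours the
// connection charset) or, better, a prepared statement; addslashes() is used
// here only so the example runs offline.
function demo_db_input(string $value): string
{
    return addslashes($value);
}

// The create_account.php pattern: prepare on read, escape on use.
function build_lookup_query(string $rawEmail, bool $magicQuotesOn): string
{
    $email = demo_prepare_input($rawEmail, $magicQuotesOn);
    return "select count(*) as total from customers"
        . " where customers_email_address = '" . demo_db_input($email) . "'";
}

// Constructed sample inputs: a legitimate apostrophe, a classic injection
// attempt, and a backslash trick that only quote-escaping would miss.
$samples = [
    "o'reilly@example.com",
    "x@example.com' OR '1'='1",
    "x@example.com\\' OR 1=1 -- ",
];

foreach ($samples as $raw) {
    echo "raw value:              $raw\n";
    // Prepare alone leaves the quote intact: splicing this into SQL breaks
    // the literal, which is the injection the second pass prevents.
    echo "prepare only:           " . demo_prepare_input($raw, false) . "\n";
    echo "prepare + escape query: " . build_lookup_query($raw, false) . "\n\n";
}

// Why pass 1 exists: simulate magic_quotes_gpc by pre-escaping the request
// value the way PHP 5 did, then compare the stored literal with and without
// the stripslashes() step. Skipping it stores "o\\'reilly", not "o'reilly".
$gpcEscaped = addslashes("o'reilly@example.com");
echo "magic-quoted request:   $gpcEscaped\n";
echo "with prepare:           " . build_lookup_query($gpcEscaped, true) . "\n";
echo "without prepare:        " . "'" . demo_db_input($gpcEscaped) . "'\n";
```

Run it with `php demo.php`. The first loop shows that after prepare only, the injection sample still carries a bare quote that would terminate the SQL literal, while the escaped query keeps it inside the string. The final three lines show the double-escaping that the stripslashes() step avoids when magic quotes are on. The takeaway for the thread: keep both calls where osCommerce puts them, and never treat the prepare step as the one that protects the query.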