#smp_best-practices
Thread link: https://discord.com/channels/841573134531821608/1233385746422038558
Hi, let me help you with this.
I don't think it's a valid concern since you're only using user input for email and address, and not using any kind of string interpolation to build the request object.
Yeah, it was just an example for any case, not just address. But would you say that I won't need any kind of sanitize functions like sanitize_text_field and so on? Or can I just use the data directly from database/user input?
For the particular case that you shared, no, there's no need to sanitize the input. You could probably check if the $Email is a valid email string to raise an error early, but since you're not doing any string interpolation it is not a concern.
Alright, thanks. I also use this:

    // Optional extra line item, only added when both user-supplied fields are present
    if (!empty($other_price_name_one) && !empty($other_price_one)) {
        $other_costs_one = [
            'price_data' => [
                'currency' => 'eur',
                'product_data' => ['name' => $other_price_name_one],
                'unit_amount' => $other_price_one,
            ],
            'quantity' => 1,
        ];
    }

and insert it into the array for invoice->create. Moreover, I use this in accounts->create:

    'business_profile' => [
        'name' => $first_name . ' ' . $last_name,
    ],

Is it also okay to leave them like this, or does this fall under the string interpolation that you just mentioned?
SQL injection type of attacks can only happen if the control structures and data live in the same space, e.g. both part of the same string. However, in your case control structures are written as code, and data as strings within that code. Which means data can't change the flow of control. So you should be good.
Oh, I see, so in the worst case Stripe doesn't use the user input or throws an error. Thanks Vanya, appreciate your help!
If it's okay, I have a few more questions unrelated to this, as I can't open a new thread in #help.
I want to create invoices for my connected accounts. For regulatory reasons the invoice must contain the address of the individual of the connected account and the VAT ID or tax ID (called Steuernummer) of the connected account, as in Germany there are two kinds of tax IDs.

My first question is: Why is no address shown in the invoice although I used on_behalf_of and issuer for the connected account? The tax ID is also not available: after using the API for creating an EU VAT ID and after the success message is shown, there is still an error when I try to attach the tax ID to the connected account.

My second question is: The Steuernummer I mentioned earlier cannot be created via tax ID, as only EU VAT is supported. Isn't there a way to involve it anyway, as the Steuernummer has a different format (XXXXX/XXXXX) compared to the VAT (DEXXXXXXXXX)?

Btw, I currently use the test mode for this and the business types are individual, where I want to use the address from individual.address.
From what I understand you're trying to add the Steuernummer to the Invoices as well as EU VAT ID?
Not necessarily. In Germany you can have a Steuernummer without an EU VAT ID.
However, you need to include either the Steuernummer or the VAT ID.
Not both, but in some cases the user only has Steuernummer
But as far as I understand, Steuernummer can't be used as the tax id within Stripe, right?
You can display up to 4 custom fields on an Invoice, you could use it to display the Steuernummer: https://docs.stripe.com/api/invoices/create#create_invoice-custom_fields
Yeah, I thought about that too, but I hoped there was another solution. Any chance you'll add custom tax IDs in the future?
Oh, and is there also a solution for the address of the connected account, or should I insert it into the footer?
Feel free to reach out to Stripe Support and submit a feature request: https://support.stripe.com/?contact=true
Not sure if there's a way to set it automatically, so footer is a good workaround: https://docs.stripe.com/api/invoices/create#create_invoice-footer
Alright, appreciate your help Vanya! Have a great day!