+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Best way to get validated form data into a database (/showthread.php?tid=13000)
Best way to get validated form data into a database - El Forum - 11-07-2008
[eluser]McNoggin[/eluser]
I have only been using CI for a month or 2 so I'm still pretty new at it. I was working on some forms today and realized I was writing more or less the same code over and over.
My controllers almost always do the following:
1. setup the validation rules
2. run the validation
3. build an array from the post data
4. pass array it into a model ($this->db->insert( 'tableName', $valPostData ), etc)
I'd like to know if there is a way to skip step 3, or at least make it a single call instead of one line for each field. The form_validator already knows all of the fields I care about because I created rules for them in step 1. I'm not going to insert any data the user input into my database that hasn't been ran through the validator.
My thinking (assuming it doesn't already exist and I just don't know about it) is to extend the form_validator and add a function that does this. Not sure of the variable names but more or less it would do the following:
Code:
function getValidPostData()
{
foreach($validation_rule as $rule)
{
$validPostData[ $rule['field'] ] = $this->input->post( $rule['field'] );
}
return $validPostData;
}Best way to get validated form data into a database - El Forum - 11-07-2008
[eluser]OES[/eluser]
If you are using 1.7 make the form fields as arrays.
ie.
<input type="input" name="myform[first_name]">
<input type="input" name="myform[last_name]">
Then after the form_validation run the data will be ready for collection. So you can pass your insert like.
$this->db->insert( ‘tableName’, $$this->input->post("myform"));
Hope this helps.
Best way to get validated form data into a database - El Forum - 11-07-2008
[eluser]McNoggin[/eluser]
Thanks, if that works it would be much easier then what I'm doing currently. My only concern about using that is that is it seems like a security risk. Say for example my users table has fields for id, name, group, email, birth_day, etc.
Now if I make a form that allows them to update their profile (email, bday, etc). If I did it the way you suggested wouldn't it be possible for an attacker to guess the data base columns and send an extra field along to change it. So for example the form may of only had a field for email address, but they added one for the group so now it would update their email address and allow them to be come admins, etc.
That was my reason for thinking about only getting fields that had validation rules.
Best way to get validated form data into a database - El Forum - 11-07-2008
[eluser]Pascal Kriete[/eluser]
You're right, you definitely want to filter what you're inserting. I use something similar to this (in an extended form validation class):
Code:
/**
* Filters allowed post keys
*
* @access public
* @param post data
* @return cleaned array
*/
function filter_input_data($data)
{
$allowed = $this->_field_data;
return array_intersect_key($data, $allowed);
}Then use it like this:
Code:
$db_clean = $this->validation->filter_input_data($_POST);[Edit: PHP >= 5.1 only]
Best way to get validated form data into a database - El Forum - 11-07-2008
[eluser]OES[/eluser]
Yes Correct and as per what inparo has said.
I do something very simular, In the model I check for unwanted data et.
Good Luck