CodeIgniter Forums
[CI4] Escaping ticket content message - Printable Version

[CI4] Escaping ticket content message - Awlikhaleghi - 12-22-2020

Hey guys, I am trying to create a ticketing system and I had a question here.
Do I need to use escapeString() while using a model->save($entity)?
If so, while using escapeString, after saving the TicketReply entity, the content message is something like this:
PHP Code:
test\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\ntest\r\
But I just need to be sure the user is not submitting malicious code like JS or HTML etc.

PHP Code:
// this is actually my question, do I need to escape this field or CI does it for me?
$reply = $tickets->escapeString($this->request->getPost("reply_message"));

// Creating the reply entity
$replyMessage = new TicketReply;
$replyMessage->ticket_id = $ticket->id;
$replyMessage->user_id   = $this->user->id;
$replyMessage->message   = $reply;

// insert new reply message ?
if (model("TicketReplyModel")->save($replyMessage))
{
    // redirect with success message
}
else
{
    // failed to save replied message ...
}

Thanks for taking the time.


RE: [CI4] Escaping ticket content message - kenjis - 12-25-2020

> need to be sure user is not submitting malicious code like js or html etc.

escapeString() has nothing to do with them.

https://codeigniter.com/user_guide/database/queries.html#escaping-queries
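Illustrating kenjis's point, as an added example that is not code from the thread or from CodeIgniter: it replays the pipeline from the question with PDO/SQLite in place of CI4's Model, uses a hypothetical mysqlEscape() as a stand-in for $db->escapeString() on MySQL, and shows that only output escaping with htmlspecialchars() (which CI4's esc() wraps) neutralises HTML/JS, while escapeString() before a bound insert just produces the literal "test\r\ntest" text seen above.

```php
<?php
// Added example, not from the thread or the CodeIgniter project.
// mysqlEscape() is an assumed stand-in for $db->escapeString() on MySQL, which
// wraps mysqli::real_escape_string(): it backslash-escapes NUL, \n, \r, \, ', " and ^Z.
function mysqlEscape(string $s): string
{
    return addcslashes($s, "\0\n\r\\'\"\x1a");
}

// Stands in for Model::save(): the value is bound, so the driver does the quoting.
function saveReply(PDO $db, string $message): string
{
    $stmt = $db->prepare('INSERT INTO ticket_replies (message) VALUES (:m)');
    $stmt->execute([':m' => $message]);
    return $db->query('SELECT message FROM ticket_replies ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
}

// Output escaping is what removes the XSS risk; nl2br() restores the line breaks.
function renderReply(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ticket_replies (id INTEGER PRIMARY KEY, message TEXT)');

// Constructed sample input: a multi-line reply carrying a script tag.
$input = "test\r\n<script>alert(1)</script>\r\ntest";

// 1) escapeString() and then a bound insert: the backslashes are stored literally,
//    which is the "test\r\ntest\r\n..." content the question shows.
$doubleEscaped = saveReply($db, mysqlEscape($input));
// 2) Binding alone stores the message exactly as typed.
$stored = saveReply($db, $input);

printf("escapeString + bind: %s\n", json_encode($doubleEscaped));
printf("bind only:           %s\n", json_encode($stored));
// 3) escapeString() never touched the <script> tag; htmlspecialchars() does.
printf("<script> survives escapeString: %s\n",
    str_contains(mysqlEscape($input), '<script>') ? 'yes' : 'no');
echo "rendered safely: ", renderReply($stored), "\n";
```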