Do I have to escape user data retrieved from the database?
#1

[eluser]behnampmdg3[/eluser]
***
This is not about SQL injection, this is about HTML escape.
***


Hi;

1 - In CI, when I insert data into the database and later need to retrieve and print it on screen, do I have to escape it for HTML, or is data retrieved from the database automatically escaped?

For example do I have to use this code?
Code:
function html_escape($raw_input) {
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');     // important! don't forget to specify ENT_QUOTES and the correct encoding
}


2 - What about $_POST? Do I have to escape that as well, or is it automatically escaped?

Thank you
#2

[eluser]Otemu[/eluser]
Hi,

Data is not automatically escaped from the database; you could sanitize the data returned from the database as an extra measure if you wish. Normally, validating data being submitted to the database is enough.

Check out Form Validation Class when submitting POST data.
Some tips can be found here http://ellislab.com/codeigniter/user-gui...urity.html

#3

[eluser]jairoh_[/eluser]
It's not automatically escaped. You should do it on your own, sir. :)
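The point both answers make, shown in code. This is an added example, not code from the thread or from CodeIgniter: it uses an in-memory SQLite database through PDO (assumed available) instead of CI's database class, and the `comments` table, the `html_escape()` helper (copied from the question) and the submitted string are all constructed here. It shows that a value comes back from the database byte-for-byte as it was stored, so escaping has to happen where the value is written into HTML, and that the same rule applies to a `$_POST` value echoed back into a form.

```php
<?php
// Added example, not from the thread. Demonstrates that a database round-trip
// does not escape anything, and that a prepared statement (SQL injection) and
// html_escape() (HTML injection) solve two different problems.

function html_escape($raw_input) {
    // ENT_QUOTES escapes both " and ' so the result is safe inside quoted
    // attributes as well as in element text; the charset must match the page.
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Stand-alone stand-in for CodeIgniter's database class (assumption: PDO + SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, standing in for what a form would deliver in $_POST['body'].
$submitted = '<script>alert("xss")</script> said "hi" & left';

// Prepared statement: handles SQL injection on the way in, and nothing else.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $submitted]);

$row = $db->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

// 1. The database returns exactly the bytes it was given.
var_dump($row['body'] === $submitted); // bool(true)

// 2. Unescaped output: the stored markup becomes part of the page (stored XSS).
$unsafe = '<p>' . $row['body'] . '</p>';

// 3. Escaped output: the browser renders the text literally.
$safe = '<p>' . html_escape($row['body']) . '</p>';

echo $unsafe, "\n";
echo $safe, "\n";
// <p>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; said &quot;hi&quot; &amp; left</p>

// 4. Same rule for $_POST: PHP does not escape request data either. When a
//    submitted value is echoed back into a form field (e.g. re-populating the
//    form after a validation error), escape it at the point of output.
$_POST['body'] = $submitted; // simulated request, constructed for this example
echo '<input type="text" name="body" value="' . html_escape($_POST['body']) . '">', "\n";
```

Run it with `php example.php`. One caveat worth keeping in mind: `htmlspecialchars()` is the right encoder for HTML text and quoted attribute values only; a value placed inside a `<script>` block, a URL, or a CSS rule needs the encoding for that context instead.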




Theme © iAndrew 2016 - Forum software by © MyBB