escaping output in CodeIgniter
Filter Input, Escape Output.
After filtering input, I am using the html_escape function to escape database output before displaying it in the browser.

Quote:
$query = $this->db->query($sentstring); //returns list of users

Now result() returns an array of objects and html_escape expects a string. So I am getting the error

Quote:
Message: htmlspecialchars() expects parameter 1 to be string, object given

How do I resolve this issue? Also, is my method of escaping output a proper way?
$query->result() is an object.
You need to do html_escape from within your foreach loop
Thanks Martin.
So I have to do escaping like this for all the fields to be displayed:

Quote:
<?php
It is one way of doing it.
You need the loop to display the list in your view anyway. So why not call html_escape from there
07-24-2017, 10:56 AM
(This post was last modified: 07-24-2017, 11:05 AM by PaulD. Edit Reason: Clarification )
Assuming you have turned your object into an array it should work without looping if you wanted to do it in the controller.
Here is the function from common.php

PHP Code:
if ( ! function_exists('html_escape'))

So you should be fine with:

PHP Code:
$data['user'] = html_escape($query->result_array());

Paul

PS Isn't that a beautifully coded function. I love learning how to code better from the CI Core...
Thanks Paul for your reply.
This way I can do the escaping in the controller itself.

Quote:
$roles = $this->db->query($sql1, array($role_id));

But I am displaying the form values in the view as fields of an object and hence I will have to change them to array fields. For example:

Quote:
<div class="form-inline input-group">

Using this code, I display a user's assigned roles. Now when I try to change object fields to array fields, I get syntax errors.
A quick fix for that
PHP Code:
$data['user'] = html_escape($query->result_array());

PHP Code:
foreach($role as $std)
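The three approaches discussed in this thread side by side, as an added example that is not code from the thread or from the CodeIgniter core: escaping field by field inside the view loop (Martin's suggestion), escaping the whole result_array() once in the controller (Paul's suggestion), and a variant that walks result() objects property by property so the view can keep its $row->field syntax (the problem raised in the follow-up). The escape_output() function below is an assumed stand-alone stand-in for html_escape(): it mirrors what the thread says about the core function (strings are passed to htmlspecialchars, arrays are walked recursively) but fixes the charset to UTF-8 instead of reading config_item('charset'), and it adds object handling that the core function does not claim to have. The sample rows are constructed; the first username carries a script tag so the escaping is visible.

```php
<?php
// Added example, not CodeIgniter core code. escape_output() is an assumed
// stand-in for html_escape(): strings -> htmlspecialchars, arrays walked
// recursively, plus object handling so result() rows keep $row->field syntax.
function escape_output($var, bool $double_encode = true)
{
    if (is_array($var)) {
        foreach ($var as $key => $value) {
            $var[$key] = escape_output($value, $double_encode);
        }
        return $var;
    }
    if (is_object($var)) {
        // A row from $query->result() is a stdClass; escape each public
        // property on a clone so the original result set is left untouched.
        $copy = clone $var;
        foreach (get_object_vars($var) as $prop => $value) {
            $copy->$prop = escape_output($value, $double_encode);
        }
        return $copy;
    }
    if (is_string($var)) {
        // ENT_QUOTES also escapes single quotes, so the value is safe
        // inside single-quoted HTML attributes as well as in text nodes.
        return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
    }
    // ints, floats, bools, null: nothing to escape
    return $var;
}

// Constructed sample rows standing in for $query->result() (objects)
// and $query->result_array() (arrays).
$rowObjects = [
    (object) ['id' => 1, 'username' => '<script>alert(1)</script>', 'role' => 'admin'],
    (object) ['id' => 2, 'username' => 'O\'Brien & "Co"',           'role' => 'user'],
];
$rowArrays = array_map(function ($o) { return (array) $o; }, $rowObjects);

// 1. Escape field by field inside the loop in the view (the objects
//    themselves are never passed to the escaper, which is what triggered
//    the "expects parameter 1 to be string, object given" error).
foreach ($rowObjects as $user) {
    printf("<li>%s (%s)</li>\n", escape_output($user->username), escape_output($user->role));
}

// 2. Escape the whole result_array() once in the controller; the view
//    then reads plain array fields.
$data['users'] = escape_output($rowArrays);
foreach ($data['users'] as $user) {
    printf("<li>%s (%s)</li>\n", $user['username'], $user['role']);
}

// 3. Escape the result() objects in the controller but keep object
//    syntax in the view, so existing $user->field templates need no change.
$data['users'] = escape_output($rowObjects);
foreach ($data['users'] as $user) {
    printf("<li>%s (%s)</li>\n", $user->username, $user->role);
}
```

Whichever variant is used, the escaping is only correct for HTML text and attribute contexts; a value written into a JavaScript block, a URL, or a CSS rule needs a context-specific encoder instead of htmlspecialchars. Escaping once in the controller (variants 2 and 3) is convenient, but the data must then not be escaped a second time in the view with $double_encode left at true, or literal "&amp;" sequences will appear in the page.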