CodeIgniter Forums

Full Version: Help me become a better developer!
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]awpti[/eluser]
So, I'm now on month 1 of CodeIgniter. Wow.

I'll post my Model and Controller (Only have one of each, for now) here.

What I'm specifically looking for:

Comments.

Be blunt, I can take it.

Tell me I'm doing something completely stupid if I am, in fact, doing something completely stupid.

I currently use Coolfactor's awesome View library.

So, without further adeu:

controller/blog.php

Code:
class Blog extends Controller {

private $awTitle = 'awpti.org - Where geeks roam free!';
private $awHeader = 'awpti.org';

function Blog() {
  parent::Controller();

  $this->load->model('blogmodel', 'blog', TRUE);
  
  //Set the header/footer template
  $this->view->part('header', 'common/header.php');
  $this->view->part('footer', 'common/footer.php');
}

function index() {
  $this->view->set('Title', $this->awTitle);
  $this->view->set('Header', $this->awHeader); //need to rename this variable. maybe later

  $this->view->set('Query_News', $this->blog->get_latest_news(3));;
  $this->view->load('blog/front');
}

function comments() {
  $this->view->set('Title', $this->awTitle.' (Comments)');
  $this->view->set('Header', $this->awHeader);

  if( !$this->uri->segment(2) || !ctype_digit($this->uri->segment(2)) ) {
   $this->view->set('Query_News',  $this->blog->get_latest_news(1));
   $this->view->set('Query_Comments', $this->blog->get_comments());
  } else {
   $this->view->set('Query_News', $this->blog->get_news_by_id( $this->uri->segment(2) ));
   $this->view->set('Query_Comments', $this->blog->get_comments( $this->uri->segment(2) ));
  }
  
  $this->view->set('CommentID', $this->uri->segment(2));
  
  $this->view->load('blog/comments');
}

/*

Code snipped for brevity, nothing to improve here as they are placeholders/static content

*/

} //end class. Duh.

And..

models/blogmodel.php

Code:
class Blogmodel extends Model {

function Blogmodel() {
  parent::Model();
}

function get_latest_news($limit) {
  $news = $this->db->query('SELECT *,
      IF( awNewsComments.comments_news_id IS NOT NULL, count( * ), 0 ) AS num_comments
      FROM awNews
      LEFT JOIN awNewsComments ON awNews.news_id = awNewsComments.comments_news_id
      GROUP BY awNews.news_id ORDER BY awNews.news_id DESC
      LIMIT '.$limit);
  return $news->result();
}

function get_comments($news_id = '') {
  if(!$news_id) {
   $query_comments = $this->db->query("SELECT * FROM awNewsComments WHERE comments_news_id = (SELECT MAX(news_id) FROM awNews) ORDER BY comments_id DESC");
  } else {
   $query_comments = $this->db->query("SELECT * FROM awNewsComments WHERE comments_news_id = {$news_id} ORDER BY comments_id DESC");
  }

  return $query_comments->result();
}

function get_news_by_id($news_id) {
  $news = $this->db->query('SELECT * FROM awNews WHERE news_id = '.$news_id);
  return $news->result();
}
}

I attempted to avoid any sort of logic in the models, but I couldn't devise any way to do it without creating a bunch of fluff, redundant functions.

To recap: Blast me as hard as you can, but throw some lessons in there, if possible.

El Forum

[eluser]batteries[/eluser]
"blast me as hard as you can".. haha, i like.

ok. fine.

how sure are you that your $limit variable is clean? cast to an integer you damn n00b!! like so.

Code:
$sql = 'blha lbha LIMIT '.(int)$limit;

also, setting your sql statements to variable will make things a little neater:

Code:
$sql = 'SELECT * FROM WHERE x = 4 ';
$sql.= 'AND this = $that';

$query = $this->db->query($sql);

also, i think it's better to check your db query results in the model. returning results on TRUE and error codes/FALSE on no result. but that's just me. this keeps the controller cleaner.

Edit,just incase: .. only cast to (int), values that numerical!

El Forum

[eluser]Rick Jolly[/eluser]
Two things come to mind:

1. escape your sql
Code:
// you could let CI escape your sql automatically by using query bindings:
$sql = "SELECT * FROM awNewsComments WHERE comments_news_id = ? ORDER BY comments_id DESC";
$this->db->query($sql, array($news_id));

2. beware of sql injection. For example, you could verify that $news_id is a number (and therefore you would know $news_id isn't some malicious sql). EDIT: Ah, you checked for a number, sorry I missed it the first time.

El Forum

[eluser]Rick Jolly[/eluser]
One more thing - I see you are using php 5 based on your private properties. You could use the php 5 constructor for the sake of consistency:
Code:
function __construct() {
  parent::Controller();
}
Note though that since CI is php 4 you can't call the parent constructor like this: parent::__construct();

Also, I'm not sure if you are aware but you don't need the constructor in the model since you aren't using it for anything. It doesn't hurt to have it though.

El Forum

[eluser]awpti[/eluser]
Thanks for the replies, gents!

I'm slowly working on the sql injections holes - mainly just checking if ctype_digit() against ID values.

Code:
if( !$this->uri->segment(2) || !ctype_digit($this->uri->segment(2)) ) {

If that little number fails, it just defaults to pulling the newest post and showing related comments.

As far as $limit - I always know that's going to be a numerical value. It's only ever passed internally.

( get_latest_news(3) )
( get_latest_news(1) )

I'll give that SQL Binding thing a try.

El Forum

[eluser]Rick Jolly[/eluser]
Another issue - xss. See the comments below:
Code:
function comments() {
  $this->view->set('Title', $this->awTitle.' (Comments)');
  $this->view->set('Header', $this->awHeader);

  if( !$this->uri->segment(2) || !ctype_digit($this->uri->segment(2)) ) {
   $this->view->set('Query_News',  $this->blog->get_latest_news(1));
   $this->view->set('Query_Comments', $this->blog->get_comments());
  } else {
   $this->view->set('Query_News', $this->blog->get_news_by_id( $this->uri->segment(2) ));
   $this->view->set('Query_Comments', $this->blog->get_comments( $this->uri->segment(2) ));
  }
  
  // This could be a problem since you are assigning potentially unclean data to the view.
  // You should move this into your "else" above.
  $this->view->set('CommentID', $this->uri->segment(2));
  
  $this->view->load('blog/comments');
}

El Forum

[eluser]awpti[/eluser]
I concur!

Didn't even think about that one. That's going to be part of my comment system - though most likely I'll do some hardcore sanity checking once I bring the comments to life. If ever (I can't get the forms looking good).

El Forum

[eluser]RaZoR LeGaCy[/eluser]
How does this measure up??

Code:
if ( !$this->uri->segment(3) || !ctype_digit($this->uri->segment(3)) ){

redirect('movies/');

} else {

$this->load->helper('text');

#$this->output->cache(0);
#$this->output->enable_profiler(TRUE);

#Queries

$this->db->where('rid', $this->uri->segment(3));
$data['reviews'] = $this->db->get('hellhorror_reviews');

}