Redundant or Safer? - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
Thread: Redundant or Safer? (/showthread.php?tid=12393)
Redundant or Safer? - El Forum - 10-17-2008
[eluser]Jesse Schutt[/eluser]
Hello All,

I am collecting info from a form and posting it to my db using the following code. It occurred to me that the $post_data array that I have created might be redundant. Should I pass the _POST array to the model instead of writing my own $post_data array?

Code:
if ($this->validation->run() == FALSE)

In other words, is this better practice? Is it safe?

Code:
if ($this->validation->run() == FALSE)

Thanks in advance!
Jesse

Redundant or Safer? - El Forum - 10-17-2008
[eluser]SitesByJoe[/eluser]
If there were values in your post that you didn't want to pass to the db, or any additional information alterations were needed, you would certainly want to create a new array.

This would typically follow up a successful validation check.

Redundant or Safer? - El Forum - 10-17-2008
[eluser]Jesse Schutt[/eluser]
Thanks for the thoughts! That makes good sense. Right now the POST array contains all the information I want to drop into a new record in the DB.

Does CodeIgniter sanitize the POST array? I read in the docs that the keys to the POST array are cleaned, but it doesn't mention anything else...

Thanks!

Redundant or Safer? - El Forum - 10-17-2008
[eluser]meigwilym[/eluser]
The POST array accessed through

Code:
$this->input->post('value');

The $_POST is left untouched.

http://ellislab.com/codeigniter/user-guide/libraries/input.html

Mei

Redundant or Safer? - El Forum - 10-17-2008
[eluser]Jesse Schutt[/eluser]
Mei,

Thanks! Let me make sure I am understanding what you are saying...

Code:
$this->input->('whatever_input_name_from_my_form_here');

Is that right? If so, that is what I was doing in my very first example. I am wondering if I can pass the entire $_POST variable to the method safely.

Thanks for your input!
Jesse

Redundant or Safer? - El Forum - 10-17-2008
[eluser]JoostV[/eluser]
If you use

Code:
$this->validation->whatever_input_name_from_my_form_here;

This gives you more control over sanitizing input.

However, if you're going to use input, it's

Code:
$this->input->post('whatever_input_name_from_my_form_here');

Code:
$this->input->('whatever_input_name_from_my_form_here');

Finally, even if CI sanitizes a lot of your input, you should still always sanitize input. For instance, if you execute

Code:
$this->db->where('id', $id);

Redundant or Safer? - El Forum - 10-17-2008
[eluser]Rick Jolly[/eluser]
One thing to note is that validation works directly on the $_POST array and alters it according to your validation rules.

I agree that you should specify the $_POST variables you want to pass to the model. You can automate the process a bit. I'd prep the values using validation and then create a helper to pass only the fields defined in validation to the model.
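An added example, not code from this thread or from CodeIgniter itself, of the helper Rick Jolly describes: it builds the $post_data array from the same $rules array a CI 1.x controller hands to $this->validation->set_rules(), so only fields that have a validation rule reach the model and any extra field the client appends to the request is dropped. The $rules, the request array and the Member_model->create() call are constructed for illustration.

```php
<?php
// Added example (not the thread's or CodeIgniter's own code).
// Idea: the validation rules already list every field the form is
// supposed to send, so use that list as the whitelist for the model.

/**
 * Return a copy of $post containing only the keys that have a rule in $rules.
 * Fields missing from the request are set to NULL so the model always
 * receives the same set of columns.
 */
function whitelist_post(array $rules, array $post)
{
    $data = array();
    foreach (array_keys($rules) as $field) {
        $data[$field] = array_key_exists($field, $post) ? $post[$field] : NULL;
    }
    return $data;
}

// Constructed sample rules, in the CI 1.x Validation class format.
$rules = array(
    'username' => 'trim|required|min_length[4]|xss_clean',
    'email'    => 'trim|required|valid_email',
    'password' => 'required|min_length[6]',
);

// Constructed sample request. "is_admin" is not a form field; a client
// can still add it to the POST body, and passing $_POST straight to
// $this->db->insert() would let it set that column if it exists.
$raw_post = array(
    'username' => 'jesse',
    'email'    => 'jesse@example.com',
    'password' => 'hunter22',
    'is_admin' => '1',
);

// Only username, email and password survive; is_admin is discarded.
$post_data = whitelist_post($rules, $raw_post);

// In a controller this would sit after a successful validation run:
//   $this->validation->set_rules($rules);
//   if ($this->validation->run() == TRUE) {
//       $this->Member_model->create(whitelist_post($rules, $_POST)); // hypothetical model method
//   }
```

Because CI's validation rewrites $_POST in place (as Rick Jolly notes), call the helper after run() so the trimmed and cleaned values are the ones copied; the whitelist removes unexpected fields but does not replace escaping of the values themselves.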