CodeIgniter Forums
Forms, loading data and updating database.. - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
+--- Thread: Forms, loading data and updating database.. (/showthread.php?tid=13096)

Forms, loading data and updating database.. - El Forum - 11-11-2008

[eluser]julgus[/eluser]
With the code I fetch some data
Code:
$query = $this->db->query("select * from atable where id={$this->session->userdata('partner_id')}");
    if ($query->num_rows() > 0)
            $partner_info=$query->row_array();

I then call a view

Code:
if ($this->form_validation->run() == FALSE)
        {
            $this->load->view('aview',$partner_info);
        }
        else
        {
            $sqlstr=$_POST;
            unset($sqlstr['id']);
            $str = $this->db->update_string('atable', $sqlstr, "id={$this->session->userdata('partner_id')}");
            
            echo $str;
            
            //$this->db->query($str);
            //redirect('/partner');
        }

I want to use the update_string and therefore I use the $_POST array which I cleans from unwanted elements using the unset function. Is this a proper way of doing things or?

Furthermore I tried to use the set_value function in my form after passing the above query result. This didn't work - the function didn't return any data. Is it supposed to work like this?

Regards
Johan

Forms, loading data and updating database.. - El Forum - 11-12-2008

[eluser]lmv4321[/eluser]
It is very unsafe to insert data into your tables straight from the $_POST array (see XSS attacks). You should use the $this->input->post() function which makes sure the data is defined and clean. See http://ellislab.com/codeigniter/user-guide/libraries/input.html for more details.

So, to use:
Code:
if ($this->form_validation->run() == FALSE)
        {
            $this->load->view('aview',$partner_info);
        }
        else
        {
            // assumes fields of name, address, city, state, zip
            // replace with your field names
            $sqlstr = array(
               'name'    => $this->input->post('name', TRUE),
               'address' => $this->input->post('address', TRUE),
               'city'    => $this->input->post('city', TRUE),
               'state'   => $this->input->post('state', TRUE),
               'zip'     => $this->input->post('zip', TRUE),
            );
            $str = $this->db->update_string('atable', $sqlstr, "id={$this->session->userdata('partner_id')}");
            
            echo $str;
            
            //$this->db->query($str);
            //redirect('/partner');
        }