CodeIgniter Forums
Safe data from database - Printable Version

+--- Thread: Safe data from database (/showthread.php?tid=18899)



Safe data from database - El Forum - 05-21-2009

[eluser]Jagar[/eluser]
Is there any way to return safe data from the database in CI? I tried to insert something with quotes; it does insert properly using the mysql_real_escape_string function, but when getting it back, the form does not display properly.

Thanks


Safe data from database - El Forum - 05-21-2009

[eluser]janogarcia[/eluser]
Hi,

Have you tried using the Form helper to generate your form fields or alternatively the form_prep() function?


Safe data from database - El Forum - 05-21-2009

[eluser]Thorpe Obazee[/eluser]
[quote author="Jagar" date="1242948503"]Is there any way to return safe data from the database in CI? I tried to insert something with quotes; it does insert properly using the mysql_real_escape_string function, but when getting it back, the form does not display properly.

Thanks[/quote]

How does it 'not display properly'?


Safe data from database - El Forum - 05-21-2009

[eluser]Jagar[/eluser]
The site is on an intranet, and not many people will be using it, but there are stupid people who will mess with it and will do anything to crash it.

I have a form (not using the form helper); it adds certain data, so I was inserting the weirdest strings I could think of, such as
Code:
[removed]
Something like that. Using the mysql_real_escape_string function, it will only escape the double quote. So I am asking for a way to insert the data safely into the database, which it does, and then retrieve it for display. I found the htmlspecialchars function and the htmlentities function, which do the job; is there a better way than using those functions in CI?

Thanks!


Safe data from database - El Forum - 05-21-2009

[eluser]Jagar[/eluser]
I didn't know it would remove JavaScript; what I had was JavaScript tags with no closing double quote.


Safe data from database - El Forum - 05-21-2009

[eluser]Jagar[/eluser]
I will try form_prep, and see how it goes.


Safe data from database - El Forum - 05-21-2009

[eluser]Tom Schlick[/eluser]
Google HTML Purifier; it has a lot of options for escaping things and replacing them with entities. It can easily be dropped in as a CI library.


Safe data from database - El Forum - 05-22-2009

[eluser]Jagar[/eluser]
About form_prep: if I apply form_prep on results coming from the database and then load them into the form, for editing for example, is it going to change it back to normal HTML, or will it be saved as what form_prep changed it to?
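One way to see the answer to the round-trip question above, as an added example that is not code from this thread or from CodeIgniter: keep the raw value in the database and escape it exactly once, on the way into the HTML. It assumes PDO with an in-memory SQLite database in place of MySQL and plain htmlspecialchars() in place of form_prep(); the sample input is constructed.

```php
<?php
// Added example: store raw input, escape once at output time.
// Constructed sample of the kind of value discussed in the thread:
// an unterminated double quote inside a tag, plus a quote in a name.
$userInput = '<script src="x.js>alert(1)</script> O"Brien';

// Simulated storage: a parameterised query protects the SQL statement
// only; it has nothing to do with the HTML rendered later.
function save(PDO $db, string $value): void {
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
}

// Output encoding for an attribute value. ENT_QUOTES covers both quote
// kinds, so a stray " cannot close the value="..." attribute early.
function attr(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the edit field from whatever came out of the database.
function inputField(string $raw): string {
    return '<input type="text" name="body" value="' . attr($raw) . '">';
}

// Round trip with an in-memory SQLite database (assumption: pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
save($db, $userInput);

$stored = $db->query('SELECT body FROM notes')->fetchColumn();
// The database holds the original text, unchanged.
assert($stored === $userInput);

// Correct: escaped once, on output. The browser decodes the entities when
// it shows the field and submits the original text back, so no
// "conversion back" step is needed before saving the edit.
echo inputField($stored), PHP_EOL;

// What goes wrong if the value had been escaped before storage and is
// then escaped again on output: the user sees &amp;quot; literally.
$storedEscaped = attr($userInput);
echo inputField($storedEscaped), PHP_EOL;
```

Run it with `php example.php`; the first line is the field you want, the second shows the double-encoding that storing pre-escaped text produces.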