Escaping form inputs - Printable Version
+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Escaping form inputs (/showthread.php?tid=23559)
Escaping form inputs - El Forum - 10-14-2009
[eluser]loonychune[/eluser]
I was just working through a form, escaping the values in the controller(!) because I wanted to reuse the variables. So, I'm thinking of escaping the values something like this:

Code:
class Something extends Model {

This seems an efficient way to do things if I had, say, 5 or 6 functions reusing the $user and $pass values... I don't want to have to escape the values in EVERY method. What do you think???

I'm also curious about how to go FURTHER... i.e. MY_Controller pops up a lot in the forums and seems to be a way of implementing reusable functionality. Appreciate your input...

Escaping form inputs - El Forum - 10-14-2009
[eluser]n0xie[/eluser]
Why not use Active Record? It will escape your queries automatically for you.

Escaping form inputs - El Forum - 10-14-2009
[eluser]loonychune[/eluser]
Guess I ought to, but I found myself setting the 2nd or 3rd parameter in select() and where() to FALSE sometimes, which kinda went against the ethos of using the Active Record class, I think.

Escaping form inputs - El Forum - 10-15-2009
[eluser]n0xie[/eluser]
[quote author="loonychune" date="1255598844"]Guess I ought to, but I found myself setting the 2nd or 3rd parameter in select() and where() to FALSE sometimes, which kinda went against the ethos of using the Active Record class, I think.[/quote]
Usually when you have a complex query that doesn't fit into the AR mould, it might be easier (and safer) to use prepared statements. In your case:

Code:
function delete($pass)

Also be extra careful when passing strings to a destructive query (UPDATE and DELETE) where the delimiter is NOT an integer. If you pass a boolean FALSE to it, or an empty string / NULL, you might end up deleting the whole content of the table. This is a mistake you don't want to ever have to explain.

Escaping form inputs - El Forum - 10-16-2009
[eluser]loonychune[/eluser]
Thank you, much appreciated.
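Worked example, added by the editor to tie the three points of the thread together; it is not code from the thread or from CodeIgniter itself. It assumes the CodeIgniter 1.7 API that was current when the thread was written (a model extending `Model`, `$this->input->post()`, Active Record `where()`/`get()`/`delete()`, query bindings through `$this->db->query($sql, $binds)`, and `$this->db->affected_rows()`). The `users` table, its `username`, `pass` and `role_id` columns, the `roles` table and the model name `User_model` are all assumptions made for the illustration. The model reads the posted values once so every method can reuse them, but keeps them raw: the escaping belongs at the point where a value is used, because SQL, HTML and a shell each need different escaping.

```php
<?php
// Added example (editor's, not from the thread or from CodeIgniter).
// Assumes the CodeIgniter 1.7 API: Model, $this->input->post(),
// Active Record where()/get()/delete(), query bindings through
// $this->db->query($sql, $binds), and $this->db->affected_rows().
// The `users` table, its `username`/`pass`/`role_id` columns and the
// `roles` table are assumptions made for the illustration.
class User_model extends Model
{
    // Raw values, read once in the constructor so every method can reuse
    // them. They are NOT escaped here: the right escaping depends on where
    // a value ends up (SQL, HTML, a shell), so it is applied at each sink.
    var $user;
    var $pass;

    function User_model()
    {
        parent::Model();
        // input->post() returns FALSE when the field is absent from the request.
        $this->user = $this->input->post('username');
        $this->pass = $this->input->post('pass');
    }

    // Simple lookup: Active Record escapes and quotes each where() value.
    function find()
    {
        $this->db->where('username', $this->user);
        $this->db->where('pass', $this->pass);
        $q = $this->db->get('users', 1);
        return ($q->num_rows() == 1) ? $q->row() : NULL;
    }

    // A query that does not fit the AR mould: use query bindings. Each '?'
    // is replaced, in order, by the escaped (and, for strings, quoted)
    // value. CI 1.x does this on the client side before sending the SQL,
    // so it is not a server-side prepared statement, but the values never
    // reach the SQL string unescaped.
    function find_with_role()
    {
        $sql = "SELECT u.id, u.username, r.name AS role
                FROM users u
                LEFT JOIN roles r ON r.id = u.role_id
                WHERE u.username = ? AND u.pass = ?
                LIMIT 1";
        $q = $this->db->query($sql, array($this->user, $this->pass));
        return ($q->num_rows() == 1) ? $q->row() : NULL;
    }

    // Destructive query keyed on a string. Refuse anything that is not a
    // non-empty string: CI 1.7's escape() renders FALSE as the number 0,
    // and MySQL evaluates `pass = 0` as true for every stored value that
    // converts to 0 (any string without a leading numeric prefix), so a
    // missing or empty field could wipe most of the table. The LIMIT 1
    // bounds the damage of any remaining mistake in the WHERE clause.
    function delete_by_pass()
    {
        if ( ! is_string($this->pass) || $this->pass === '')
        {
            return FALSE;
        }
        $this->db->where('pass', $this->pass);
        $this->db->delete('users', '', 1);
        return $this->db->affected_rows();
    }
}
```

From a controller this would be used as `$this->load->model('user_model'); $row = $this->user_model->find();`. The guard in `delete_by_pass()` is the check the last reply asks for: Active Record will refuse a `delete()` with no WHERE at all, but it will happily run one whose WHERE is `pass = 0`, and that is the case an absent form field produces.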