CodeIgniter Forums
Escaping form inputs - Printable Version

+--- Thread: Escaping form inputs (/showthread.php?tid=23559)



Escaping form inputs - El Forum - 10-14-2009

[eluser]loonychune[/eluser]
I was just working through a form, escaping the values in the controller(!) because I wanted to reuse the variables.

So, I'm thinking of escaping the values something like this:

Code:
class Something extends Model {

  public $user;
  public $pass;

  // CI 1.x models need the parent constructor so $this->db is available
  function Something() {
    parent::Model();
  }

  function escape_values($user, $pass) {
    // escape() quotes strings, so the values can be dropped straight into SQL
    $this->user = $this->db->escape($user);
    $this->pass = $this->db->escape($pass);
  }

  function use_values() {
    // now I can always refer to the variables
    $query = $this->db->query("DELETE FROM table WHERE pass = {$this->pass}");
  }

}

This seems an efficient way to do things if I had, say, 5 or 6 functions reusing the $user and $pass values... I don't want to have to escape the values in EVERY method.

What do you think???

I'm also curious about how to go FURTHER... i.e. MY_Controller pops up a lot in the forums and seems to be a way of implementing reusable functionality.

Appreciate your input...


Escaping form inputs - El Forum - 10-14-2009

[eluser]n0xie[/eluser]
Why not use active record? It will escape your queries automatically for you.


Escaping form inputs - El Forum - 10-14-2009

[eluser]loonychune[/eluser]
Guess I ought to, but I found myself setting the 2nd or 3rd parameter in select() and where() to FALSE sometimes, which kinda went against the ethos of using the active record class, I think.


Escaping form inputs - El Forum - 10-15-2009

[eluser]n0xie[/eluser]
[quote author="loonychune" date="1255598844"]Guess I ought to, but I found myself setting the 2nd or 3rd parameter in select() and where() to FALSE sometimes, which kinda went against the ethos of using the active record class, I think.[/quote]
Usually when you have a complex query that doesn't fit into the AR mould, it might be easier (and safer) to use prepared statements.

In your case:
Code:
function delete($pass)
{
    $sql = "DELETE FROM table WHERE pass = ?";
    $query = $this->db->query($sql, array($pass));
}

Also be extra careful when passing strings to a destructive query (UPDATE and DELETE) where the delimiter is NOT an integer. If you pass a boolean FALSE to it or an empty string / NULL you might end up deleting the whole content of the table. This is a mistake you don't want to ever have to explain.
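Putting the two points of this thread together (reuse the values in a model without hand-escaping them in every method, and don't let an empty key turn a DELETE into a table wipe), here is an added example. It is not code from either poster; it assumes a CodeIgniter 1.7-style model (extends Model, parent::Model()), a MySQL backend, and a `users` table with a `pass` column, all of which are placeholders. The guard matters because, as far as I recall of CI 1.7's escape(), a boolean FALSE is rendered as 0 and NULL as NULL, and in MySQL a string column compared to the integer 0 matches every value that does not look like a number.

```php
<?php
// Added example, not code from the thread. Assumes a CodeIgniter 1.7-style
// model and a MySQL table `users` with a `pass` column (placeholder names).

class User_model extends Model {

    function User_model()
    {
        parent::Model();
    }

    // Destructive query with a bound parameter: the driver escapes and quotes
    // the value when it compiles the binds, so callers never call escape().
    // The guard refuses anything that is not a non-empty string, because a
    // FALSE, NULL or '' key can be rendered as 0 or NULL, and `pass = 0`
    // compares TRUE in MySQL for every non-numeric string, i.e. every row.
    function delete_by_pass($pass)
    {
        if ( ! is_string($pass) || $pass === '')
        {
            log_message('error', 'delete_by_pass refused: empty or non-string key');
            return FALSE;
        }

        // LIMIT 1 is a second safety net: a single-key delete should never
        // touch more than one row.
        $sql = "DELETE FROM users WHERE pass = ? LIMIT 1";
        $this->db->query($sql, array($pass));

        return $this->db->affected_rows();
    }

    // Same thing through Active Record. where() escapes the value for you,
    // but it renders FALSE and NULL the same way, so the guard stays.
    function delete_by_pass_ar($pass)
    {
        if ( ! is_string($pass) || $pass === '')
        {
            log_message('error', 'delete_by_pass_ar refused: empty or non-string key');
            return FALSE;
        }

        $this->db->where('pass', $pass);
        $this->db->limit(1);
        $this->db->delete('users');

        return $this->db->affected_rows();
    }
}
```

Both methods return FALSE when they refuse to run and the affected row count otherwise, so a controller can tell "nothing matched" apart from "refused to execute" and log the latter. The check is deliberately on the type of the key rather than on the rendered SQL, so it holds regardless of how a particular driver version happens to escape booleans and nulls.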


Escaping form inputs - El Forum - 10-16-2009

[eluser]loonychune[/eluser]
Thank you, much appreciated.