CI2: data validation before inserting it in DB

CI2: data validation before inserting it in DB - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: CI2: data validation before inserting it in DB (/showthread.php?tid=32478)

CI2: data validation before inserting it in DB - El Forum - 07-24-2010

[eluser]diostm[/eluser]
Hello, I'm just get started with CI(CI2) and i created simple newsletter-webapp.

But i'm not sure about my validation:

Code:
$this->form_validation->set_rules(

            array(

                array(

                    "field" => "title",

                    "label" => "Title",

                    "rules" => "required|xss_clean"

                ),

                array(

                    "field" => "body",

                    "label" => "News body",

                    "rules" => "required|xss_clean"

                ),

                array(

                    "field" => "body_extra",

                    "label" => "Body extra",

                    "rules" => "xss_clean"

                ),

                array(

                    "field" => "author_login",

                    "label" => "Authors login",

                    "rules" => "required|xss_clean"

                )

            )

        );

        $_POST['id'] = 0;

        $_POST['author_id'] = 0;    //disable this in future

        $_POST['mtime'] = date("Y-m-d H:i:s", 3601 );

        $this->form_validation->set_error_delimiters('<p class="error">', '</p>');

        if (!$this->form_validation->run())    {

            $this->data['title'] = "News: Add (errors)";

            $this->load->view('news_add', $this->data);

        }

        else    {

            $this->data['title'] = "News: new post inserted";

            $this->load->view('news_inserted', $this->data);

            $this->db->insert('news', $_POST);

        }

Web form, from which i sent data:

Code:
&lt;?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');?&gt;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"

    "http://www.w3.org/TR/html4/strict.dtd">

&lt;html&gt;

&lt;head&gt;

    &lt;meta http-equiv="Content-type" content="text/html; charset=utf-8" /&gt;

    &lt;title&gt;&lt;?=$title?&gt;&lt;/title&gt;

&lt;/head&gt;

&lt;body&gt;

&lt;?=validation_errors()?&gt;

&lt;?php

echo "<p>",

    form_open('news/insert', array('class' => 'email', 'id' => 'myform')), "</p>",

    "<p>", form_input(array(

        "name" => "title",

        "value" => set_value("title", "Title")

    )), "</p>",

    "<p>",form_textarea(array(

        "name" => "body",

        "value" => set_value("body","News Body")

    )), "</p>",

    "<p>",form_textarea(array(

        "name" => "body_extra",

        "value" => set_value("body_extra","Extra body")

    )), "</p>",

    "<p>", form_input(array(

        "name" => "author_login",

        "value" => set_value("author_login","Author")

    )), "</p>",

    "<p>",form_submit(array(

        "value"=>"Submit"

    )), "</p>",

    form_close();

?&gt;

&lt;/body&gt;

&lt;/html&gt;

Table description in database:

Code:
CREATE TABLE  `cms`.`news` (

  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,

  `title` tinytext NOT NULL,

  `body` text NOT NULL,

  `body_extra` text NOT NULL,

  `ctime` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT 'creation time',

  `mtime` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'modification time',

  `author_id` int(11) NOT NULL,

  `author_login` tinytext NOT NULL,

  PRIMARY KEY (`id`)

) ENGINE=MyISAM AUTO_INCREMENT=64 DEFAULT CHARSET=latin1

----------------
Do i forgot something to check?

CI2: data validation before inserting it in DB - El Forum - 07-24-2010

[eluser]pickupman[/eluser]
What if you change:

Code:
$this->load->view('news_inserted', $this->data);

$this->db->insert('news', $_POST);

Code:
$this->db->insert('news', $_POST);

$this->load->view('news_inserted', $this->data);

You may find it useful to do a

Code:
foreach($_POST as $key => $value){

  $this->db->set($key, $value);

}

$this->db->insert('news');

As a bonus add this to your controller constructor

Code:
$this->output->enable_profiler(TRUE); // get all the CI goodness

CI2: data validation before inserting it in DB - El Forum - 07-25-2010

[eluser]diostm[/eluser]
Hm, thanks, but i mean, is it enough to control with a xss_clean function those params before inserting it in DB.

Will it be enough when i want to get some data from DB (selecting it) or there have to be some more extra validations(for example with mysql_real_esacpe_string or with its wrapper in CI $this->db->escape() or $this->db->escape_str()) ?

CI2: data validation before inserting it in DB - El Forum - 07-25-2010

[eluser]pickupman[/eluser]
Well, with any app, you don't want to assume a user is feeding you something naughty. Basically any input that you can't typecast like bool or int, you will want to run through xss_clean. The $this->db->set() will make your queries safe.

If you you the active record syntax for doing your queries, CI will take care of the security stuff for you.