Thread: <, script and > inserted in DB (CodeIgniter Forums, Archived Development & Programming, https://forum.codeigniter.com/showthread.php?tid=34793)
shinokada - 10-09-2010

I load helpers, form, url and database in a controller. I have the following model.

Code:
function entertest(){

When I enter < and > with script tag, it is inserted in DB. I was assuming CI will change < to &gt;, but it did not. According to the CI user guide, it says when you use $this->db->insert();, "Note: All values are escaped automatically producing safer queries." I also used ", but it is in DB as it is. What am I doing wrong here? Thanks in advance.

techgnome - 10-09-2010

Encoding < into > isn't the same as escaping it. Might want to look up the XSS filtering in the User Guide. I think that will take care of that.

-tg

shinokada - 10-10-2010

@techgnome: Yeap, and thanks. XSS changes <script> to removed and <object> to special characters. I am wondering if CI has any class or helper to change HTML tags to special characters, for example <h1> to &lt; etc. Or do I have to use htmlspecialchars?

techgnome - 10-10-2010

For some reason I was thinking the XSS filtering would do that. My guess would be if there is a CI function, it would probably just be a wrapper for htmlspecialchars anyway, so odds are, probably not.

-tg
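The distinction the replies draw, as an added example that is not from the thread or from CodeIgniter itself: a parameterised insert (the SQL-level escaping the user guide means, and what $this->db->insert() does for you) leaves the raw markup in the database, and HTML encoding with htmlspecialchars is applied only when the value is rendered. It assumes PHP with the PDO SQLite driver; the table, the sample input and render_comment() are constructed for the demonstration.

```php
<?php
// Added example, not CodeIgniter code. Assumes PDO with the sqlite driver.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, the kind of value a form field might submit.
$userInput = '<script>alert("hi")</script> <h1>"title"</h1>';

// 1. Storage. A prepared statement is SQL escaping: it stops the value from
//    being parsed as SQL. It does not, and should not, alter the text.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $userInput]);

// 2. Read it back. The stored value is exactly what was submitted, which is
//    the behaviour the original poster observed.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $userInput);

// 3. Output. Encode for the HTML context at render time, not before storage,
//    so the same data can still be shown in JSON, e-mail or a CSV export.
function render_comment(string $body): string
{
    // ENT_QUOTES converts " and ' as well, so the result is also safe inside
    // attribute values; ENT_SUBSTITUTE returns U+FFFD instead of an empty
    // string when the input is not valid UTF-8.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . $safe . '</p>';
}

echo render_comment($stored), PHP_EOL;
```

Encoding on the way in (as the first post expected) would double-encode anything later passed through htmlspecialchars again and would break every non-HTML consumer of the data, which is why the stored value stays raw.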