CodeIgniter Forums
<, script and > inserted in DB - Printable Version

+--- Thread: <, script and > inserted in DB (/thread-34793.html)

<, script and > inserted in DB - El Forum - 10-09-2010

[eluser]shinokada[/eluser]
I load helpers, form, url and database in a controller.

I have the following model.

Code:
function entertest()
{
    // Values come straight from the POST request; the database driver
    // escapes them for the SQL statement but leaves HTML characters untouched.
    $data = array(
        'title' => $this->input->post('title'),
        'embed' => $this->input->post('embed'),
    );
    $this->db->insert('video', $data);
}

When I enter < and > with a script tag, it is inserted into the DB.

I was assuming CI would change < to &gt;, but it did not.

According to the CI user guide: "When you use $this->db->insert(); ... Note: All values are escaped automatically producing safer queries."

I also used ", but it is stored in the DB as is.

What am I doing wrong here?

Thanks in advance.


<, script and > inserted in DB - El Forum - 10-09-2010

[eluser]techgnome[/eluser]
Encoding < into &gt; isn't the same as escaping it. You might want to look up the XSS filtering in the User Guide. I think that will take care of that.

-tg


<, script and > inserted in DB - El Forum - 10-10-2010

[eluser]shinokada[/eluser]
@techgnome: Yep, and thanks.

XSS changes <script> to "removed" and <object> to special characters.

I am wondering if CI has any class or helper to change HTML tags to special characters.

For example, <h1> to &lt; etc.

Or do I have to use htmlspecialchars?


<, script and > inserted in DB - El Forum - 10-10-2010

[eluser]techgnome[/eluser]
For some reason I was thinking the XSS filtering would do that. My guess would be that if there is a CI function, it would probably just be a wrapper for htmlspecialchars anyway, so odds are, probably not.

-tg
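A stand-alone illustration of the distinction the thread lands on, added here and not code from any of the posters: the database layer escapes values for SQL and stores the text verbatim, while HTML encoding is a separate step done when the value is rendered. It assumes PHP with pdo_sqlite available and uses an in-memory SQLite table named video in place of CodeIgniter's $this->db->insert().

```php
<?php
// Added example, not from the thread. Shows that SQL escaping (what CI's
// $this->db->insert() promises) and HTML encoding are two different steps.
// Assumes pdo_sqlite; an in-memory table stands in for the real video table.

// Constructed sample input, standing in for $this->input->post('title'/'embed').
$posted = [
    'title' => 'Test "quotes" and it\'s',
    'embed' => '<script>alert(1)</script><h1>hi</h1>',
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE video (id INTEGER PRIMARY KEY, title TEXT, embed TEXT)');

// Store: binding the values keeps the quotes and angle brackets from altering
// the SQL statement, but the text itself is saved exactly as posted. That is
// the behaviour the original poster saw in the database.
$stmt = $pdo->prepare('INSERT INTO video (title, embed) VALUES (:title, :embed)');
$stmt->execute($posted);

$row = $pdo->query('SELECT title, embed FROM video')->fetch(PDO::FETCH_ASSOC);
if ($row['embed'] !== $posted['embed']) {
    throw new RuntimeException('value did not round-trip unchanged');
}

// Output: encode at render time so the browser shows the tags as text rather
// than interpreting them. ENT_QUOTES also makes the value safe inside quoted
// attributes; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<p>' . h($row['title']) . '</p>' . PHP_EOL;
echo '<pre>' . h($row['embed']) . '</pre>' . PHP_EOL;
```

If a column is meant to hold HTML that will be rendered as markup, such as embed code, encoding it on output is the wrong tool; that content needs an allow-list sanitiser rather than htmlspecialchars.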