CodeIgniter Forums
Need help with insert and htmlspecialchars - Printable Version



Need help with insert and htmlspecialchars - El Forum - 10-25-2010

[eluser]Unknown[/eluser]
Hi,

I am new to CodeIgniter and PHP classes. I like what I have seen of CodeIgniter and in an attempt to learn how it works I have been developing a few small personal projects. My latest project is a snippet database to store my coding snippets and I have run into a problem when inserting the code into the database.

To insert the code I have the following in the controller:

Code:
function addSnippet()
{
    $now = date('Y-m-d H:i:s');
    
    $data = array(
        'title' => $this->input->post('title'),
        'description' => $this->input->post('description'),
        'code' => $this->input->post('code'),
        'dateAdded' => $now,
        'catID' => $this->input->post('cat')
    );
    
    $this->code_model->add_snippet($data);
    $this->index();
}

In the model I have the following:

Code:
function add_snippet($data)
{
    $this->db->set('title', $data['title']);
    $this->db->set('description', $data['description']);
    $this->db->set('code', $data['code']);
    $this->db->set('dateAdded', $data['dateAdded']);
    $this->db->insert('snippet');

    $codeID = $this->db->insert_id();

    $this->db->set('catID', $data['catID']);
    $this->db->set('codeID', $codeID);
    $this->db->insert('catSnippet');

    return;
}

The problem is that when the script runs it appears to be applying htmlspecialchars to the data before it is inserted into the database, so the PHP tags etc. come out as &lt;?php.

I would rather htmlspecialchars is applied before printing the data to a web page. How do I stop htmlspecialchars from being applied before it is inserted into the database?

Thank you for any help.


Need help with insert and htmlspecialchars - El Forum - 10-25-2010

[eluser]Unknown[/eluser]
It looks like I have found the solution.

For anyone who comes across this problem too, it was due to having global_xss_filtering set to true. I have set this to false and things work as expected.

Shouldn't htmlspecialchars only be applied when outputting the data to a web page and other ways used to sanitize user inputs?
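
The following is an added example, not part of the original posts and not CodeIgniter's own code. It shows the two outcomes discussed in the thread: a snippet stored raw and encoded once on output, and a snippet encoded before the insert and then encoded again by the view. Plain PDO with an in-memory SQLite database stands in for CodeIgniter's database class, the `htmlspecialchars()` call at insert time is a stand-in for input-time filtering, and the function names and sample snippet are constructed for illustration.

```php
<?php
// Added example: plain PDO + in-memory SQLite stand in for CodeIgniter's
// database class; function names and the sample snippet are constructed.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE snippet (id INTEGER PRIMARY KEY, title TEXT, code TEXT)');
    return $db;
}

// Store the value exactly as submitted. Bound parameters deal with SQL
// injection; HTML encoding has no role at this layer.
function add_snippet(PDO $db, string $title, string $code): int
{
    $stmt = $db->prepare('INSERT INTO snippet (title, code) VALUES (:title, :code)');
    $stmt->execute([':title' => $title, ':code' => $code]);
    return (int) $db->lastInsertId();
}

function get_code(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT code FROM snippet WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode for the HTML context only at the moment of output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = open_db();
$submitted = "<?php echo \"it's <b>bold</b> & 'quoted'\"; ?>"; // constructed input

// Case 1: raw in, encoded once on output. The stored bytes are unchanged.
$rawId = add_snippet($db, 'raw', $submitted);
if (get_code($db, $rawId) !== $submitted) {
    throw new RuntimeException('stored snippet differs from submitted snippet');
}
echo h(get_code($db, $rawId)), PHP_EOL;

// Case 2: encoded before the insert, then encoded again by the view.
// The browser now displays the entity text itself instead of the PHP tag.
$encodedId = add_snippet($db, 'encoded', h($submitted));
echo h(get_code($db, $encodedId)), PHP_EOL;
```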