CodeIgniter Forums
Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? (/showthread.php?tid=42902)



Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]pyrokinesis[/eluser]
Hi everyone,

I'm wondering, are the 'htmlspecialchars' & 'mysql_real_escape_string' functions necessary (before posting input into the DB) when using the CI input class, or will the input class do it all for me already?

Code:
$data = ci()->input->post($element);
if(!empty($data))
{
  $data = htmlspecialchars($data);
  $data = mysql_real_escape_string($data);
  return $data;
}

Thanks :)


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]toopay[/eluser]
If you use $this->input or AR, yes.


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]pyrokinesis[/eluser]
Hey toopay,

Thanks for the reply... Yup, they are necessary, or nope, I don't need the htmlspecialchars/mysql_real_escape_string functions if I use AR & the Input class?

Thanks :coolsmile:


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]osci[/eluser]
nope


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]pyrokinesis[/eluser]
Thanks


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]InsiteFX[/eluser]
If you use:
Code:
$this->input->post('some_data');

// you need to use the second parameter for protection if global XSS Filtering is not used!
$this->input->post('some_data', TRUE);

Read this!

Input Class

InsiteFX


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-23-2011

[eluser]toopay[/eluser]
Let me repeat. If you use $this->input (and set TRUE as the second parameter) or AR (CI Active Record), yes, the input class and AR do it all for you already.
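
An added example, not code from any of the posters, showing where each layer belongs in a CodeIgniter 2.x controller: the XSS filter on input, Active Record escaping (or query bindings) for SQL, and HTML escaping only at output. The `comments` table, its field names and the view name are assumptions.

```php
<?php
// Added example for a CodeIgniter 2.x application (table, fields and view are assumed).
class Comments extends CI_Controller {

    public function add()
    {
        // Layer 1: input. TRUE as the second parameter runs the XSS filter on the
        // value (same effect as global XSS filtering in config.php). It removes
        // script-like content; it does NOT escape the value for SQL.
        $author = $this->input->post('author', TRUE);
        $body   = $this->input->post('body', TRUE);

        // post() returns FALSE when the field is absent.
        if ($author === FALSE OR $body === FALSE)
        {
            show_error('author and body are required', 400);
        }

        // Layer 2: database. Active Record escapes every value itself, so no
        // mysql_real_escape_string() call is needed (calling it here would
        // double-escape the stored data).
        $this->db->insert('comments', array(
            'author' => $author,
            'body'   => $body,
        ));

        // Query bindings give the same protection for hand-written SQL:
        // each ? is replaced by the driver with an escaped value.
        $query = $this->db->query(
            'SELECT id FROM comments WHERE author = ?',
            array($author)
        );

        // Layer 3: output. HTML escaping belongs in the view, at the point where
        // the value is printed, not before it is stored; storing raw text keeps
        // the data usable for non-HTML output (JSON, email, CSV).
        $this->load->view('comment_added', array(
            'author' => htmlspecialchars($author, ENT_QUOTES, 'UTF-8'),
            'count'  => $query->num_rows(),
        ));
    }
}
```

Global XSS filtering (`$config['global_xss_filtering'] = TRUE` in config.php) makes the second parameter redundant, but neither setting replaces the escaping in layers 2 and 3.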


Is htmlspecialchars & mysql_real_escape_string necessary with the input class ? - El Forum - 06-25-2011

[eluser]pyrokinesis[/eluser]
Thanks for the replies guys, never can be 2 sure :)