CodeIgniter Forums
escaping quotes when updating db - Printable Version

+--- Thread: escaping quotes when updating db (/showthread.php?tid=54572)



escaping quotes when updating db - El Forum - 09-14-2012

[eluser]murichej[/eluser]
Hi, I have one problem.

I get data from a form and save it to the database with jQuery AJAX. Everything works fine, but CodeIgniter is escaping quotes by itself.

I'm using jQuery $.ajax (POST method) to call a controller which calls a model that updates the data.

Example:
http://shrani.si/f/1Q/13B/ZSt63ED/q.png


escaping quotes when updating db - El Forum - 09-14-2012

[eluser]murichej[/eluser]
AJAX code from the view:
Code:
// Send the three profile fields to the controller; reload the page on success.
$('#save_personal').click(function() {
    $.ajax({
        type: "POST",
        url: "index.php/profile/savePersonalInformation",
        data: { name: $('#name').val(), surname: $('#surname').val(), about: $('#about').val() },
        success: function(ret) {
            if (ret)
                location.reload();
        }   // no trailing comma here: older browsers reject it in object literals
    });
});

Controller code:
Code:
public function savePersonalInformation()
{
    $id = $this->id_admin;

    // Read the fields through CI's Input class rather than raw $_REQUEST,
    // so the values arrive the way CodeIgniter itself prepares them.
    $data['name']    = trim($this->input->post('name'));
    $data['surname'] = trim($this->input->post('surname'));
    $data['about']   = trim($this->input->post('about'));

    $OK = $this->Admin_model->setPersonalInformation($id, $data);

    // The AJAX caller only reloads on a truthy response.
    if ($OK) {
        echo 1;
        exit;
    }
}

Model code:
Code:
function setPersonalInformation($id, $data)
{
    // Active Record escapes each value in $data when it builds the UPDATE.
    $this->db->where('id', $id);
    $this->db->update('admin', $data);

    // Exactly one admin row should have changed.
    if ($this->db->affected_rows() == 1)
        return TRUE;

    return FALSE;
}



escaping quotes when updating db - El Forum - 09-14-2012

[eluser]qcsites[/eluser]
You should actually allow it to escape quotes for security purposes, then use stripslashes to remove them.
Code:
<?php
$str = "Is your name O\'reilly?";

// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>



escaping quotes when updating db - El Forum - 09-14-2012

[eluser]murichej[/eluser]
I'm writing a CMS with lots of data inputs and so on. Does that mean that I have to use stripslashes every single time? That's a bit annoying.


escaping quotes when updating db - El Forum - 09-14-2012

[eluser]qcsites[/eluser]
You can use the following method to do it in the model http://www.greenacorn-webdesign.co.uk/web-design/codeigniter-stripslashes-method.php

Or you can create a function to use on your outputs.

The other option is to not use Active Record and write your queries yourself. If you go this route and allow unescaped entries, you leave your application vulnerable to SQL injection. Generally speaking, a bad idea.

Sorry, part of the wonderful world of programming.
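
The point qcsites makes about escaping once at the query versus stripping slashes afterwards, as an added example that is not from the thread or from CodeIgniter: it reproduces the double escaping offline with stand-in helpers (magic_quote, sql_literal, stored_value and compare_paths are assumed names, and the sample input is constructed) and shows what reaches the column when the transport-layer slashes are removed once before the query layer escapes. It assumes the poster's PHP had magic_quotes_gpc on, one common cause of this symptom when reading raw $_REQUEST.

```php
<?php
// Added example, not code from the thread. It simulates the pipeline the poster
// describes so the double escaping can be seen offline: magic_quotes_gpc (PHP
// <= 5.3) slashes request data, then the query layer escapes it again.
// Helper names and the sample input are constructed for this demo.

// Stand-in for magic_quotes_gpc: what raw $_REQUEST looked like with it on.
function magic_quote(array $request)
{
    return array_map('addslashes', $request);
}

// Stand-in for the driver escaping that the query builder applies once, at
// query time: backslash and quote get a backslash in front, then the value is
// wrapped in quotes. Without this step a quote inside the data would end the
// SQL literal early, which is the injection risk qcsites mentions.
function sql_literal($value)
{
    return "'" . str_replace(array("\\", "'"), array("\\\\", "\\'"), $value) . "'";
}

// What the database stores after decoding the literal (left to right, a
// backslash takes the next character verbatim).
function stored_value($literal)
{
    $inner = substr($literal, 1, -1);
    $out   = '';
    for ($i = 0, $n = strlen($inner); $i < $n; $i++)
    {
        $out .= ($inner[$i] === '\\' && $i + 1 < $n) ? $inner[++$i] : $inner[$i];
    }
    return $out;
}

// Returns what ends up in the column for both ways of reading the input.
function compare_paths($typed)
{
    $request = magic_quote(array('name' => $typed));            // O\'Reilly
    $doubled = stored_value(sql_literal($request['name']));     // escaped twice
    $clean   = array_map('stripslashes', $request);             // undo transport quoting once
    $single  = stored_value(sql_literal($clean['name']));       // escaped once
    return array('raw_request' => $doubled, 'cleaned_once' => $single);
}

$result = compare_paths("O'Reilly");  // constructed sample input
var_dump($result['raw_request'] === "O\\'Reilly");  // bool(true): the stray backslash
var_dump($result['cleaned_once'] === "O'Reilly");   // bool(true): stored as typed
```

CodeIgniter 2.x's Input class already undoes magic quotes for $_POST, so reading the fields through $this->input->post() instead of $_REQUEST gives the query layer the plain value and leaves it to escape exactly once.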


escaping quotes when updating db - El Forum - 09-14-2012

[eluser]murichej[/eluser]
Thank you very much, I think that I will use the stripslashes method in the model.


escaping quotes when updating db - El Forum - 09-16-2012

[eluser]murichej[/eluser]
I have one problem using that method. This method changes associative arrays into non-associative arrays.

Edit: OK, I wrote a method for associative arrays. If somebody needs it, feel free to use it.

Code:
/**
 * stripslashes for associative arrays (model method; the inner call is
 * PHP's built-in stripslashes(), so keep this inside a class)
 *
 * @access public
 * @param  mixed  $object  string or (nested) associative array
 * @return mixed  same shape as the input, slashes removed
 */
function stripslashes($object)
{
    // Plain values: hand straight to PHP's built-in.
    if ( ! is_array($object))
    {
        return stripslashes($object);
    }

    $output = array();

    // Arrays: keep the keys, recurse so nested arrays are handled too.
    foreach ($object as $key => $val)
    {
        $output[$key] = $this->stripslashes($val);
    }

    return $output;
}