CodeIgniter Forums
Form validation - Printable Version


Form validation - jay101 - 03-06-2017

Hello,

I'm doing form validation in CodeIgniter like the following:
$this->form_validation->set_rules('first_name', 'First Name', 'trim|xss_clean|required');

If I insert the word "<script>" in my field, xss_clean removes the word "<script>", the field becomes empty, and the required validation is bypassed: the empty entry is accepted and can be inserted in my database.

Could you please help me with this?
Thanks


RE: Form validation - Narf - 03-06-2017

Apply xss_clean() on output, not before you store it.


RE: Form validation - jay101 - 03-06-2017

(03-06-2017, 10:43 AM)Narf Wrote: Apply xss_clean() on output, not before you store it.

Hi Narf, thanks for replying. I just want to make sure I understand correctly. Here is the situation:
If I do it this way:
$this->form_validation->set_rules('first_name', 'First Name', 'required'); 

If someone puts <script>, required will be OK.
Then if I apply the XSS clean after that, or let's say I move the post data to a variable and apply XSS clean on it,
the variable will become empty, since XSS clean will remove the <script>, and required will never detect it again.
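
The two orderings discussed in this thread, as an added plain-PHP example that is not code from any poster or from CodeIgniter. is_present() and strip_markup() are hypothetical stand-ins for the required rule and for a tag-stripping sanitizer, and the output step uses htmlspecialchars() as a swapped-in encoder rather than xss_clean().

```php
<?php
// Constructed sample input: the value the thread's user types into first_name.
$post = ['first_name' => '  <script>  '];

// Hypothetical stand-in for a "required" rule: fails on an empty string.
function is_present(string $value): bool
{
    return $value !== '';
}

// Hypothetical stand-in sanitizer (NOT CodeIgniter's xss_clean): strips tags.
function strip_markup(string $value): string
{
    return trim(strip_tags($value));
}

// Pipeline A: validate the raw text, then sanitize the value that is stored.
// The presence check passes on the raw text, yet the stored value is empty.
function store_sanitized(array $post): ?string
{
    $raw = trim($post['first_name'] ?? '');
    if (!is_present($raw)) {
        return null; // rejected by validation
    }
    return strip_markup($raw); // value that would be written to the database
}

// Pipeline B: validate and store the trimmed raw text unchanged.
function store_raw(array $post): ?string
{
    $raw = trim($post['first_name'] ?? '');
    return is_present($raw) ? $raw : null;
}

// Output step for pipeline B: encode for the HTML context at render time,
// so the stored text is displayed as text and never parsed as markup.
function render_name(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$a = store_sanitized($post);
$b = store_raw($post);

printf("A stored:   %s\n", var_export($a, true));
printf("B stored:   %s\n", var_export($b, true));
printf("B rendered: %s\n", render_name($b));
```

In pipeline B the stored value is never rewritten after validation, so the validated value and the stored value are always the same string.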