CodeIgniter Forums
escaping output in CodeIgniter - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: escaping output in CodeIgniter (/thread-68543.html)



escaping output in CodeIgniter - june123 - 07-24-2017

Filter Input, Escape Output.

After filtering input, I am using html_escape function to escape database output before displaying it in the browser.

Quote:$query = $this->db->query($sentstring); //returns list of users

$data['user'] = html_escape($query->result());

Now result() returns an array of objects and html_escape expects a string. So I am getting the error 

Quote:Message: htmlspecialchars() expects parameter 1 to be string, object given

Filename: core/Common.php

How do  resolve this issue? Also is my method of escaping output s proper way?


RE: escaping output in CodeIgniter - Martin7483 - 07-24-2017

$query->result() is a object.

You need to do html_escape from within your foreach loop


RE: escaping output in CodeIgniter - june123 - 07-24-2017

Thanks Martin.

So I have  to do escaping like this for all the fields to be displayed:

Quote:<?php
foreach($user as $loop) 
{  ?>
        <tr>
                <td><?php echo html_escape($loop->name);?></td>
        </tr>

<?php     } ?>



RE: escaping output in CodeIgniter - Martin7483 - 07-24-2017

It is one way of doing it.

You need the loop to display the list in your view anyway. So why not call html_escape from there


RE: escaping output in CodeIgniter - PaulD - 07-24-2017

Assuming you have turned your object into an array it should work without looping if you wanted to do it in the controller.

Here is the function from common.php

PHP Code:
if ( ! function_exists('html_escape'))
{

 
   function html_escape($var$double_encode TRUE)
 
   {
 
       if (empty($var))
 
       {
 
           return $var;
 
       }

 
       if (is_array($var))
 
       {
 
           foreach (array_keys($var) as $key)
 
           {
 
               $var[$key] = html_escape($var[$key], $double_encode);
 
           }

 
           return $var;
 
       }

 
       return htmlspecialchars($varENT_QUOTESconfig_item('charset'), $double_encode);
 
   }


So you should be fine with:
PHP Code:
$data['user'] = html_escape($query->result_array()); 


Paul

PS Isn't that a beautifully coded function. I love learning how to code better from the CI Core...


RE: escaping output in CodeIgniter - june123 - 07-25-2017

Thanks Paul for your reply.

This way I can do the escaping in the controller itself.

Quote:$roles = $this->db->query($sql1, array($role_id));

$data['role'] = html_escape($roles->result_array());  

$this->load->view('edit_user',$data);


But I am displaying the form values in the view as fields of an object and hence I will have to change them as array fields.

For example:

Quote:<div class="form-inline input-group">
       <?php
foreach($role as $loop) 
{ ?>
<?php   
if(isset($CheckTask[$loop->id]))
echo  "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' checked />&nbsp; $loop->name &nbsp;</label>";
else
echo  "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' />&nbsp; $loop->name &nbsp;</label>";
}
?>
</div>

Using this code, I display a user's assigned roles. 

Now when I try to change object fields as array fields, I get syntax errors.


RE: escaping output in CodeIgniter - Martin7483 - 07-25-2017

A quick fix for that

PHP Code:
$data['user'] = html_escape($query->result_array()); 

PHP Code:
foreach($role as $std
{
 
   $loop = (object)$std// Cast as an object to convert the array
    if(isset($CheckTask[$loop->id]))
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' checked /> $loop->name</label>";
    else
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' />$loop->name</label>";
}
?>



RE: escaping output in CodeIgniter - june123 - 07-25-2017

Thanks Martin.

Worked like a charm  Wink   Wink