CodeIgniter Forums
escaping output in CodeIgniter - Printable Version

Thread: escaping output in CodeIgniter (https://forum.codeigniter.com/showthread.php?tid=68543)



escaping output in CodeIgniter - june123 - 07-24-2017

Filter Input, Escape Output.

After filtering input, I am using html_escape function to escape database output before displaying it in the browser.

Quote:
$query = $this->db->query($sentstring); // returns list of users
$data['user'] = html_escape($query->result());

Now result() returns an array of objects and html_escape expects a string. So I am getting the error:

Quote:
Message: htmlspecialchars() expects parameter 1 to be string, object given
Filename: core/Common.php

How do I resolve this issue? Also, is my method of escaping output a proper way?


RE: escaping output in CodeIgniter - Martin7483 - 07-24-2017

$query->result() is an object.

You need to do html_escape from within your foreach loop.


RE: escaping output in CodeIgniter - june123 - 07-24-2017

Thanks Martin.

So I have to do escaping like this for all the fields to be displayed:

Quote:
<?php foreach ($user as $loop) { ?>
        <tr>
                <td><?php echo html_escape($loop->name); ?></td>
        </tr>
<?php } ?>



RE: escaping output in CodeIgniter - Martin7483 - 07-24-2017

It is one way of doing it.

You need the loop to display the list in your view anyway. So why not call html_escape from there?


RE: escaping output in CodeIgniter - PaulD - 07-24-2017

Assuming you have turned your object into an array, it should work without looping if you wanted to do it in the controller.

Here is the function from common.php:

PHP Code:
if ( ! function_exists('html_escape'))
{
    /**
     * Returns HTML escaped variable.
     * Strings go through htmlspecialchars(); arrays are walked recursively,
     * so every leaf value is escaped and the array shape is preserved.
     *
     * @param mixed $var           The input string or array of strings to be escaped.
     * @param bool  $double_encode Whether to double-encode existing HTML entities.
     * @return mixed The escaped string or array of strings as a result.
     */
    function html_escape($var, $double_encode = TRUE)
    {
        if (empty($var))
        {
            return $var;
        }

        if (is_array($var))
        {
            foreach (array_keys($var) as $key)
            {
                $var[$key] = html_escape($var[$key], $double_encode);
            }

            return $var;
        }

        return htmlspecialchars($var, ENT_QUOTES, config_item('charset'), $double_encode);
    }
}


So you should be fine with:
PHP Code:
$data['user'] = html_escape($query->result_array()); 


Paul

PS Isn't that a beautifully coded function. I love learning how to code better from the CI Core...


RE: escaping output in CodeIgniter - june123 - 07-25-2017

Thanks Paul for your reply.

This way I can do the escaping in the controller itself.

Quote:
$roles = $this->db->query($sql1, array($role_id));
$data['role'] = html_escape($roles->result_array());
$this->load->view('edit_user', $data);


But I am displaying the form values in the view as fields of an object, and hence I will have to change them to array fields.

For example:

Quote:
<div class="form-inline input-group">
<?php
foreach ($role as $loop)
{
    if (isset($CheckTask[$loop->id]))
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' checked />&nbsp; $loop->name &nbsp;</label>";
    else
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' />&nbsp; $loop->name &nbsp;</label>";
}
?>
</div>

Using this code, I display a user's assigned roles. 

Now when I try to change object fields as array fields, I get syntax errors.


RE: escaping output in CodeIgniter - Martin7483 - 07-25-2017

A quick fix for that:

PHP Code:
$data['user'] = html_escape($query->result_array());

PHP Code:
<?php
foreach ($role as $std)
{
    $loop = (object) $std; // Cast as an object to convert the array row
    if (isset($CheckTask[$loop->id]))
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' checked /> $loop->name</label>";
    else
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' />$loop->name</label>";
}
?>
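An added example (not code from the thread or from CodeIgniter) that ties Paul's controller-side escaping to Martin's object cast: ci_html_escape() repeats the quoted html_escape() logic so the script runs without the framework, escape_rows() is a hypothetical helper that goes beyond the thread by accepting result() objects as well as result_array() rows, and the last lines show the double-encoding caveat behind the $double_encode parameter. Run it with the PHP CLI.

```php
<?php
// Added example, not CodeIgniter's own code: ci_html_escape() repeats the
// html_escape() logic quoted above so this runs without the framework
// (charset hard-coded to UTF-8 instead of config_item('charset')).
function ci_html_escape($var, $double_encode = true)
{
    if (empty($var)) {
        return $var;
    }
    if (is_array($var)) {
        foreach (array_keys($var) as $key) {
            $var[$key] = ci_html_escape($var[$key], $double_encode);
        }
        return $var;
    }
    // An object would fall through to here, which is the error from the first post.
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
}
// Hypothetical helper: escapes a row set from result() (objects) or result_array()
// (arrays) without changing its shape, so the view can keep using $loop->name.
function escape_rows(array $rows, $double_encode = true)
{
    foreach ($rows as $i => $row) {
        $rows[$i] = is_object($row)
            ? (object) ci_html_escape(get_object_vars($row), $double_encode)
            : ci_html_escape($row, $double_encode);
    }
    return $rows;
}
// The checkbox markup from the thread, interpolating already-escaped values.
function render_role_checkbox($role, array $checked)
{
    $attr = isset($checked[$role->id]) ? ' checked' : '';
    return "<label class='checkbox inline'><input type='checkbox' name='role[]'"
         . " value='{$role->id}'{$attr} /> {$role->name}</label>";
}
// Constructed sample rows shaped like result() output (stdClass); no database needed.
$roles = [
    (object) ['id' => 1, 'name' => 'Editor <b>bold</b>'],
    (object) ['id' => 2, 'name' => "O'Reilly & Sons"],
];
foreach (escape_rows($roles) as $role) {
    echo render_role_checkbox($role, [2 => true]), "\n";
}
// Caveat: escaping in the controller and again in the view double-encodes ("&lt;"
// becomes "&amp;lt;") unless the second call passes $double_encode = false.
$once = ci_html_escape('<b>');
echo ci_html_escape($once, true), ' vs ', ci_html_escape($once, false), "\n";
```

Pick one place to escape (controller or view) or pass $double_encode = FALSE at the second one, otherwise "&" in stored data renders as "&amp;" in the browser.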



RE: escaping output in CodeIgniter - june123 - 07-25-2017

Thanks Martin.

Worked like a charm ;)