+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: sanitize textarea input for database insertion - best practice (/showthread.php?tid=73947)
sanitize textarea input for database insertion - best practice - dbrooke - 06-26-2019
Hello,
I thought I'd start this thread after a pretty thorough effort of searching / reading.
My Situation
I have a simple textarea that users are copy/pasting blocks of "text" (mostly from MS Word) into.
This text can contain quite a lot of extended characters, such as eacute, right slanted apostrophe's, open and closing double quotes, semi-colons, etc.
This is admin protected and not public facing.
Right now I am simply:
1.) Applying form validation (using a custom alpha callback that allows these certain characters)
2.) using the input class
3.) using CI's insert.
I attempted to use CI's $this->db->escape(), but it was double escaping some things.. for example, inserting "\r\n" into the textarea fields (when updating), and adding starting / ending single quotes.
Anyway, what is 'Best Practice' for this type of situation? Should be doing any more sanitizing beyond my 3 steps above?
Thanks!,
Donovan
RE: sanitize textarea input for database insertion - best practice - php_rocs - 06-26-2019
@dbrooke,
Cutting and pasting from MSWord can be a pain to deal with. I'm getting the impression that that is what is to be expected. Any thoughts to filtering out the MSWord special characters? Any thoughts to using an WYSIWYG editor instead of a regular textarea? Also, CI has built in escaping which could cut down on any current issues you may be having. Also, are you willing to display the code that you are using to insert the copied text into the database?
RE: sanitize textarea input for database insertion - best practice - InsiteFX - 06-26-2019
You can try this one, there are others out there on the web.
PHP Code:
function cleanText(string $string) : string
{
$search = [
"\xC2\xAB", // « (U+00AB) in UTF-8
"\xC2\xBB", // » (U+00BB) in UTF-8
"\xE2\x80\x98", // ‘ (U+2018) in UTF-8
"\xE2\x80\x99", // ’ (U+2019) in UTF-8
"\xE2\x80\x9A", // ‚ (U+201A) in UTF-8
"\xE2\x80\x9B", // ‛ (U+201B) in UTF-8
"\xE2\x80\x9C", // “ (U+201C) in UTF-8
"\xE2\x80\x9D", // ” (U+201D) in UTF-8
"\xE2\x80\x9E", // „ (U+201E) in UTF-8
"\xE2\x80\x9F", // ‟ (U+201F) in UTF-8
"\xE2\x80\xB9", // ‹ (U+2039) in UTF-8
"\xE2\x80\xBA", // › (U+203A) in UTF-8
"\xE2\x80\x93", // – (U+2013) in UTF-8
"\xE2\x80\x94", // — (U+2014) in UTF-8
"\xE2\x80\xA6", // … (U+2026) in UTF-8
];
$replacements = [
"<<",
">>",
"'",
"'",
"'",
"'",
'"',
'"',
'"',
'"',
"<",
">",
"-",
"-",
"...",
];
return str_replace($search, $replacements, $string);
}
RE: sanitize textarea input for database insertion - best practice - dbrooke - 06-27-2019
Thx for the feedback. Below seems to work fairly well.
@InsiteFX.. I threw your code into my helper file. Thx.
So here is what I have:
Controller:
- Validate:
Code:
$this->form_validation->set_rules('f_text', 'Review Text', 'required|trim|callback_customAlphaTwo');Code:
public function customAlphaTwo($str)
{
if (!preg_match('/^[a-zA-Z0-9 .,\-\'\&\–\—\«\»\…\$\[\]\/\(\)\“\”\‘\’\!\;\:\é]*$/m', $str)) {
return FALSE;
} else {
return TRUE;
}
}Code:
$tCleanText = cleanText($this->input->post('f_text'));- Save Data
Code:
$aDataToSave = array(
'far_text' => $tCleanText,
// more stuff
)
$tinsert = $this->admindata->savedata($aDataToSave);Note: cleanText() is a helper
Model:
- Insert
Code:
// Save Data
public function savedata($tdata)
{
return $this->db->insert('db_table', $tdata);
}