Input class - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com), Thread: Input class (/showthread.php?tid=8100)
Input class - El Forum - 05-05-2008

[eluser]omed habib[/eluser]
I understand that the input class gives me the ability to clean post data by each element in the form:

Code:
$this->input->post("username")

What about cleaning up an ENTIRE $_POST array at once to use the data somewhere?

Input class - El Forum - 05-05-2008

[eluser]Derek Allard[/eluser]
You'd want to turn on global XSS filtering in the config file omed.

Input class - El Forum - 05-06-2008

[eluser]omed habib[/eluser]
Thanks Derek. IF I do turn on global XSS filtering, could I simply do a:

Code:
$data = $_POST;

...and safely assume that all the POST data has already been filtered? Is there no way to manually do this (the docs say that turning global XSS on causes major overhead)?

Also, is XSS filtering all that is needed to ensure that the data is 'cleansed'?

Thanks!

Input class - El Forum - 05-06-2008

[eluser]Derek Allard[/eluser]
Quote: Thanks Derek. IF I do turn on global XSS filtering, could I simply do a:

No, you'd still want to use the input class as you did above.

Quote: ...and safely assume that all the POST data has already been filtered? Is there no way to manually do this

Actually, the docs say "a bit of processing overhead", but then later on, "fair amount"

Quote: Also, is XSS filtering all that is needed to ensure that the data is 'cleansed'?

For the purposes of XSS, I'd say yes. For other things (SQL injection, mail injection, etc) then no.

Input class - El Forum - 05-06-2008

[eluser]omed habib[/eluser]
Derek, are you sure I can feed input->post() an array? When I try to:

Code:
$data = $this->input->post($_POST)

I get an error message, whereas

Code:
$name = this->post($_POST['name'])

works fine
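
One way to combine the points raised in this thread, as an added example that is not from the original posts or from the CodeIgniter project: post() takes a field name rather than an array, so the controller loops over a whitelist of names with per-field XSS filtering, then relies on Active Record and query bindings for the SQL side. It assumes a CodeIgniter 1.x application with a configured database; the Signup controller, the users table and the field names are hypothetical.

```php
<?php
// Added example for CodeIgniter 1.x (the version current in this thread).
// Hypothetical names: Signup controller, 'users' table, the field list.
class Signup extends Controller {

    function Signup()
    {
        parent::Controller();
        $this->load->database();
    }

    // Returns the whitelisted POST fields, each run through the XSS filter.
    // post() takes a field NAME, not an array, so we loop over the names.
    // The leading underscore keeps this method from being reachable by URL.
    function _clean_post($fields)
    {
        $data = array();
        foreach ($fields as $field)
        {
            // Second argument TRUE applies xss_clean to this one value,
            // so global_xss_filtering can stay off in config.php.
            // post() returns FALSE when the field was not submitted.
            $data[$field] = $this->input->post($field, TRUE);
        }
        return $data;
    }

    function save()
    {
        $data = $this->_clean_post(array('username', 'email'));

        if ($data['username'] === FALSE OR $data['email'] === FALSE)
        {
            show_error('Missing form field.');
        }

        // XSS filtering does not protect the database. Active Record
        // escapes the values it is given on insert ...
        $this->db->insert('users', $data);

        // ... and hand-written SQL should use query bindings.
        $query = $this->db->query(
            'SELECT id FROM users WHERE username = ?',
            array($data['username'])
        );
        echo $query->num_rows().' matching row(s)';
    }
}
```

Whitelisting the field names also keeps unexpected POST keys out of the insert, which copying $_POST wholesale would not.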