CodeIgniter Forums
Escaping issue with my code and/or database? - Printable Version

Thread: Escaping issue with my code and/or database? (/thread-8274.html)

Escaping issue with my code and/or database? - El Forum - 05-12-2008

I've just started using CI a few days ago and have already managed to create a fairly robust database driven webapp, at least considering how new I am. :)

So for my very first CI problem (how exciting!):

Inputting the title "X&Y" into my database results in "X&Y;".

If I type in "X&YY" it does the same, and I get "X&YY;".

So I managed to figure out that if I have no whitespace on either side of the ampersand, it will always add a semicolon to the end of the string. So, "X & Y" would turn out fine.

Also, if I type "X& amp ;Y" (remove the spaces) into my input field, it adds just fine as well.

So I assume CI tries to escape this by automatically ending a string with a semicolon if it contains an ampersand with no whitespace? How do I stop this behavior? Why isn't it just converting ampersands to their HTML entities?

I apologize if this isn't even a CodeIgniter problem, and I do admit it's a pretty noobish question to be asking, but any help would be appreciated. :)

Thank you.

EDIT: I actually had to jump through a hoop just to get this posting right!!! It was automatically adding the semi-colons to my first examples! To fake it I had to type out the HTML entities myself!

EDIT2: Try typing it out for yourself! I just had to edit this post 10 times to get it displaying correctly.

EDIT3: I guess this is now officially a bug report. CI should not be doing this to input.

Escaping issue with my code and/or database? - El Forum - 05-12-2008

[eluser]Pascal Kriete[/eluser]
Do you have global xss cleaning turned on or are you otherwise passing your data through that function? It adds the semicolons to make the filtering more robust.

Escaping issue with my code and/or database? - El Forum - 05-12-2008

Oh, I see. I'll have to check.

Robust, indeed. I'll have to weigh the benefits then.. I don't want my content displaying semi-colons for no good reason. (Because, like I said, why doesn't it instead store ampersands as their HTML entities in a database? That's the same as inserting random semi-colons.)

Any control over that specific function? I haven't delved much into the system folder, but I believe I may be able to change it by using a hook, or just by extending the library (if it is a library)?

Or is there some way to bypass it before running my UPDATE query? I think those characters SHOULD be stored as their HTML entities, and like I already said I'm not sure why they aren't..

Thanks for your reply.

Escaping issue with my code and/or database? - El Forum - 05-12-2008

[eluser]Pascal Kriete[/eluser]
It really depends on where it runs. Can you try just echoing the data where you would otherwise insert it and check whether it's already escaped? If it isn't, I presume the easiest workaround would be:
$text = str_replace('&', '&amp;', $text);

If it is already escaped, can you tell us how it's coming in? Also, check your application/config/config.php file for:
$config['global_xss_filtering'] = TRUE;

Escaping issue with my code and/or database? - El Forum - 05-13-2008

Well, I did turn XSS Filtering on, but I didn't think it would have such odd side effects. I think a str_replace is highly unnecessary as the Database class should be auto-escaping HTML entities to well.. HTML Entities. I mean, when you're inputting an ampersand into an input box, when is it NOT going to be displayed as HTML?

Can I extend the Database class to do this automatically? I'd still prefer to call this a "bug" though.


I did not type a single semi-colon by myself (see: above ^^), and it also removed the spaces between them. I think this is a pretty big issue..

Why aren't the CodeIgniter devs themselves escaping ampersands then on this board? :)


Edit2: And regarding your example for str_replace, that wouldn't even work. What if the HTML entity (& amp ; - minus spaces) is already being typed in? Then you would get & amp ; amp ; (minus spaces) or something strange.

Then I'd have to do a preg_replace for better precision, and that's much more intensive. Then the other option would be to use the PHP function to convert everything to HTML entities, and I still don't want to have to do that for all input before my UPDATE and INSERT queries.
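As an added example (not code from the thread and not CodeIgniter's own code), the PHP script below puts the str_replace workaround suggested earlier next to htmlspecialchars() with its double_encode argument set to false, which encodes a bare ampersand but leaves an entity the user already typed intact, and next to the usual alternative of storing the title exactly as typed and escaping it only when it is rendered into HTML. The function names and the sample titles are constructed for this demonstration.

```php
<?php
// Added example; not code from the thread and not CodeIgniter's own code.
// It contrasts the str_replace workaround suggested in the thread with an
// escape that does not double-encode, and shows escaping at output time.

// The workaround from the thread: every '&' becomes '&amp;', including the
// '&' that begins an entity the user already typed, so '&amp;' turns into
// '&amp;amp;'. This is the objection raised in the last post.
function naive_amp_escape(string $text): string
{
    return str_replace('&', '&amp;', $text);
}

// htmlspecialchars() with its fourth argument, double_encode, set to false
// (available since PHP 5.2.3) encodes a bare '&', '<', '>', '"' and "'" but
// leaves an entity that is already well formed, such as '&amp;', alone.
function entity_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// The approach the objection points towards: store the title exactly as
// typed and escape it at the point where it is written into HTML. The
// database then never holds presentation-specific encoding, and no
// double-encoding question arises on the way in.
function render_title(string $raw_title): string
{
    return '<h1>' . htmlspecialchars($raw_title, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed sample inputs (hypothetical titles, not data from the thread's
// database): the thread's "X&Y" case, the already-encoded case, and one
// with a tag-opening character that an ampersand-only replace would miss.
$titles = ['X&Y', 'X & Y', 'X&amp;Y', 'Tom & Jerry <3'];

foreach ($titles as $title) {
    printf("input: %-16s naive: %-22s no-double-encode: %s\n",
        $title, naive_amp_escape($title), entity_escape($title));
}

echo PHP_EOL;
foreach ($titles as $title) {
    echo render_title($title), PHP_EOL;
}
```

Run it with the php command-line binary and compare the columns: the naive replacement turns X&amp;Y into X&amp;amp;Y, while the double_encode = false call leaves it as typed. The render_title() lines show the more common arrangement, where the raw title is stored and escaped once at output; that also covers the '<' in the last sample, which an ampersand-only replace ignores entirely.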