CodeIgniter Forums
prep_for_form vs htmlentities

Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
Thread: prep_for_form vs htmlentities (/showthread.php?tid=8325)



prep_for_form vs htmlentities - El Forum - 05-14-2008

[eluser]veliscorin[/eluser]
Before I used CodeIgniter, I used to run htmlentities() on my entries before inserting them into the database, so that all characters were stored in their HTML-entity form. Now that I use CI's validation class, do I still have to do it that way?

Without calling any native PHP functions, the queries work as usual, but in the database the values are stored as "&" and "<" etc. instead of &amp; and &lt;.

In the first place, am I thinking about this the right way?
I hope you can advise me on my thinking.

Cheers!
Velis


prep_for_form vs htmlentities - El Forum - 05-14-2008

[eluser]Vince Stross[/eluser]
If you use the CI database class to construct your queries, you shouldn't have any trouble. I have written an entire CMS with CI, and the only thing I use is form_prep() on output, when doing something like this:

Code:
<input type="text" ... value="<?=form_prep($variable)?>" />

In other words, IMHO it's an unnecessary precaution if you're using the Active Record query constructors; otherwise, yes, you will need to handle this on your own.

(along with XSS filtering, of course)


prep_for_form vs htmlentities - El Forum - 05-14-2008

[eluser]Chris Newton[/eluser]
Just to clarify what Ishmael said: the Active Record class (http://ellislab.com/codeigniter/user-guide/database/active_record.html) will sanitize your data for you.

Code:
Note: All values are escaped automatically producing safer queries.
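The two replies above make two separate points: the database class escapes values on the way into the query, and form_prep() encodes them on the way out to HTML. The following is an added example, not code from this thread or from CodeIgniter. It uses plain PHP with PDO over an in-memory SQLite table in place of the Active Record class so that it runs stand-alone; form_prep_equiv() is a stand-in for form_prep(), not the framework's implementation, and all inputs are constructed for the demonstration.

```php
<?php
// Added example for this thread; not code from the thread or from CodeIgniter.
// Plain PHP + PDO over an in-memory SQLite table stands in for the Active
// Record class. It separates the two jobs the replies above describe:
//   1. query escaping: bound parameters keep user input from changing the SQL
//      and store the raw "&<>" characters unchanged (what veliscorin saw);
//   2. output escaping: a form_prep()-style encoder is applied at render time.
// All inputs below are constructed for the demonstration.

declare(strict_types=1);

/** Vulnerable lookup: the value is concatenated into the SQL text. */
function find_unsafe(PDO $db, string $title): array
{
    $sql = "SELECT title FROM entries WHERE title = '$title'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Safe lookup: bound parameter, the equivalent of Active Record's escaping. */
function find_safe(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT title FROM entries WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Safe insert: the raw string goes in; nothing is entity-encoded. */
function insert_safe(PDO $db, string $title): void
{
    $stmt = $db->prepare('INSERT INTO entries (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

/** Stand-in for CodeIgniter's form_prep(): encode for an HTML attribute value. */
function form_prep_equiv(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed inputs: HTML metacharacters and a quote, as a user might type them.
$titles = ['Tom & Jerry <b>"bold"</b>', "O'Reilly <script>alert(1)</script>"];
foreach ($titles as $t) {
    insert_safe($db, $t);
}

// 1. Storage: the rows hold exactly what was typed, with no entities.
$stored = $db->query('SELECT title FROM entries ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
if ($stored !== $titles) {
    throw new RuntimeException('stored values should be byte-for-byte the input');
}

// 2. Injection probe: a tautology that rewrites the WHERE clause when concatenated.
$probe = "' OR '1'='1";
$unsafeHits = find_unsafe($db, $probe);   // every row: WHERE title = '' OR '1'='1'
$safeHits   = find_safe($db, $probe);     // no rows: no title equals the probe text
printf("concatenated query matched %d rows, bound query matched %d\n",
    count($unsafeHits), count($safeHits));

// 3. Output: encoding happens once, at the point the value meets HTML.
foreach ($stored as $t) {
    printf('<input type="text" name="title" value="%s" />' . "\n", form_prep_equiv($t));
}
```

Run it with `php example.php`. The point to take from step 1 is that "stored as & and < instead of &amp; and &lt;" is the correct outcome: the database holds data, not markup, and the escaping in step 2 protects the query regardless of what characters the value contains. Step 3 is the only place HTML encoding belongs, and it is needed whether or not the form helpers generated the surrounding tag.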



prep_for_form vs htmlentities - El Forum - 05-14-2008

[eluser]Vince Stross[/eluser]
Well said ;)


prep_for_form vs htmlentities - El Forum - 05-14-2008

[eluser]veliscorin[/eluser]
Thanks for the replies, guys!
That's the beauty of CI: it handles all the sanitizing of input to the database...

All along I thought the validation rule "prep_for_form" would have converted it into HTML entities instead of the literal "&<>" etc. characters.

So now, am I right to say that even after applying the prep_for_form validation rule, when you display the information in your views you still have to run form_prep()? (If you didn't use any of the form helpers to generate the HTML, that is.)


prep_for_form vs htmlentities - El Forum - 05-15-2008

[eluser]Vince Stross[/eluser]
Good question. I've not used the prep_for_form rule... let me know what you find!


prep_for_form vs htmlentities - El Forum - 07-16-2009

[eluser]sszynrae[/eluser]
Maybe this interests you:
1. Enabling global XSS filtering automatically converts HTML entities on insert.
2. html_entity_decode() reverses the effect so your HTML gets read.
3. Whatever the validation rule does, it does not convert &<>.
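The last three posts contrast two storage strategies: entity-encode before the INSERT (what veliscorin used to do, and what sszynrae describes global XSS filtering as doing), or store the raw string and encode at output with form_prep(). The following is an added example, not code from this thread or from CodeIgniter, that shows with plain PHP string functions why the first strategy collides with the normal output escaper and how html_entity_decode() fits in. The "database" is simulated by a variable, the input string is constructed, and sszynrae's description of the XSS filter is taken as given rather than reproduced.

```php
<?php
// Added example for the last three posts above; not code from the thread or
// from CodeIgniter. Plain PHP string functions compare the two strategies the
// thread discusses, with the "database" simulated by a variable:
//   A. encode on the way in (htmlentities() before INSERT, as veliscorin used to
//      do; sszynrae describes global XSS filtering as having a similar effect);
//   B. store as typed and encode on the way out (form_prep()/htmlspecialchars()).
// The input string is constructed for the demonstration.

declare(strict_types=1);

/** Strategy A: what is written to the database is already entity-encoded. */
function store_encoded(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

/** Strategy B: what is written is the raw string. */
function store_raw(string $value): string
{
    return $value;
}

/** The one output escaper every view should use (form_prep() equivalent). */
function render_attribute(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

$raw = 'AT&T says 1 < 2, "quoted" <script>alert(1)</script>';   // constructed input

$storedA = store_encoded($raw);   // AT&amp;T says 1 &lt; 2, &quot;quoted&quot; ...
$storedB = store_raw($raw);       // unchanged

// Strategy A meets the normal output escaper: the '&' of every stored entity is
// encoded again, so the browser displays the literal text "&amp;", "&lt;", ...
$doubleEncoded = render_attribute($storedA);

// Two ways out for Strategy A. Skipping the escaper for "already encoded"
// fields is fragile (one wrong field and raw HTML reaches the page). The other
// is what sszynrae points at: decode first, then encode exactly once at output.
$decodedA = html_entity_decode($storedA, ENT_QUOTES, 'UTF-8');
$fixedA   = render_attribute($decodedA);

// Strategy B needs only the single encoding step.
$renderedB = render_attribute($storedB);

// Checks: throw rather than print so a mismatch is obvious when run.
if ($decodedA !== $raw) {
    throw new RuntimeException('htmlentities/html_entity_decode did not round-trip');
}
if ($fixedA !== $renderedB) {
    throw new RuntimeException('both strategies should produce the same markup');
}
if (strpos($doubleEncoded, '&amp;amp;') === false) {
    throw new RuntimeException('expected double encoding when re-escaping stored entities');
}

echo "stored (A):                        $storedA\n";
echo "stored (B):                        $storedB\n";
echo "double-encoded (A through escaper): $doubleEncoded\n";
echo "rendered (A decoded, then escaped): $fixedA\n";
echo "rendered (B escaped once):          $renderedB\n";
```

Strategy B is the one the earlier replies recommend, and the checks show why: the raw value and the decoded Strategy-A value render identically once the single output encoding is applied, while a Strategy-A value pushed through the same escaper is double-encoded. Encoding at storage time also leaves entity text in every non-HTML consumer of the column (a JSON response, a CSV export, a plain-text email, a LIKE search for "&"), which is the practical reason to keep the database raw and encode for each output context separately.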