Redundant or Safer?

[eluser]Jesse Schutt[/eluser]
Hello All,

I am collecting info from a form and posting it to my db using the following code. It occurred to me that the $post_data array that I have created might be redundant. Should I pass the _POST array to the model instead of writing my own $post_data array?

if ($this->validation->run() == FALSE)
{
        // Build the record from the filtered input, one field at a time.
        $post_data = array(
            'first_name' => $this->input->post('first_name'),
            'last_name' => $this->input->post('last_name'),
            'gender' => $this->input->post('gender'),
            'address' => $this->input->post('address'),
            'city' => $this->input->post('city'),
            'state' => $this->input->post('state'),
            'zip' => $this->input->post('zip'),
            'camper_email' => $this->input->post('camper_email'),
            'birthdate' => $this->input->post('birthdate'),
            'age_at_time_of_camp' => $this->input->post('age_at_time_of_camp'),
            'first_time_camper' => $this->input->post('first_time_camper'),
            'father_guardian' => $this->input->post('father_guardian'),
            'mother_guardian' => $this->input->post('mother_guardian'),
            'home_phone' => $this->input->post('home_phone'),
            'cell_phone' => $this->input->post('cell_phone'),
            'parent_email' => $this->input->post('parent_email'),
            'church_group' => $this->input->post('church_group'),
            'buddy_1' => $this->input->post('buddy_1'),
            'buddy_2' => $this->input->post('buddy_2'),
            'payment_pref' => $this->input->post('payment_pref'),
            'payment_received' => '0',
            'timestamp' => date("Y-m-d-h-i-s"),
            // second argument TRUE runs the XSS filter on this field
            'additional_notes' => $this->input->post('additional_notes', TRUE)
        );

        $this->load->model('wt08/wt08_model', '', TRUE);
}

In other words, is this better practice? Is it safe?

if ($this->validation->run() == FALSE)
            $this->load->model('wt08/wt08_model', '', TRUE);

Thanks in advance!


If there were values in your post that you didn't want to pass to the db or any additional information alterations needed you would certainly want to create a new array.

This would typically follow up a successful validation check.

[eluser]Jesse Schutt[/eluser]
Thanks for the thoughts! That makes good sense.

Right now the POST array contains all the information I want to drop into a new record in the DB. Does Codeigniter sanitize the POST array? I read in the docs that the keys to the POST array are cleaned, but it doesn't mention anything else...


The POST array accessed through
is sanitized.

The $_POST is left untouched.



[eluser]Jesse Schutt[/eluser]

Thanks! Let me make sure I am understanding what you are saying...


Is that right? If so, that is what I was doing in my very first example. I am wondering if I can pass the entire $_POST variable to the method safely.

Thanks for your input!


If you use
The values will also be affected by validation rules you specify, such as trim|htmlspecialchars|xss_clean
This gives you more control over sanitizing input.

However, if you're going to use input, it's
instead of

Finally, even if CI sanitizes a lot of your input, you should still always sanitize input. For instance, if you execute
$this->db->where('id', $id);
and $id is empty by mistake, you will delete all records from your table.
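The guard the post above argues for, as an added example that is not code from the thread. It rejects an empty or non-numeric id before it reaches the WHERE clause, so a missing form field cannot turn a single-row delete into something wider. The model, method and table names (`Camper_model`, `delete_camper`, `campers`) are hypothetical; `$this->db` is CodeIgniter's Active Record object as loaded in a CI 1.x model, and `log_message()` is CI's logging function.

```php
<?php
// Added example (not from the thread). Guard a delete against an empty $id.
// Assumes CodeIgniter 1.x model conventions; names below are hypothetical.

class Camper_model extends Model
{
    function Camper_model()
    {
        parent::Model();
    }

    // Returns the number of rows removed, or FALSE when the id is unusable.
    function delete_camper($id)
    {
        // Reject '', NULL, FALSE, '0', 'abc' and negative values before touching
        // the database. Without this check, an id that went missing from the
        // form can produce a WHERE clause that matches far more than one row.
        if (!ctype_digit((string) $id) || (int) $id <= 0)
        {
            log_message('error', 'delete_camper called with invalid id: ' . var_export($id, TRUE));
            return FALSE;
        }

        // Cast to int so only a numeric literal is ever bound into the query.
        $this->db->where('id', (int) $id);

        // Third argument is a LIMIT: even if the where clause were wrong,
        // at most one row can go.
        $this->db->delete('campers', '', 1);

        return $this->db->affected_rows();
    }
}
```

Called as `$this->camper_model->delete_camper($this->input->post('id'))`, a request that omits the id now returns FALSE and writes a log entry instead of reaching the database; the controller can check the return value and show an error rather than assuming the delete happened.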

[eluser]Rick Jolly[/eluser]
One thing to note is that validation works directly on the $_POST array and alters it according to your validation rules.

I agree that you should specify the $_POST variables you want to pass to the model. You can automate the process a bit. I'd prep the values using validation and then create a helper to pass only the fields defined in validation to the model.
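The pattern described above, as an added example that is not code from the thread: the validation rules double as the whitelist, and a small helper copies only the keys named in those rules out of the (already trimmed and filtered) input into the array handed to the model. It assumes the CodeIgniter 1.x Validation class (`$this->validation`) and Input class (`$this->input`); the controller, model and field names are hypothetical.

```php
<?php
// Added example (not from the thread). Whitelist form fields via the
// validation rules before passing them to the model. CI 1.x conventions;
// class, model and field names are hypothetical.

class Register extends Controller
{
    function Register()
    {
        parent::Controller();
        $this->load->library('validation');
        $this->load->model('camper_model');
    }

    function index()
    {
        // Every column the model may receive must have a rule here. A field that
        // has no rule never reaches the model, whatever the client sends.
        $rules = array(
            'first_name'       => 'trim|required|xss_clean',
            'last_name'        => 'trim|required|xss_clean',
            'camper_email'     => 'trim|required|valid_email',
            'zip'              => 'trim|required|numeric',
            'additional_notes' => 'trim|xss_clean',
        );
        $this->validation->set_rules($rules);

        if ($this->validation->run() == FALSE)
        {
            // Validation failed: redisplay the form with the error messages.
            $this->load->view('register_form');
            return;
        }

        // run() has already applied trim/xss_clean to $_POST in place, so the
        // values copied here are the filtered ones.
        $post_data = $this->fields_from_rules($rules);

        // Server-controlled columns are set by the application, never copied
        // from the request. Passing $_POST straight through would let a client
        // supply its own values for these two keys.
        $post_data['payment_received'] = '0';
        $post_data['timestamp']        = date('Y-m-d H:i:s');

        $this->camper_model->insert_camper($post_data);
    }

    // Helper: copy only the keys named in $rules out of the request.
    // Returns an array safe to hand to $this->db->insert().
    function fields_from_rules($rules)
    {
        $data = array();
        foreach (array_keys($rules) as $field)
        {
            // Second argument TRUE runs the XSS filter again as a second line
            // of defence; post() returns FALSE for a field that is absent.
            $value = $this->input->post($field, TRUE);
            $data[$field] = ($value === FALSE) ? '' : $value;
        }
        return $data;
    }
}
```

The helper replaces the twenty-line hand-written array from the first post without giving up its main advantage: the set of columns written to the database is fixed by the code, not by whatever keys happen to arrive in `$_POST`. Adding a column means adding a rule, which also forces a decision about how that column is validated.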
