Validation prep_for_form
#1

[eluser]Aaron L.[/eluser]
Hello,

I am trying to submit my form to a function which validates my form before inserting it into the DB. In this function, I am attempting to use prep_for_form (documentation). The problem is, when I fill-in the form with something like "I'm", I still get an SQL error because the ' is there.

Here is my code:
Code:
$this->load->library('validation');

//set the validation rules
$rules['subject'] = "prep_for_form|required|xss_clean";
$rules['message'] = "prep_for_form|required|xss_clean";
$rules['to_nick'] = "trim|required|xss_clean";

$this->validation->set_rules($rules);

//set field names for validation error messages
$fields['subject'] = 'Subject';
$fields['message'] = 'Message';
$fields['to_nick'] = 'To Nickname';

$this->validation->set_fields($fields);

if ($this->validation->run() == FALSE)
{
    echo "Error";
}
else
{
    $this->db->query("INSERT INTO messages (subject, message) VALUES ('$subject','$message')");

    echo "SUCCESS!!";
}

Do you know what's going on here? I'm stumped...

Aaron
#2

[eluser]Christopher Blankenship[/eluser]
htmlspecialchars? For converting the single quote.
Quote: Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc.
from: http://www.ellislab.com/codeigniter/user...ation.html
#3

[eluser]coolfactor[/eluser]
I don't see where you're defining $subject and $message variables. Could that be part of the problem?
#4

[eluser]Rick Jolly[/eluser]
It is the job of the database library to escape SQL.

Either use Active Record or query bindings and the SQL will be escaped automatically.

Code:
// query bindings
$sql = "INSERT INTO messages (subject, message) VALUES (?,?)";
$this->db->query($sql, array($subject,$message));

// active record
$this->db->insert('messages', array('subject' => $subject, 'message' => $message));
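As an added illustration of the point above (not code from the thread or from CodeIgniter), here is plain PHP using PDO with an in-memory SQLite table instead of CodeIgniter's db class. It shows that HTML escaping leaves the apostrophe problem untouched while a bound parameter stores the value intact. The table name, columns and sample input are constructed for the example.

```php
<?php
// Added example: PDO + SQLite in memory, standing in for CodeIgniter's $this->db.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (subject TEXT, message TEXT)');

// Constructed sample input, the same kind of value the thread describes.
$subject = "I'm";
$message = "Hi there";

// 1. String interpolation: the apostrophe ends the SQL string literal early,
//    so the statement is malformed and the driver throws.
try {
    $db->exec("INSERT INTO messages (subject, message) VALUES ('$subject','$message')");
    echo "interpolated insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: " . $e->getMessage() . "\n";
}

// 2. HTML escaping (what prep_for_form / htmlspecialchars do) changes the data,
//    not the SQL problem: what would reach the database is "I&#039;m".
$htmlEscaped = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
echo "htmlspecialchars gives: $htmlEscaped\n";

// 3. Parameter binding: the value travels separately from the SQL text, so the
//    apostrophe is stored as data and never parsed as syntax.
$stmt = $db->prepare('INSERT INTO messages (subject, message) VALUES (?, ?)');
$stmt->execute([$subject, $message]);

$row = $db->query('SELECT subject, message FROM messages')->fetch(PDO::FETCH_ASSOC);
var_dump($row['subject'] === "I'm"); // bool(true): stored exactly as typed

// HTML-escape only at output time, when the value is rendered into a page.
echo 'Rendered: ' . htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8') . "\n";
```

The same separation applies in CodeIgniter: bind or use Active Record for the database, and reserve prep_for_form or htmlspecialchars for the moment the value is displayed.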
#5

[eluser]Aaron L.[/eluser]
Thanks Rick! That is good to know. I've updated my code with an active record insert and it works fine. Thanks again!
#6

[eluser]Aaron L.[/eluser]
Also, thanks to everyone else for helping.