<, script and > inserted in DB
#1

[eluser]shinokada[/eluser]
I load helpers, form, url and database in a controller.

I have the following model.

Code:
function entertest()
{
    // insert() escapes these values for the SQL statement only;
    // the stored strings are the raw POST input, with no HTML encoding.
    $data = array(
        'title' => $this->input->post('title'),
        'embed' => $this->input->post('embed'),
    );
    $this->db->insert('video', $data);
}

When I enter < and > with a script tag, they are inserted into the DB as-is.

I was assuming CI would change < to &gt;, but it did not.

According to the CI user guide, on $this->db->insert(): "Note: All values are escaped automatically producing safer queries."

I also used ", but it is in the DB as it is.

What am I doing wrong here?

Thanks in advance.
#2

[eluser]techgnome[/eluser]
Encoding < into &gt; isn't the same as escaping it. You might want to look up the XSS filtering in the User Guide. I think that will take care of that.

-tg
#3

[eluser]shinokada[/eluser]
@techgnome: Yeap and thanks.

XSS filtering changes &lt;script&gt; to "removed" and &lt;object&gt; to special characters.

I am wondering if CI has any class or helper to change HTML tags to special characters.

For example <h1> to &lt; etc.

Or do I have to use htmlspecialchars?
#4

[eluser]techgnome[/eluser]
For some reason I was thinking the XSS filtering would do that. My guess would be that if there is a CI function, it would probably just be a wrapper for htmlspecialchars anyway, so odds are, probably not.

-tg
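The thread turns on two different kinds of "escaping": the database layer escapes values so the SQL statement stays well-formed, while HTML encoding (htmlspecialchars in PHP) is done at the output sink. The following is an added example in Python, not CodeIgniter's code; the in-memory sqlite3 `video` table and the sample rows are constructed here to stand in for the model above. It shows that a parameterised insert stores `<script>`, `"` and `'` verbatim (yet an injection-shaped title cannot break the query), and that encoding on output is what neutralises the markup, without the data loss that input-time XSS filtering causes.

```python
import html
import sqlite3

# Constructed sample inputs, standing in for $this->input->post('title') / post('embed').
SAMPLE_ROWS = [
    ("Intro", "<script>alert(1)</script>"),
    ('Say "hi"', '<object data="x"></object>'),
    ("O'Reilly", "<h1>plain heading</h1>"),
    # SQL-injection-shaped title: escaping for the query keeps this a literal string.
    ("x'); DROP TABLE video; --", ""),
]


def make_db():
    """In-memory stand-in for the CI 'video' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE video (id INTEGER PRIMARY KEY, title TEXT, embed TEXT)"
    )
    return conn


def insert_video(conn, title, embed):
    """Parameterised insert: the driver escapes for SQL, the stored text is unchanged.
    This is the guarantee 'values are escaped automatically' gives: a safe *query*,
    not encoded *data*."""
    conn.execute("INSERT INTO video (title, embed) VALUES (?, ?)", (title, embed))
    conn.commit()


def fetch_videos(conn):
    """Read rows back exactly as stored."""
    return conn.execute("SELECT title, embed FROM video ORDER BY id").fetchall()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM video").fetchone()[0]


def render_row(title, embed):
    """Output encoding at the HTML sink, the job htmlspecialchars() does in PHP.
    html.escape() with quote=True also turns \" and ' into entities, so the values
    are safe inside attribute values as well as element content."""
    return "<li><b>{}</b>: <code>{}</code></li>".format(
        html.escape(title, quote=True), html.escape(embed, quote=True)
    )


def demo():
    """Store the raw rows, then render them; returns (stored rows, rendered HTML)."""
    conn = make_db()
    for title, embed in SAMPLE_ROWS:
        insert_video(conn, title, embed)
    stored = fetch_videos(conn)
    rendered = [render_row(t, e) for t, e in stored]
    # The injection-shaped title did not drop the table: all rows are still there.
    assert row_count(conn) == len(SAMPLE_ROWS)
    return stored, rendered


if __name__ == "__main__":
    stored, rendered = demo()
    for (title, embed), line in zip(stored, rendered):
        print(repr(title), repr(embed))
        print("   ->", line)
```

The rendered lines contain no live tags or unescaped quotes, while the database still holds the original `<script>` and `<object>` markup, which is the property the thread is asking about: escape for whatever sink the value is going into (SQL at insert time, HTML at render time) rather than transforming the data on the way in.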