<, script and > inserted in DB

I load helpers, form, url and database in a controller.

I have the following model.

function entertest() {

        $data = array(
            'title' => $this->input->post('title'),
            'embed' => $this->input->post('embed'),
        );

        // Table name is not given in the post; 'items' is a placeholder
        $this->db->insert('items', $data);
}

When I enter < and > with a script tag, it is inserted in the DB.

I was assuming CI would change < to &gt;, but it did not.

According to the CI user guide, when you use $this->db->insert(): "Note: All values are escaped automatically producing safer queries."

I also used ", but it is in the DB as it is.

What am I doing wrong here?

Thanks in advance.

Encoding < into &gt; isn't the same as escaping it. Might want to look up the XSS filtering in the User Guide. I think that will take care of that.


@techgnome: Yeap and thanks.

XSS filtering changes &lt;script&gt; to "removed" and &lt;object&gt; to special characters.

I am wondering if CI has any class or helper to change HTML tags to special characters.

For example, <h1> to &lt;h1&gt; etc.

Or do I have to use htmlspecialchars?

For some reason I was thinking the XSS filtering would do that. My guess would be if there is a CI function, it would probably just be a wrapper for htmlspecialchars anyways, so odds are, probably not.
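To illustrate the distinction the thread turns on, here is an added example (not code from the thread or from CodeIgniter): the database driver's escaping only protects the SQL query, so angle brackets reach the column untouched, and it is output encoding with htmlspecialchars that neutralises them when the value is rendered. The sql_escape_like_driver function is an assumed stand-in for the driver's quote/backslash escaping, and the input string is constructed.

```php
<?php
// Stand-in for the driver's string escaping used by $this->db->insert():
// only quotes and backslashes are touched, never < or >.
function sql_escape_like_driver(string $value): string {
    return str_replace(
        ['\\', "'", '"'],
        ['\\\\', "\\'", '\\"'],
        $value
    );
}

// Encode for an HTML body or attribute context. Unlike xss_clean, which
// rewrites or removes tags, this is lossless and reversible.
function html_encode(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input resembling what the poster submitted through the form.
$title = '<script>alert("hi")</script> "quoted"';

// Escaping makes the INSERT safe, but MySQL strips the escape characters
// on the way in, so the column ends up holding the original string.
$stored = sql_escape_like_driver($title);
$inDb   = stripslashes($stored);
assert($inDb === $title);

// Echoing $inDb straight into a view is what creates the XSS exposure;
// encoding at output renders the markup as visible text instead.
echo html_encode($inDb), "\n";
```

The takeaway is that escaping belongs at the SQL boundary and encoding belongs at the HTML boundary; storing the raw value and encoding on output keeps the data intact and the page safe.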

