[SOLVED] Avoid POST data escaping
#1

(This post was last modified: 12-19-2014, 03:36 AM by _this.)

Hi CodeIgniters!

I need your help on a point that is hard for me... Let me explain.

I'm working on a project which needs to store XML data in a database; the data is generated in JS and saved to the DB via AJAX.

Here is the code:

Main Controller
PHP Code:
public function create()
{
    $this->layout->addJS("create_instruction");
    $this->layout->view("instructions/create", $this->data);
}

public function saveXML()
{
    // Note: CI_Input sanitizes $_POST in its constructor, which runs before
    // any controller method, so a config item set here comes too late to
    // influence that pass. The item name and boolean value are the ones
    // the MY_Input class further down reads.
    $this->config->set_item('disable_post_security', TRUE);

    $xml = $this->input->post('xml');

    // Keep the result so the flag is reset before returning
    // (returning straight from the if would skip the reset).
    $result = false;
    if (!empty($xml))
        $result = $this->instru->setXML("4", "model", $xml);

    $this->config->set_item('disable_post_security', FALSE);
    return $result;
}

Javascript
Code:
$(function() {
    $("#newQuestion").on("click", function() {
        // Voluntarily omitting code
        // Here the XML is generated into an HTML <pre>
    });
    $("#saveXML").on("click", function() {
        $("#pre").append("\n&lt;/instruction&gt;");
        var xml = $("#pre").html();
        xml = xml.replace(/[\n\t]/g, "");
        // Global regex: a plain string pattern would only strip the first <br>
        xml = xml.replace(/<br>/g, "");
        // Decode HTML entities (&lt; &gt; ...) back to raw XML characters
        xml = $("<textarea/>").html(xml).text();
        //alert($("<textarea/>").html(xml).text());
        $.ajax({
            type: "POST",
            url: "<?php echo base_url('instructions/saveXML'); ?>",
            // The XML is appended raw, without URL-encoding, so any '&' or '='
            // inside it is read by PHP as a field separator; passing
            // data: { xml: xml } instead would let jQuery encode it.
            data: "xml=" + xml,
            success: function (resp) {
                alert(resp);
            }
        });
    });
});

Model
PHP Code:
public function setXML($id, $type, $value)
{
    if (!empty($value) && !empty($id))
    {
        // "model" writes the template XML, "values" the filled-in instance
        if ($type == "model")
            return $this->db->update("instruction", array("xml" => $value), array("id" => $id));
        else if ($type == "values")
            return $this->db->update("instanceinstruction", array("xml" => $value), array("id" => $id));
        else
            return false;
    }

    return false;
}

The problem is that I end up with an XML-formatted string like this one:

Code:
<?xml version='1.0' encoding='UTF-8'?><instruction><question id='1'><request><object type='text'>Question ?</object></request><response><object type='radio'><option value='1'>Yep</option><option value='2'>Nope</option></object></response></question></instruction>

And the result of the alert is obviously: "Disallowed Key Characters."

____________

From that consideration, I thought overriding the Input class would do it!

I tried to make a MY_Input class in my app/core folder; it looks like this for now:

PHP Code:
<?php if(!defined('BASEPATH')) exit('No direct script access allowed');

class MY_Input extends CI_Input
{
    protected $_disable_post_security = FALSE;

    public function __construct()
    {
        // Read the flag before calling the parent: CI_Input's constructor is
        // what calls _sanitize_globals(), so setting the flag only after
        // parent::__construct() would leave it FALSE during sanitization.
        $this->_disable_post_security = (config_item('disable_post_security') === TRUE);

        parent::__construct();
    }

    function _sanitize_globals()
    {
        // I kept the same code as in CI core, except for the next part

        // Clean $_POST Data
        if ($this->_disable_post_security == FALSE)
        {
            if (is_array($_POST) AND count($_POST) > 0)
            {
                foreach ($_POST as $key => $val)
                {
                    // _clean_input_keys() is the method that exits with
                    // "Disallowed Key Characters." when it rejects a key
                    $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
                }
            }
        }
        else
        {
            // Here should be my code but I don't know how to make it!
        }

        // I kept the same code as in CI core to the end of function
    }
}


Here I'm a little lost because I still need the POST array built, but without running the _clean_input_keys function! So I don't know how to do it; that's the point...

If someone could help me, it would be really really nice :) I know it creates a security gap, but I tried to make it as safe as possible with the config value.
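The thread never says what the AJAX response actually contained, so the following does not diagnose the error above. It is an added example (not code from the thread, from jQuery or from CodeIgniter) that shows in plain Node.js why the `data: "xml=" + xml` form used in the post is fragile: PHP splits a form-urlencoded body on `&` and `=`, so any ampersand inside the XML (an `&amp;` entity in the question text, for instance) turns the rest of the document into a second field whose name is an XML fragment, and CodeIgniter's key filter rejects that name with exactly the "Disallowed Key Characters." message. Passing `data: { xml: xml }` instead lets jQuery percent-encode the value, after which the filter has nothing to object to and no sanitization needs to be switched off. The PHP form parser and the CodeIgniter 2.x key pattern are simplified reconstructions from memory (assumptions of this example), `URLSearchParams` stands in for jQuery's `$.param`, and the sample XML is constructed from the string quoted in the post.

```javascript
// Added example, not from the original thread, jQuery or CodeIgniter.
// Emulates how PHP fills $_POST from a form-urlencoded body and how
// CodeIgniter 2.x's CI_Input::_clean_input_keys() rejects a key, to show
// why an unencoded "xml=" + xml body can trip the filter while an encoded
// one (what jQuery sends for data: { xml: xml }) cannot.

// Constructed sample input: the XML string quoted in the thread, plus a
// variant whose question text contains an XML entity (an ampersand).
const SAMPLE_XML =
  "<?xml version='1.0' encoding='UTF-8'?><instruction><question id='1'>" +
  "<request><object type='text'>Question ?</object></request>" +
  "<response><object type='radio'><option value='1'>Yep</option>" +
  "<option value='2'>Nope</option></object></response></question></instruction>";
const AMPERSAND_XML = SAMPLE_XML.replace("Question ?", "Question &amp; answer ?");

// Percent-decode one half of a pair the way PHP does ('+' is a space).
function decodeForm(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s; // malformed escape: keep it raw (never hit by the samples)
  }
}

// Simplified emulation of PHP's form parser (assumption): pairs are split
// on '&', each pair on its FIRST '=', and both halves are decoded.
function parseFormBody(body) {
  const post = {};
  for (const pair of body.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? "" : pair.slice(eq + 1);
    post[decodeForm(key)] = decodeForm(val);
  }
  return post;
}

// CodeIgniter 2.x key pattern as remembered from CI_Input::_clean_input_keys
// (assumption of this example); anything else exits with the message below.
const CI_KEY_RE = /^[a-z0-9:_\/-]+$/i;

function ciCleanInputKeys(post) {
  for (const key of Object.keys(post)) {
    if (!CI_KEY_RE.test(key)) {
      throw new Error("Disallowed Key Characters.");
    }
  }
  return post;
}

// The body the thread's $.ajax call builds: raw XML glued onto "xml=".
function unencodedBody(xml) {
  return "xml=" + xml;
}

// The body jQuery builds for data: { xml: xml }; URLSearchParams is used as
// a stand-in whose output PHP decodes identically: '&', '=', '<', '?', quotes
// and spaces are all escaped, so the value can never split into new fields.
function encodedBody(xml) {
  return new URLSearchParams({ xml: xml }).toString();
}

// Feed a request body through the PHP-style parser and CI's key filter.
// Returns the $_POST keys CI would keep, or the message CI would print.
function simulateCodeIgniterPost(body) {
  try {
    const post = ciCleanInputKeys(parseFormBody(body));
    return { ok: true, keys: Object.keys(post), xml: post.xml };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-alone run: the plain sample survives unencoded, one '&' in the text
// turns an XML fragment into a form key and trips the filter, and the encoded
// body round-trips the XML unchanged in both cases.
console.log(simulateCodeIgniterPost(unencodedBody(SAMPLE_XML)));
console.log(simulateCodeIgniterPost(unencodedBody(AMPERSAND_XML)));
console.log(simulateCodeIgniterPost(encodedBody(AMPERSAND_XML)));
```

Run it with `node`. The point for the thread is that the unencoded body only works by luck on XML that happens to contain no `&`; the encoded body works for any content, which removes the reason to disable CodeIgniter's POST sanitization in the first place.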
#2

You can first try adding these parameters to your jQuery AJAX call:

Code:
contentType: "text/xml",
dataType: "xml"

#3

I cancelled my override of the Input class and got the POST data with native PHP $_POST["xml"], but I still had the same message "Disallowed Key Characters."! So I checked the DB classes but couldn't find this message in the code.

The Controller is now like this:

PHP Code:
public function saveXML()
{
    // empty() also covers a missing field, so no undefined-index notice
    $xml = !empty($_POST['xml']) ? $_POST['xml'] : null;
    if (!is_null($xml))
        return $this->instru->setXML("4", "model", $xml);
}

@Rufnex: Thanks for your answer. I tried it but nothing happened, so I added the error handler to the AJAX call and it goes to error.

Here is the AJAX:

Code:
$.ajax({
    type: "POST",
    url: "<?php echo base_url('instructions/saveXML'); ?>",
    data: "xml=" + xml,
    // With a text/xml body PHP does not populate $_POST at all (only
    // form-urlencoded and multipart bodies are parsed into it), so
    // $_POST['xml'] in the controller stays unset.
    contentType: "text/xml",
    // dataType "xml" makes jQuery call error() unless the response parses as XML
    dataType: "xml",
    success: function (resp) {
        alert(resp);
    },
    error: function() {
        alert("error");
    }
});

I don't think I messed up the model, so I can't figure it out... I will continue to investigate.
#4

(This post was last modified: 12-19-2014, 03:35 AM by _this.)

Ok guys, I'm such a newbie...

I hadn't looked at the response from AJAX, but there were obvious errors!

It's now fixed :)

Thanks Rufnex for your help getting me on the right track!
#5

Glad to help you ;)
