escaping output in CodeIgniter
#1

Filter Input, Escape Output.

After filtering input, I am using the html_escape function to escape database output before displaying it in the browser.

Quote:$query = $this->db->query($sentstring); //returns list of users

$data['user'] = html_escape($query->result());

Now result() returns an array of objects and html_escape expects a string. So I am getting the error:

Quote:Message: htmlspecialchars() expects parameter 1 to be string, object given

Filename: core/Common.php

How do I resolve this issue? Also, is my method of escaping output the proper way?
Reply
#2

$query->result() is an object.

You need to do html_escape from within your foreach loop.
Reply
#3

Thanks Martin.

So I have to do escaping like this for all the fields to be displayed:

Quote:<?php
foreach($user as $loop) 
{  ?>
        <tr>
                <td><?php echo html_escape($loop->name);?></td>
        </tr>

<?php     } ?>
Reply
#4

It is one way of doing it.

You need the loop to display the list in your view anyway. So why not call html_escape from there?
Reply
#5

(This post was last modified: 07-24-2017, 11:05 AM by PaulD. Edit Reason: Clarification )

Assuming you have turned your object into an array, it should work without looping if you wanted to do it in the controller.

Here is the function from common.php:

PHP Code:
if ( ! function_exists('html_escape'))
{
    function html_escape($var, $double_encode = TRUE)
    {
        if (empty($var))
        {
            return $var;
        }

        if (is_array($var))
        {
            foreach (array_keys($var) as $key)
            {
                $var[$key] = html_escape($var[$key], $double_encode);
            }

            return $var;
        }

        return htmlspecialchars($var, ENT_QUOTES, config_item('charset'), $double_encode);
    }
}

So you should be fine with:
PHP Code:
$data['user'] = html_escape($query->result_array()); 


Paul

PS: Isn't that a beautifully coded function? I love learning how to code better from the CI Core...
Reply
#6

Thanks Paul for your reply.

This way I can do the escaping in the controller itself.

Quote:$roles = $this->db->query($sql1, array($role_id));

$data['role'] = html_escape($roles->result_array());  

$this->load->view('edit_user',$data);


But I am displaying the form values in the view as fields of an object, and hence I will have to change them to array fields.

For example:

Quote:<div class="form-inline input-group">
<?php
foreach($role as $loop)
{
    if(isset($CheckTask[$loop->id]))
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' checked />&nbsp; $loop->name &nbsp;</label>";
    else
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' />&nbsp; $loop->name &nbsp;</label>";
}
?>
</div>

Using this code, I display a user's assigned roles. 

Now when I try to change the object fields to array fields, I get syntax errors.
Reply
#7

A quick fix for that:

PHP Code:
$data['user'] = html_escape($query->result_array()); 

PHP Code:
<?php
foreach($role as $std)
{
    $loop = (object)$std; // Cast as an object to convert the array
    if(isset($CheckTask[$loop->id]))
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' checked /> $loop->name</label>";
    else
        echo "<label class='checkbox inline'><input type='checkbox' name='role[]' value='$loop->id' />$loop->name</label>";
}
?>
Reply
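The two pieces of advice in this thread, escaping the whole result_array() in the controller (post #5) and casting each row back to an object in the view (post #7), fit together in one stand-alone script. The following is an added example, not code from the thread or from CodeIgniter itself: it mirrors the html_escape() helper quoted above with config_item('charset') replaced by a constant, uses a hand-built row set in place of $roles->result_array(), and wraps the checkbox markup from post #6 in a function so the rendered output can be inspected. It also reproduces the error from post #1 to show why result() objects fall through the helper's is_array() branch.

```php
<?php
// Added example (not from the thread): mirrors the CodeIgniter html_escape()
// helper, escapes a result_array()-style row set in the "controller", and
// renders it in the "view" with the (object) cast from post #7.
// config_item('charset') is replaced by a constant and the database rows are
// constructed by hand so the script runs offline.

const APP_CHARSET = 'UTF-8'; // stands in for config_item('charset')

if ( ! function_exists('html_escape'))
{
    // Same logic as the CI core helper: recurses into arrays, otherwise calls
    // htmlspecialchars() with ENT_QUOTES so both " and ' are encoded.
    function html_escape($var, $double_encode = TRUE)
    {
        if (empty($var))
        {
            return $var;
        }

        if (is_array($var))
        {
            foreach (array_keys($var) as $key)
            {
                $var[$key] = html_escape($var[$key], $double_encode);
            }

            return $var;
        }

        return htmlspecialchars($var, ENT_QUOTES, APP_CHARSET, $double_encode);
    }
}

// Constructed stand-in for $roles->result_array(): the second row carries every
// character that matters inside HTML text and inside quoted attributes.
$roles_result_array = array(
    array('id' => '1', 'name' => 'Editor'),
    array('id' => '2', 'name' => 'Bob <b>"admin"</b> & \'friends\''),
);

// Controller side: escape the whole row set once, as post #5 suggests.
$data = array();
$data['role']      = html_escape($roles_result_array);
$data['CheckTask'] = array('2' => TRUE); // roles already assigned to the user

// View side: the checkbox list from post #6, using the (object) cast from
// post #7 so the template keeps its $loop->id / $loop->name syntax.
function render_role_checkboxes(array $role, array $CheckTask)
{
    $html = '';
    foreach ($role as $std)
    {
        $loop = (object) $std; // array row -> object, as in post #7
        $checked = isset($CheckTask[$loop->id]) ? ' checked' : '';
        $html .= "<label class='checkbox inline'>"
               . "<input type='checkbox' name='role[]' value='$loop->id'$checked />"
               . " $loop->name</label>\n";
    }
    return $html;
}

echo render_role_checkboxes($data['role'], $data['CheckTask']);
// The second label now contains
//   Bob &lt;b&gt;&quot;admin&quot;&lt;/b&gt; &amp; &#039;friends&#039;
// so neither the tag nor either quote character can end the attribute or the
// text node it was written into.

// Why post #1 failed: result() returns stdClass objects, which the helper's
// is_array() branch skips, so htmlspecialchars() receives an object. PHP 7
// emits the "expects parameter 1 to be string, object given" warning seen in
// the thread; PHP 8 throws a TypeError instead.
try
{
    html_escape((object) array('name' => 'x'));
}
catch (TypeError $e)
{
    echo "html_escape() on an object: " . $e->getMessage() . "\n";
}
```

One detail worth knowing when relying on this helper: the early `empty($var)` return hands back values such as `'0'`, `''` and `NULL` untouched, which is harmless because none of them contain characters that need encoding, but it means the function is not a guarantee that every return value has passed through htmlspecialchars(). The ENT_QUOTES flag is what makes the single-quoted `value='...'` attributes in the thread's markup safe; with the default flags `'` would be left alone.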
#8

Thanks Martin.

Worked like a charm.
Reply



