Login

08-13-2008, 02:52 AM

[eluser]xwero[/eluser]
[quote author="eilrahc" date="1218632735"] what's the use of validation->fieldname then? [/quote]
It does a form_prep to sanitize the string for display
[quote author="eilrahc" date="1218632735"]Isn't it considered "not safe" to use $_POST like this?[/quote]
Not safe means in this case, the string could possibly break the html, that is why the validation->fieldname uses a form_prep. But if you build your forms with form helper functions then the value gets form_prepped twice. So i rather like to decide when to form_prep a value.
[quote author="eilrahc" date="1218632735"]Couldn't you use input->post() instead? (I was lead to believe that input->post() always spat out "sanitized" strings.)[/quote]
If you enable xss_filtering then you are right about input->post returning sanitized strings. You can't use input->post because you can't define a default. But that is some good thinking by the EL developers. The default only is necessary in the views so a helper function is the best place for the solution.