A "User's Guide" to Jamie Rumbelow's MY_Model library

[eluser]theshiftexchange[/eluser]
Another idea I'm using - White_list your insert data (after form_validation) so you can just pass the $this->input->post() result and sleep easy at night.

Code:

class Fake_model extends MY_Model
{
public $before_create = array ('white_list_add');


         function __construct()
{
  parent::__construct();
}


// Make sure only the correct data is loaded
protected function white_list_add($post)
{
  // Get all the field names once, so we dont smash the database
  $fields = $this->db->list_fields($this->_table);

  // Go through all the Post data
  foreach ($post as $post_id => $value)
  {
   // Now check if the post is equilivant to a column in the table
   if ( ! in_array($post_id, $fields))
   {
    // If not, then unset it
    unset($post[$post_id]);
   }
  }

  // Also make sure the ID field is always removed on creation - the database should pick it and prevent a hacker from overriding someone elses record
  unset($post[$this->primary_key]);

  // And now manually set the user_ID - so even if someone tried to hack a new ID, we overwrite it regardless (for additional safety, if your validation did not check this - obviously alter this depending on your specific needs)
  $user= $this->ion_auth->user()->row();
  $post['users_id'] = $user->id;

  // Now return the cleaned data
  return $post;        
}
}