is this statement true or false: if I use $this->form_validation->set_rules then I don't need to sanitise the input?

Refringe:
I've wondered this in the past, so I did a little testing to find out exactly what's going on.

It turns out the post-validated value is only available in a callback if you pass the value to the callback as a parameter. If you try to access post data in a callback using the input class you will only retrieve pre-validated data.

However, once the validation has passed, the post-validated values are pushed back to the $_POST, so you can access them using the input class.

This, of course, sucks when you want to validate two inputs using one callback, like a login form, but then again, you're not storing any information using a login form, so it shouldn't matter. What you should be doing is taking the username and password as raw input and trying to select a match from your users table (using the Active Record Class). If there's no match, there's no login. You're not going to be storing or writing the username or password through a login callback, so this is all very unnecessary because even if there is an XSS exploit it's just going to be discarded.

Below is my test code and my results.

CONTROLLER:
Code:
public function index()
{
    $this->load->library('form_validation');
    // Rules run left to right; the callback on to_lower runs after trim|required|strtolower.
    $this->form_validation->set_rules('to_upper', 'to_upper', 'trim|required|strtoupper');
    $this->form_validation->set_rules('to_lower', 'to_lower', 'trim|required|strtolower|callback__cbtest');
    
    if ($this->form_validation->run() == FALSE)
    {
        $this->load->view('testing');
    }
    
    else
    {
        // Only after run() succeeds are the processed values written back to $_POST.
        echo "After Validation - Should be uppercase:<br />";
        var_dump($this->input->post('to_upper'));
        
        echo "After Validation - Should be lowercase:<br />";
        var_dump($this->input->post('to_lower'));
        
        exit;
    }
}

// Callback invoked while run() is still in progress: the input class still sees raw POST data.
public function _cbtest($to_lower)
{
    echo "Callback - Input Class - Should be uppercase:<br />";
    var_dump($this->input->post('to_upper'));
    
    echo "Callback - Input Class - Should be lowercase:<br />";
    var_dump($this->input->post('to_lower'));
    
    // Only the parameter carries the value as processed by the preceding rules.
    echo "Callback - Parameter - Should be lowercase:<br />";
    var_dump($to_lower);
    
    return true;
}

VIEW:
Code:
<?php echo form_open('testing'); ?>
    <input type="text" name="to_upper" id="to_upper" value="Refringe" />
    <input type="text" name="to_lower" id="to_lower" value="Refringe" />
    <input type="submit" value="submit" />
</form>

RESULT:
Code:
Callback - Input Class - Should be uppercase:
string 'Refringe' (length=8)

Callback - Input Class - Should be lowercase:
string 'Refringe' (length=8)

Callback - Parameter - Should be lowercase:
string 'refringe' (length=8)

After Validation - Should be uppercase:
string 'REFRINGE' (length=8)

After Validation - Should be lowercase:
string 'refringe' (length=8)


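The ordering effect Refringe observed can be reproduced without a CodeIgniter install. The following is an added example, not code from the post or from CodeIgniter: a deliberately small stand-in for the rule pipeline (the `RulePipeline` class, its `run()` contract and the `TestController` are assumptions made for this illustration) that works on a private copy of the submitted data and only writes it back to `$_POST` once every field has passed. Because the callback fires while that copy is still private, anything read straight from `$_POST` inside it is the raw submission.

```php
<?php
// Added example (not from the forum post or CodeIgniter): a toy model of a
// '|'-separated rule pipeline, used only to show why a callback sees raw
// $_POST but a processed parameter. RulePipeline and TestController are
// assumed names for this illustration.

class RulePipeline
{
    private array $rules = [];
    private object $owner;

    public function __construct(object $owner)
    {
        $this->owner = $owner;
    }

    // Same shape as set_rules(): one '|'-separated rule string per field.
    public function set_rules(string $field, string $rules): void
    {
        $this->rules[$field] = explode('|', $rules);
    }

    // Applies rules left to right on a private copy; $post is replaced only
    // after every field passes, so failed runs leave the submission untouched.
    public function run(array &$post): bool
    {
        $processed = $post;
        foreach ($this->rules as $field => $rules) {
            $value = $processed[$field] ?? '';
            foreach ($rules as $rule) {
                if ($rule === 'required') {
                    if ($value === '') {
                        return false;
                    }
                } elseif (str_starts_with($rule, 'callback_')) {
                    // 'callback__cbtest' -> method '_cbtest'; it receives the
                    // value as processed by the rules before it.
                    $method = substr($rule, strlen('callback_'));
                    if ($this->owner->$method($value) === false) {
                        return false;
                    }
                } else {
                    // Plain PHP string functions: trim, strtoupper, strtolower ...
                    $value = $rule($value);
                }
            }
            $processed[$field] = $value;
        }
        $post = $processed;
        return true;
    }
}

class TestController
{
    public array $seen = [];

    public function _cbtest(string $to_lower): bool
    {
        // Reading the superglobal here yields the raw submission; only the
        // parameter carries the trimmed, lowercased value.
        $this->seen['callback_post']  = $_POST['to_lower'];
        $this->seen['callback_param'] = $to_lower;
        return true;
    }
}

// Constructed sample submission (leading/trailing spaces to make trim visible).
$_POST = ['to_upper' => '  Refringe ', 'to_lower' => 'Refringe'];

$controller = new TestController();
$validator  = new RulePipeline($controller);
$validator->set_rules('to_upper', 'trim|required|strtoupper');
$validator->set_rules('to_lower', 'trim|required|strtolower|callback__cbtest');

$passed = $validator->run($_POST);

var_dump($controller->seen['callback_post']);   // what the callback saw in $_POST
var_dump($controller->seen['callback_param']);  // what the callback got as a parameter
var_dump($_POST['to_upper']);                   // $_POST after a successful run()
var_dump($passed);
```

Run it with `php` on the command line; the three dumps line up with the post's RESULT block: raw in the callback's `$_POST` read, processed in the callback parameter, and processed in `$_POST` once `run()` returns true. Note what the model makes obvious: rules such as `trim` and `strtolower` transform the value, they do not sanitise it for any particular sink. A value that passed validation still needs `htmlspecialchars()` (or the framework's equivalent) when echoed into HTML, and query bindings or Active Record when it reaches the database.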
Messages In This Thread
is this statement true or false: if I use $this->form_validation->set_rules then I don't need to sanitise the input? - by El Forum - 02-29-2012, 01:46 PM