HTML Escape on form helper
#1

Hi all,
First time using a PHP framework and I chose to go with CI. The documentation is awesome!
I'm a bit confused by the note on this page which says:

Quote:If you use any of the form helper functions listed on this page, the form values will be automatically escaped, so there is no need to call this function. Use it only if you are creating your own form elements.

What I thought it meant was that if I'm using form helpers like form_input(), I don't have to manually html_escape the posted data from these fields. But I found out that this was not the case and the input wasn't HTML escaped.

Code:
<?=form_open('article/comment')?>
   <?=form_textarea('comment')?>
   <?=form_hidden('article',$article['id'])?>
   <?=form_submit('submit', 'Post comment.')?>
</form>
`echo $this->input->post('comment')` in the controller returns unescaped HTML. It is also inserted into the database unescaped. I now use `html_escape($this->input->post())` instead of just `$this->input->post()` as a workaround. Is it the right way to do this? What does "form values will be automatically escaped" in the documentation actually mean?

Thanks in advance!
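As an added illustration, not part of the post above and not CodeIgniter's own code: a standalone PHP script showing where the escaping in the quoted documentation note happens and where it does not. The note refers to the values the helpers write into the generated HTML (a `value="..."` attribute or textarea body), which is output encoding; it says nothing about what the browser submits, so `$this->input->post()` returns the raw string. `escape_html()` and `render_textarea()` are hypothetical stand-ins for CI's `html_escape()` and `form_textarea()` (CI 3's `html_escape()` wraps `htmlspecialchars()`), the `$posted` array is constructed sample input, and the PDO part assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example, not from the forum post or from CodeIgniter.
// Demonstrates: input arrives raw, is stored raw (parameterised), and is
// escaped once, at output time, for the HTML context it is rendered into.
declare(strict_types=1);

// Stand-in for CI's html_escape(): htmlspecialchars with ENT_QUOTES, UTF-8.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Stand-in for a form helper such as form_textarea(). This is the place the
// documentation note talks about: the value it RENDERS is escaped, so a stored
// comment containing quotes or tags cannot break out of the element.
function render_textarea(string $name, string $value): string
{
    return '<textarea name="' . escape_html($name) . '">'
        . escape_html($value) . '</textarea>';
}

function fail(string $msg): void
{
    fwrite(STDERR, "FAIL: $msg\n");
    exit(1);
}

// Constructed sample input: what $this->input->post('comment') returns.
// The helper that rendered the form had no influence on these bytes.
$posted = ['comment' => '<script>alert(1)</script> "quoted" & ampersand'];
$raw = $posted['comment'];

// 1. Store the raw value. SQL safety comes from the bound parameter, not from
//    HTML escaping; the two are different output contexts.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $raw]);

// 2. Read it back and escape exactly once, where it lands in HTML.
$body = (string) $pdo->query('SELECT body FROM comments')->fetchColumn();
if ($body !== $raw) {
    fail('database should hold the raw value');
}
$page = '<p>' . escape_html($body) . '</p>';
if (strpos($page, '<script>') !== false) {
    fail('script tag survived output escaping');
}

// 3. Re-populating the form with the stored value: this is where the helper's
//    "automatic escaping" applies.
$form = render_textarea('comment', $body);
if (strpos($form, '<script>') !== false) {
    fail('script tag survived the form helper');
}

// 4. The workaround from the post (escape on input) stores entities and then
//    double-encodes when the page and the form helper escape again on output.
$escaped_on_input = escape_html($raw);
$double = '<p>' . escape_html($escaped_on_input) . '</p>';
if (strpos($double, '&amp;lt;script&amp;gt;') === false) {
    fail('expected double-encoded output');
}

echo "stored : $body\n";
echo "page   : $page\n";
echo "form   : $form\n";
echo "double : $double\n";
```

Run it with `php example.php`. The practical reading of the note: keep `$this->input->post()` unescaped, insert it with query bindings, and call `html_escape()` (or let the form helpers do it) at the point where the string is written into HTML. Escaping on input ties the stored data to one output context, so anything that later shows it in JSON, plain-text e-mail or a pre-populated form either double-encodes or has to unescape first.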


Messages In This Thread
HTML Escape on form helper - by ciIsAwesome - 12-01-2018, 03:50 AM
RE: HTML Escape on form helper - by jreklund - 12-01-2018, 09:29 AM
RE: HTML Escape on form helper - by ciIsAwesome - 12-01-2018, 11:18 AM


