HTML Escape on form helper

Oh, gotcha. html_escape is used when the data is shown from the db and not when it is inserted. All clear now, thanks!

(12-01-2018, 09:29 AM)jreklund Wrote: It means that you don't need to do:
PHP Code:
// Not needed: form_input() already escapes the value it outputs,
// so wrapping it in html_escape() here would double-encode it.
echo form_input(array(
    'name'  => 'company_name',
    'value' => set_value('company_name', html_escape($company->name)),
    'class' => 'form-control',
));

And do it like this:
PHP Code:
// Pass the raw value; form_input() escapes it for you on output.
echo form_input(array(
    'name'  => 'company_name',
    'value' => set_value('company_name', $company->name),
    'class' => 'form-control',
));

$this->input->post doesn't escape anything; that should only be done on output. So if you are displaying it directly after submit, you need to escape it. If you are using form_validation and put a field as required and not writing anything in it, but write text in all other fields, form_input() will keep your data intact and escape it for you.

You should not use html_escape on anything you store in your database, but you can validate it with form_validation if you only want numbers. You should however use html_escape when you are displaying it from your database, so you aren't vulnerable to XSS.

Hope this will clear things up for you!
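A runnable illustration of the escape-on-output rule discussed above. This is an added example, not code from the thread or from CodeIgniter: html_escape() is a stand-in modelled on CodeIgniter's helper (htmlspecialchars with ENT_QUOTES), and form_input_stub() is a hypothetical stand-in for form_input() that mirrors the behaviour the thread describes (it escapes the value attribute itself). The posted value is constructed.

```php
<?php
// Added example (not from the thread or CodeIgniter). html_escape() here is a
// stand-in modelled on CodeIgniter's helper: htmlspecialchars with ENT_QUOTES.
function html_escape($var, $double_encode = true)
{
    if (is_array($var)) {
        return array_map('html_escape', $var);
    }
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
}

// Constructed user input, as $this->input->post('company_name') returns it: raw,
// unescaped, and containing markup an attacker would want rendered.
$posted = 'Smith & Sons <script>alert(1)</script>';

// Wrong flow: escape before storing. The database now holds entity-encoded
// text, and when the row is displayed later (escaped again, as every output
// should be) the entities get double-encoded: the user sees a literal "&amp;".
$stored_wrong    = html_escape($posted);
$displayed_wrong = html_escape($stored_wrong);

// Right flow: store the raw value (validate it with form_validation if you only
// accept digits, for example) and escape exactly once, at output time.
$stored_right    = $posted;
$displayed_right = html_escape($stored_right);

printf("stored (wrong):    %s\n", $stored_wrong);
printf("displayed (wrong): %s\n", $displayed_wrong);
printf("stored (right):    %s\n", $stored_right);
printf("displayed (right): %s\n", $displayed_right);

// Hypothetical stand-in for form_input(): builds the <input> tag and escapes
// every attribute value itself. This is why the value passed to form_input()
// must NOT be pre-escaped with html_escape(): the helper does it for you.
function form_input_stub(array $data)
{
    $attrs = '';
    foreach ($data as $key => $value) {
        $attrs .= sprintf(' %s="%s"', $key, html_escape($value));
    }
    return '<input type="text"' . $attrs . " />\n";
}

// Raw value in, safely escaped attribute out; no script tag survives.
echo form_input_stub(array(
    'name'  => 'company_name',
    'value' => $stored_right,
    'class' => 'form-control',
));
```

Run it with the PHP CLI and compare the two "displayed" lines: the pre-escaped row shows double-encoded entities, while the raw-stored row renders the ampersand correctly and neutralises the script tag with a single escape at the point of output.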

Messages In This Thread
HTML Escape on form helper - by ciIsAwesome - 12-01-2018, 03:50 AM
RE: HTML Escape on form helper - by jreklund - 12-01-2018, 09:29 AM
RE: HTML Escape on form helper - by ciIsAwesome - 12-01-2018, 11:18 AM
