Welcome Guest, Not a member yet? Register   Sign In
Redundant or Safer?
#1

[eluser]Jesse Schutt[/eluser]
Hello All,

I am collecting info from a form and posting it to my db using the following code. It occurred to me that the $post_data array that I have created might be redundant. Should I pass the _POST array to the model instead of writing my own $post_data array?

Code:
if ($this->validation->run() == FALSE)
        {
            $this->load->view('wt08/wt08_view');
        }                                
        else
        {
        
        $post_data = array(
            'first_name' => $this->input->post('first_name'),
            'last_name' => $this->input->post('last_name'),
            'gender' => $this->input->post('gender'),
            'address' => $this->input->post('address'),
            'city' => $this->input->post('city'),
            'state' => $this->input->post('state'),
            'zip' => $this->input->post('zip'),
            'camper_email' => $this->input->post('camper_email'),
            'birthdate' => $this->input->post('birthdate'),
            'age_at_time_of_camp' => $this->input->post('age_at_time_of_camp'),
            'first_time_camper' => $this->input->post('first_time_camper'),
            'father_guardian' => $this->input->post('father_guardian'),
            'mother_guardian' => $this->input->post('mother_guardian'),
            'home_phone' => $this->input->post('home_phone'),
            'cell_phone' => $this->input->post('cell_phone'),
            'parent_email' => $this->input->post('parent_email'),
            'church_group' => $this->input->post('church_group'),
            'buddy_1' => $this->input->post('buddy_1'),
            'buddy_2' => $this->input->post('buddy_2'),
            'payment_pref' => $this->input->post('payment_pref'),
            'payment_received' => '0',
            'timestamp' => date("Y-m-d-h-i-s"),
            'additional_notes' => $this->input->post('additional_notes', TRUE)
            );


            $this->load->model('wt08/wt08_model', '', TRUE);
            $this->wt08_model->add_participant($post_data);

In other words, is this better practice? Is it safe?

Code:
if ($this->validation->run() == FALSE)
        {
            $this->load->view('wt08/wt08_view');
        }                                
        else
        {
        
            $this->load->model('wt08/wt08_model', '', TRUE);
            $this->wt08_model->add_participant(_POST);

Thanks in advance!

Jesse
#2

[eluser]SitesByJoe[/eluser]
If there were values in your post that you didn't want to pass to the db or any additional information alterations needed you would certainly want to create a new array.

This would typically follow up a successful validation check.
#3

[eluser]Jesse Schutt[/eluser]
Thanks for the thoughts! That makes good sense.

Right now the POST array contains all the information I want to drop into a new record in the DB. Does Codeigniter sanitize the POST array? I read in the docs that the keys to the POST array are cleaned, but it doesn't mention anything else...

Thanks!
#4

[eluser]meigwilym[/eluser]
The POST array accessed through
Code:
$this->input->post('value');
is sanitized.

The $_POST is left untouched.

http://ellislab.com/codeigniter/user-gui...input.html

Mei
#5

[eluser]Jesse Schutt[/eluser]
Mei,

Thanks! Let me make sure I am understanding what you are saying...

Code:
$this->input->('whatever_input_name_from_my_form_here');

Is that right? If so, that is what I was doing in my very first example. I am wondering if I can pass the entire $_POST variable to the method safely.

Thanks for your input!

Jesse
#6

[eluser]JoostV[/eluser]
If you use
Code:
$this->validation->whatever_input_name_from_my_form_here;
The values will also be affected by validation rules you specify, such as trim|htmlspecialchars|xss_clean
This gives you more control over sanitizing input.

However, if you're going to use input, it's
Code:
$this->input->post('whatever_input_name_from_my_form_here');
instead of
Code:
$this->input->('whatever_input_name_from_my_form_here');

Finally, even if CI sanitizes a lot of your input, you should still always sanitize input. For instance, if you execute
Code:
$this->db->where('id', $id);
$this->db->delete('mytable');
and $id is empty by mistake, you will delete all records from your table.
#7

[eluser]Rick Jolly[/eluser]
One thing to note is that validation works directly on the $_POST array and alters it according to your validation rules.

I agree that you should specify the $_POST variables you want to pass to the model. You can automate the process a bit. I'd prep the values using validation and then create a helper to pass only the fields defined in validation to the model.




Theme © iAndrew 2016 - Forum software by © MyBB