Forms, loading data and updating database..
#1

[eluser]julgus[/eluser]
With this code I fetch some data:
Code:
// look up the row belonging to the partner id stored in the session
$query = $this->db->query("select * from atable where id={$this->session->userdata('partner_id')}");
if ($query->num_rows() > 0)
    $partner_info = $query->row_array();

I then call a view:

Code:
if ($this->form_validation->run() == FALSE)
{
    $this->load->view('aview', $partner_info);
}
else
{
    // copy the whole POST array and drop the id field before building the update
    $sqlstr = $_POST;
    unset($sqlstr['id']);
    $str = $this->db->update_string('atable', $sqlstr, "id={$this->session->userdata('partner_id')}");

    echo $str;

    //$this->db->query($str);
    //redirect('/partner');
}

I want to use update_string and therefore I use the $_POST array, which I clean of unwanted elements using the unset function. Is this a proper way of doing things?

Furthermore, I tried to use the set_value function in my form after passing the above query result. This didn't work: the function didn't return any data. Is it supposed to work like this?

Regards
Johan
#2

[eluser]lmv4321[/eluser]
It is very unsafe to insert data into your tables straight from the $_POST array (see XSS attacks). You should use the $this->input->post() function which makes sure the data is defined and clean. See http://ellislab.com/codeigniter/user-gui...input.html for more details.

So, to use:
Code:
if ($this->form_validation->run() == FALSE)
{
    $this->load->view('aview', $partner_info);
}
else
{
    // assumes fields of name, address, city, state, zip
    // replace with your field names
    // only these named fields can reach the update; anything else in POST is ignored
    $sqlstr = array(
        'name'    => $this->input->post('name', TRUE),
        'address' => $this->input->post('address', TRUE),
        'city'    => $this->input->post('city', TRUE),
        'state'   => $this->input->post('state', TRUE),
        'zip'     => $this->input->post('zip', TRUE),
    );
    $str = $this->db->update_string('atable', $sqlstr, "id={$this->session->userdata('partner_id')}");

    echo $str;

    //$this->db->query($str);
    //redirect('/partner');
}
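To show why the allow-list in the answer above matters, here is an added example that is not from either poster and not CodeIgniter code: framework-free PHP (7.4+) that compares "copy $_POST and unset one key" with keeping only named columns, using a constructed POST body that carries a field the form never defined (the column name `unexpected_column` and the table name `atable` are assumptions).

```php
<?php
/**
 * Return only the allowed columns from the submitted data.
 * Any key not in $allowed is dropped, so extra fields in the request
 * can never become SET clauses in the UPDATE statement.
 */
function whitelist_fields(array $submitted, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $column) {
        if (array_key_exists($column, $submitted)) {
            $clean[$column] = trim((string) $submitted[$column]);
        }
    }
    return $clean;
}

// Constructed sample POST body: the expected fields plus two keys the form
// never defined ('id', which the original post removes by hand, and
// 'unexpected_column', which unset() on 'id' alone lets through).
$post = [
    'name'              => 'Example Partner',
    'address'           => '1 Example Street',
    'city'              => 'Exampleville',
    'state'             => 'EX',
    'zip'               => '00000',
    'id'                => '999',
    'unexpected_column' => 'value the form never asked for',
];

// Original approach: copy everything, then remove one known key.
// 'unexpected_column' survives and would be written to the table.
$mass = $post;
unset($mass['id']);

// Allow-list approach from the answer: only named columns are kept.
$allowed = ['name', 'address', 'city', 'state', 'zip'];
$safe = whitelist_fields($post, $allowed);

// Build the SET clause with one bound placeholder per column; the column
// names come from the allow-list, never from the request.
$set = implode(', ', array_map(fn($c) => "`$c` = :$c", array_keys($safe)));
$sql = "UPDATE atable SET $set WHERE id = :partner_id";

echo "mass-assign keys: " . implode(', ', array_keys($mass)) . PHP_EOL;
echo "allow-list keys:  " . implode(', ', array_keys($safe)) . PHP_EOL;
echo $sql . PHP_EOL;
```

Running it prints the two key lists side by side, which makes the difference between the two approaches visible before any SQL is executed.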