Is htmlspecialchars & mysql_real_escape_string necessary with the input class ?
#1

[eluser]pyrokinesis[/eluser]
Hi everyone,

I'm wondering whether the 'htmlspecialchars' & 'mysql_real_escape_string' functions are necessary (when posting input into the DB) when using the CI Input class, or will the Input class do it all for me already?

Code:
function clean_post($element)
{
  // ci() is the poster's helper that returns the CodeIgniter instance
  $data = ci()->input->post($element);
  if(!empty($data))
  {
    $data = htmlspecialchars($data);          // HTML-escape the value
    $data = mysql_real_escape_string($data);  // SQL-escape the value
    return $data;
  }
  return '';
}

Thanks
#2

[eluser]toopay[/eluser]
If you use $this->input or AR, yes.
#3

[eluser]pyrokinesis[/eluser]
Hey toopay,

Thanks for the reply... So yup, they are necessary? Or nope, I don't need the htmlspecialchars/mysql_real_escape_string functions if I use AR & the Input class?

Thanks
#4

[eluser]osci[/eluser]
nope
#5

[eluser]pyrokinesis[/eluser]
Danke
#6

[eluser]InsiteFX[/eluser]
If you use:
Code:
$this->input->post('some_data');        // value is returned without XSS filtering

// you need to use the second parameter for protection if global XSS Filtering is not used!
$this->input->post('some_data', TRUE);  // value is passed through the XSS filter

Read this!

Input Class

InsiteFX
#7

[eluser]toopay[/eluser]
Let me repeat. If you use $this->input (and set TRUE as the second parameter) or AR (CI Active Record), yes, the Input class and the AR do it all for you already.
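To show what the answers above amount to in practice, here is an added example (not code from the thread or from CodeIgniter itself) of a model that relies on the Input class and Active Record instead of the manual htmlspecialchars/mysql_real_escape_string pair; the table name 'comments' and the field names are assumptions.

```php
<?php
// Added example: the thread's helper rewritten to use the CI Input class
// and Active Record. Table 'comments' and its columns are assumed.
class Comment_model extends CI_Model
{
    // Read a POST field. TRUE as the second parameter runs the XSS filter
    // on the value (as InsiteFX notes); it is only redundant when global
    // XSS filtering is switched on in config.php.
    private function post_field($name)
    {
        $value = $this->input->post($name, TRUE);   // FALSE if the field is absent
        return ($value === FALSE) ? '' : trim($value);
    }

    public function add_comment()
    {
        $row = array(
            'author' => $this->post_field('author'),
            'body'   => $this->post_field('body'),
        );

        if ($row['author'] === '' || $row['body'] === '')
        {
            return FALSE;
        }

        // Active Record builds the INSERT and escapes every value through
        // the active database driver, so no mysql_real_escape_string() call
        // is needed here (and none would match a non-mysql driver anyway).
        $this->db->insert('comments', $row);
        return $this->db->insert_id();
    }

    public function get_comments()
    {
        // Escape for HTML at output time, not at storage time, so the stored
        // text can also be used in non-HTML contexts (JSON, e-mail, CSV).
        $this->db->order_by('id', 'DESC');
        $query = $this->db->get('comments');
        $rows  = array();
        foreach ($query->result_array() as $r)
        {
            $r['author'] = htmlspecialchars($r['author'], ENT_QUOTES, 'UTF-8');
            $r['body']   = htmlspecialchars($r['body'], ENT_QUOTES, 'UTF-8');
            $rows[] = $r;
        }
        return $rows;
    }
}
```

Note that the XSS filter and the database escaping address two different problems: the filter targets script injection in browser output, while Active Record's escaping targets SQL injection, so neither replaces the other.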
#8

[eluser]pyrokinesis[/eluser]
Thanks for the replies guys, never can be too sure