Questions about xss_clean
#1

[eluser]Kenny[/eluser]
Hello,

I used to use mysql_real_escape_string() to escape input strings in my MySQL queries.

Since I have problems using this function with <textarea>s (because it is escaping new lines and shows \n\r even if my global xss filtering is set to false), I'd like to use the xss_clean function.

But I'd like to know what xss_clean() really does, because I tried to echo some xss_cleaned strings and it doesn't seem to do anything. Is it normal?

Do I have to use it like this: load the security library first and then call $this->security->xss_clean($str)?

Thank you.
#2

[eluser]MiniGod[/eluser]
mysql_real_escape_string() is not for xss.

Anyways, try using one of these: (look at the user guide: http://ellislab.com/codeigniter/user-gui...eries.html)
Code:
$this->db->escape();          // escapes the value and wraps it in quotes, ready to drop into a query
$this->db->escape_str();      // escapes only, without adding the surrounding quotes
$this->db->escape_like_str(); // like escape_str(), and also escapes the LIKE wildcards % and _
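To make the point concrete, here is an added example (not from this thread and not CodeIgniter's own code) that runs one textarea submission through the two contexts: the SQL query, where $this->db->escape() or a bound parameter belongs, and the HTML output, which is where XSS is actually addressed. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database in place of MySQL; the sample input is constructed.

```php
<?php
// Added example (not from the thread): one textarea submission handled in
// two contexts. SQL escaping (mysql_real_escape_string(), CodeIgniter's
// $this->db->escape()) protects the query only; escaping the HTML output is
// what addresses XSS. In-memory SQLite via PDO stands in for MySQL.

// Constructed sample input: two lines and a script tag, as a browser sends it.
$submitted = "first line\r\nsecond line <script>alert(1)</script>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// SQL context: a bound parameter carries the value as data, so quotes and
// newlines reach the database untouched. $this->db->insert() or
// $this->db->escape() play the same role in CodeIgniter.
$stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
$stmt->execute([':body' => $submitted]);

$stored = $db->query('SELECT body FROM posts WHERE id = 1')->fetchColumn();

// The newlines survive the round trip. A literal "\n" or "\r\n" in stored
// text means the value was escaped twice, or escaped for the wrong context.
if ($stored !== $submitted) {
    throw new RuntimeException('stored value was altered');
}

// HTML context, inside a <textarea>: escape the special characters only;
// the browser keeps the newlines.
function render_textarea(string $text): string
{
    return '<textarea name="body">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// HTML context, in the page body: escape first, then turn newlines into <br>.
// Calling nl2br() before htmlspecialchars() would escape the <br> tags too.
function render_body(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

echo render_textarea($stored), "\n";
echo render_body($stored), "\n";
// Both print &lt;script&gt; instead of a live tag; render_body() also emits
// "first line<br />" before the line break.
```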
#3

[eluser]Kenny[/eluser]
It seems to work pretty well. Do you advise me to change all mysql_real_escape_string() calls to $this->db->escape()?

And by the way, is there a clean solution to convert \n to new lines in textareas?

Thanks!