CodeIgniter - escaping values before inserting in database - single quotes issue
#1

[eluser]Zigson[/eluser]
I am having an issue with inserting a value into the database. Somehow my value gets wrapped in single quotes. The value is escaped properly, though.

Sample of value: Test " ' test
Sample of value inserted in db: 'Test \" \' test'

I am using Active Record:

Code:
$data = array(
    'some_value' => $this->db->escape($this->input->post('some_value')),
    ...
);

$this->db->insert('some_table', $data);

Any help much appreciated.
#2

[eluser]InsiteFX[/eluser]
Try using htmlentities
#3

[eluser]Zigson[/eluser]
Just doing it like this? Is this safe enough against SQL injections?

Code:
htmlentities($this->input->post('some_value'))
#4

[eluser]CroNiX[/eluser]
Using active record automatically escapes the values, so manually doing it will actually do it twice which will mess it up like you are seeing. You only need to manually escape when NOT using AR and using manual queries like using $this->db->query(manual_query); The manual for DB states this over and over at the bottom of most AR methods.

https://ellislab.com/codeigniter/user-gu...ecord.html
Quote:Note: All values passed to this function are escaped automatically, producing safer queries.
#5

[eluser]Zigson[/eluser]
CroNiX, thank you for your reply.

I have tried to insert the value in database using just

Code:
$this->input->post('some_value')

Result in database is: Test ” ’ test

Do you find this safe? Shouldn't quotes be prefixed with a slash sign?
#6

[eluser]InsiteFX[/eluser]
Code:
$this->input->post('some_value', TRUE)

XSS_Filtering
#7

[eluser]Zigson[/eluser]
I already have XSS enabled by default in configuration.

Thank you for your patience. But still, this does not resolve the unescaped chars in my value, does it?
#8

[eluser]CroNiX[/eluser]
That's why you should use htmlentities before inserting the HTML to convert them to trivial chars. They are escaped in the db; you just don't see the \ before the ' or " in the db or when outputting because they have already been escaped.
#9

[eluser]Zigson[/eluser]
So, this would be the proper solution?

Code:
$data = array(
    'some_value'     => htmlentities($this->input->post('some_value')),
);

$this->db->insert($this->db->table, $data);

My inserted result in db is:
Code:
Test " ' test
#10

[eluser]Zigson[/eluser]
I have played a bit with queries which could perform SQL injection.

I would say that it is safe to code with query bindings or active record functions (not all of them, see the documentation) because they automatically escape values.

Nevertheless, my inserted value in database is:
Test ” ’ test

And the code:

Code:
$data = array(
    'some_value' => $this->input->post('some_value'),
);

$this->db->insert($this->db->table, $data);

I did not use htmlentities() or htmlspecialchars().
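As an added example that is not code from the thread or from CodeIgniter itself, the stand-alone PHP script below models what CI 2.x Active Record does with a value. The model_* functions and the sample inputs are constructed for illustration; the real calls they imitate ($this->db->escape(), $this->db->insert() and $this->db->query() with ? bindings) are named in the comments. It reproduces the double-escaped value from post #1, the single-escaped result from posts #4 and #10, shows that an injection attempt stays inside one string literal, and applies HTML escaping at render time as a separate step from the SQL escaping discussed in post #8.

```php
<?php
// Added example, not CodeIgniter's own code. The model_* functions imitate
// what CI 2.x Active Record does with values so the thread's observations
// can be reproduced with `php example.php`; the real calls they stand in
// for are named in each comment.
declare(strict_types=1);

// Stands in for $this->db->escape_str() on the MySQL driver: backslash-escape
// the characters mysql_real_escape_string() escapes.
function model_escape_str(string $s): string
{
    return strtr($s, [
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ]);
}

// Stands in for $this->db->escape(): escape AND wrap in single quotes.
function model_escape(string $s): string
{
    return "'" . model_escape_str($s) . "'";
}

// Stands in for $this->db->insert($table, $data): the builder runs every
// value through escape() itself, whether or not the caller already did.
function model_insert(string $table, array $data): string
{
    $cols = implode(', ', array_keys($data));
    $vals = implode(', ', array_map('model_escape', array_values($data)));
    return "INSERT INTO $table ($cols) VALUES ($vals)";
}

// Stands in for $this->db->query($sql, $binds): each ? becomes escape(value).
function model_query(string $sql, array $binds): string
{
    foreach ($binds as $b) {
        $pos = strpos($sql, '?');
        $sql = substr_replace($sql, model_escape((string) $b), $pos, 1);
    }
    return $sql;
}

// What MySQL would store for a one-column INSERT built above: take the
// quoted literal and undo the backslash escaping.
function model_stored_value(string $sql): string
{
    preg_match('/VALUES \(\'(.*)\'\)$/s', $sql, $m);
    return strtr($m[1], [
        '\\\\' => '\\', "\\'" => "'", '\\"' => '"', '\\0' => "\0",
        '\\n' => "\n", '\\r' => "\r", '\\Z' => "\x1a",
    ]);
}

$input   = 'Test " \' test';                  // constructed sample, as in the thread
$hostile = "x'); DROP TABLE some_table; --";  // constructed injection attempt

// 1. Escaping by hand and then using Active Record: the value is escaped twice,
//    so the stored value is 'Test \" \' test', quotes and backslashes included.
$twice = model_insert('some_table', ['some_value' => model_escape($input)]);
echo "double-escaped SQL: $twice\n";
echo "stored:             " . model_stored_value($twice) . "\n";

// 2. Raw value into Active Record: escaped exactly once by the builder,
//    so the stored value is Test " ' test with no backslashes.
$once = model_insert('some_table', ['some_value' => $input]);
echo "AR SQL:             $once\n";
echo "stored:             " . model_stored_value($once) . "\n";

// 3. Hand-written SQL with ? bindings gives the same single escaping.
$bound = model_query('INSERT INTO some_table (some_value) VALUES (?)', [$input]);
echo "bound SQL:          $bound\n";

// 4. The injection attempt stays inside one string literal.
$safe = model_insert('some_table', ['some_value' => $hostile]);
echo "hostile SQL:        $safe\n";

// 5. HTML escaping is a separate concern, applied when the stored value is
//    rendered into a page; it is not a substitute for SQL escaping.
echo "rendered:           "
    . htmlspecialchars(model_stored_value($once), ENT_QUOTES, 'UTF-8') . "\n";
```

The first case prints the stored value wrapped in quotes with backslashes retained, which is exactly the symptom in post #1; the second and third cases store the plain text, because the single escaping is consumed by the SQL parser and never reaches the table. In a real CodeIgniter controller the same outcome comes from passing the unescaped value straight to $this->db->insert() or to $this->db->query() with bindings, and using $this->db->escape() only when concatenating a query by hand.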