prep_for_form vs htmlentities
#1

[eluser]veliscorin[/eluser]
Before I used CodeIgniter, I used to do an htmlentities() on my entries into the database so that all chars become their HTML form inside the database. Now that I use the validation class for CI, do I still have to do it that way?

Without doing any native PHP functions, the queries work as usual, but in the database it's stored as "&" and "<" etc. instead of &amp; and &lt;

In the first place, am I thinking the right way?
Hope you guys can advise me on my thinking.

Cheers!
Velis
#2

[eluser]Vince Stross[/eluser]
If you use the CI database class to construct your queries you shouldn't have any trouble. I have written an entire CMS system with CI and the only thing I use is form_prep() for output when doing something like this:

Code:
<input type="text" ... value="<?=form_prep($variable)?>" />

In other words - IMHO it's an unnecessary precaution if you're using the active record query constructors, but otherwise you will need to handle this on your own - yes.

(along with XSS filtering, of course)
#3

[eluser]Chris Newton[/eluser]
Just to clarify what Ishmael said, the Active Record Class (http://ellislab.com/codeigniter/user-gui...ecord.html) will sanitize your data for you.

Code:
Note: All values are escaped automatically producing safer queries.
#4

[eluser]Vince Stross[/eluser]
Well said ;)
#5

[eluser]veliscorin[/eluser]
Thanks for the reply guys!
That's the beauty of CI, it handles all the sanitizing of the input to the database...

All along I thought the validation rule "prep_for_form" would have converted it into the HTML entities instead of the literal "&<>" etc. chars.

So now, am I right to say that once you do a prep_for_form validation rule, when you display the information in your views, you still have to run form_prep()? (If you didn't use any of the form helpers to generate the HTML, that is)
#6

[eluser]Vince Stross[/eluser]
Good question - I've not used the prep_for_form rule ... let me know what you find!
#7

[eluser]sszynrae[/eluser]
Maybe this interests you:
1. Enabling global XSS filtering automatically converts HTML entities on insert.
2. html_entity_decode() reverses the effect so your HTML gets read.
3. Whatever the validation rule does, it does not convert &<>
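The split the thread settles on, shown as an added example that is not code from this thread or from CodeIgniter: keep raw "&<>" in the database by letting a parameterised query handle SQL escaping, and escape only when the value is rendered into HTML. It assumes PHP with the PDO SQLite driver; escape_for_html() stands in for CI's form_prep() so the script runs without the framework.

```php
<?php
// Added example (not from the thread or CodeIgniter). Assumes the PDO SQLite
// driver; the table and the input string are constructed for the demo.

// Escape a value for an HTML attribute or element body. This is the job
// form_prep() does in CI; htmlspecialchars() is used so it runs stand-alone.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT)');

// Constructed input with the characters the thread is worried about.
$title = 'Tom & Jerry <script>alert(1)</script> "quoted"';

// Storage: the bound placeholder takes care of SQL escaping, so the text is
// stored verbatim (what the active record class does for you). No
// htmlentities() at this stage.
$stmt = $db->prepare('INSERT INTO entries (title) VALUES (:title)');
$stmt->execute([':title' => $title]);

$stored = $db->query('SELECT title FROM entries')->fetchColumn();
var_dump($stored === $title);   // the raw "&<>" round-trips unchanged

// Output: escape at the point the value enters the HTML, and only there.
echo '<input type="text" value="' . escape_for_html($stored) . '" />', PHP_EOL;

// The pre-CI habit (entities stored in the database) combined with escaping on
// output double-encodes: "&" becomes "&amp;amp;" and the visitor sees "&amp;".
$double_encoded = escape_for_html(htmlentities($title, ENT_QUOTES, 'UTF-8'));
echo $double_encoded, PHP_EOL;
```

Run it with `php example.php`; the first echo is what form_prep() in a view would produce, the second shows why entity-encoding before storage is a problem rather than a precaution.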