prep_for_form vs htmlentities
[eluser]veliscorin[/eluser]
Before I used CodeIgniter, I used to run htmlentities() on my entries before inserting them into the database, so that all special characters were stored in their HTML form. Now that I use the CI validation class, do I still have to do it that way? Without calling any native PHP functions the queries work as usual, but in the database the values are stored as "&" and "<" etc. instead of &amp; and &lt;. In the first place, am I thinking about this the right way? Hope you guys can advise me. Cheers! Velis
[eluser]Vince Stross[/eluser]
If you use the CI database class to construct your queries you shouldn't have any trouble. I have written an entire CMS system with CI and the only thing I use is form_prep() for output when doing something like this:

```php
<input type="text" ... value="<?=form_prep($variable)?>" />
```

In other words, IMHO it's an unnecessary precaution if you're using the Active Record query constructors, but otherwise you will need to handle this on your own, yes (along with XSS filtering, of course).
[eluser]Chris Newton[/eluser]
Just to clarify what Ishmael said: the Active Record class (http://ellislab.com/codeigniter/user-gui...ecord.html) will sanitize your data for you. From the user guide: "Note: All values are escaped automatically producing safer queries."
[eluser]veliscorin[/eluser]
Thanks for the reply guys! That's the beauty of CI, it handles all the sanitizing of the input to the database. All along I thought the validation rule "prep_for_form" would have converted the input into HTML entities instead of leaving the literal "&<>" etc. characters. So now, am I right to say that once you apply the prep_for_form validation rule, when you display the information in your views you still have to run form_prep()? (If you didn't use any of the form helpers to generate the HTML, that is.)
[eluser]Vince Stross[/eluser]
Good question. I've not used the prep_for_form rule; let me know what you find!
[eluser]sszynrae[/eluser]
Maybe this interests you:

1. Enabling global XSS filtering automatically converts HTML entities on insert.
2. html_entity_decode() reverses the effect so your HTML gets read.
3. Whatever the validation rule does, it does not convert &<>.
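The pattern the thread converges on, as an added, stand-alone example (not code from the thread and not CodeIgniter's own): keep the raw "&<>" in the database and escape for each sink separately. SQL escaping is done by a prepared statement (what Active Record does for you); HTML escaping is done at render time with htmlspecialchars(), playing the role of form_prep(). The last few lines show what you get if you also htmlentities() the value before storing it: a double-encoded attribute. The table name, the prepForAttr()/renderInput() helper names and the sample input string are assumptions for this example; it uses an in-memory SQLite database through PDO so it runs with no setup.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// Demonstrates: escape at the sink, not before storing.
declare(strict_types=1);

// Stand-in for form_prep(): encode the characters that matter inside an
// HTML attribute value. ENT_QUOTES covers both quote styles.
function prepForAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// In-memory SQLite database; "entries" is an assumed table name.
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Insert the raw string. The bound placeholder means the driver handles SQL
// escaping; no htmlentities() is needed (or wanted) at this point.
function insertEntry(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO entries (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchEntry(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Render the value into an input's value attribute, escaping once, here.
function renderInput(string $raw): string
{
    return '<input type="text" name="body" value="' . prepForAttr($raw) . '" />';
}

$db = setupDb();

// Constructed input: the characters asked about in the thread, plus quotes
// that would otherwise break out of the attribute.
$input = 'Tom & Jerry <b>bold</b> "quoted" O\'Brien';

$id  = insertEntry($db, $input);
$raw = fetchEntry($db, $id);

// The database holds & and <, not &amp; and &lt;; the value round-trips intact.
assert($raw === $input);
echo "stored as: $raw\n";

// Correct: escaped once, at output time.
echo renderInput($raw), "\n";

// Wrong: htmlentities() before storing plus escaping on output gives a
// double-encoded value (the browser then shows "&amp;" literally).
$doubleId = insertEntry($db, htmlentities($input, ENT_QUOTES, 'UTF-8'));
echo renderInput(fetchEntry($db, $doubleId)), "\n";
```

Run it with `php example.php`. The first rendered input is what form_prep() in a view would give you; the second is the result of the htmlentities-before-insert habit the original post describes, which is why storing raw text and escaping on output is the approach to keep.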