Best way to get validated form data into a database
#1

[eluser]McNoggin[/eluser]
I have only been using CI for a month or two, so I'm still pretty new at it. I was working on some forms today and realized I was writing more or less the same code over and over.

My controllers almost always do the following:
1. setup the validation rules
2. run the validation
3. build an array from the post data
4. pass the array into a model ($this->db->insert( 'tableName', $valPostData ), etc.)

I'd like to know if there is a way to skip step 3, or at least make it a single call instead of one line for each field. The form_validator already knows all of the fields I care about because I created rules for them in step 1. I'm not going to insert any data the user input into my database that hasn't been run through the validator.

My thinking (assuming it doesn't already exist and I just don't know about it) is to extend the form_validator and add a function that does this. Not sure of the variable names but more or less it would do the following:

Code:
// application/libraries/MY_Form_validation.php (CI 1.7 naming convention)
class MY_Form_validation extends CI_Form_validation
{
    // Return only the POST fields that have a validation rule declared.
    // In CI 1.7 the declared rules live in $this->_field_data, keyed by
    // field name; $this->CI is the controller instance the parent sets up.
    function getValidPostData()
    {
        $validPostData = array();
        foreach ($this->_field_data as $field => $rule)
        {
            $validPostData[$field] = $this->CI->input->post($field);
        }
        return $validPostData;
    }
}
That way I could take the array it returns and pass it right into my CRUD model. Has anyone else done something similar? Or are there any reasons not to do this (security or other)?
#2

[eluser]OES[/eluser]
If you are using 1.7, make the form fields arrays.

ie.

<input type="text" name="myform[first_name]">
<input type="text" name="myform[last_name]">

Then after the form_validation run the data will be ready for collection. So you can pass your insert like.

$this->db->insert('tableName', $this->input->post('myform'));

Hope this helps.
#3

[eluser]McNoggin[/eluser]
Thanks, if that works it would be much easier than what I'm doing currently. My only concern about using that is that it seems like a security risk. Say for example my users table has fields for id, name, group, email, birth_day, etc.

Now if I make a form that allows them to update their profile (email, bday, etc.). If I did it the way you suggested, wouldn't it be possible for an attacker to guess the database columns and send an extra field along to change it? So for example the form may have only had a field for email address, but they added one for the group, so now it would update their email address and allow them to become admins, etc.

That was my reason for thinking about only getting fields that had validation rules.
#4

[eluser]Pascal Kriete[/eluser]
You're right, you definitely want to filter what you're inserting. I use something similar to this (in an extended form validation class):
Code:
/**
 * Filters allowed post keys
 *
 * Keeps only the keys of $data for which a validation rule was declared
 * (in CI 1.7 those are the keys of $this->_field_data); anything else the
 * client sent is dropped. Requires array_intersect_key(), i.e. PHP >= 5.1.
 *
 * @access    public
 * @param     array  $data  raw post data
 * @return    array  cleaned array
 */
function filter_input_data($data)
{
    $allowed = $this->_field_data;
    return array_intersect_key($data, $allowed);
}

Then use it like this:
Code:
// the extended library is loaded as $this->form_validation in CI 1.7
$db_clean = $this->form_validation->filter_input_data($_POST);

[Edit: PHP >= 5.1 only]
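A framework-free illustration of the risk described in #3 and the allow-list filter posted in #4, added to this page as an example and not taken from the thread or from CodeIgniter itself. It builds a constructed $_POST that carries an extra group field the form never rendered, then shows the difference between merging every POST key into the user row and merging only the keys that have a validation rule. The $rules array and the function names (filter_to_rules, apply_profile_update_*) are made up for the example; in CI 1.7 the real allow-list is the key set of Form_validation::$_field_data, which is what #4's filter_input_data uses.

```php
<?php
// Added example (not code from the thread). Framework-free sketch of the
// mass-assignment problem and the allow-list fix. All names below are
// invented for illustration and the $_POST contents are constructed.

// The validation rules the controller declared for the profile form.
// In CI 1.7 these would be the keys of Form_validation::$_field_data;
// here they are a plain array so the script runs stand-alone.
$rules = array(
    'email'     => 'required|valid_email',
    'birth_day' => 'required',
);

// Vulnerable: trust every POST key. Any column name the client guesses
// and appends to the request reaches the UPDATE.
function apply_profile_update_unsafe(array $user, array $post)
{
    return array_merge($user, $post);
}

// Hardened: keep only keys that have a validation rule (array_intersect_key,
// PHP >= 5.1). Submitted keys without a rule are dropped; keys with a rule
// that were not submitted are simply absent, so no FALSE/NULL is written to
// a column the user left out.
function filter_to_rules(array $post, array $rules)
{
    return array_intersect_key($post, $rules);
}

function apply_profile_update_safe(array $user, array $post, array $rules)
{
    return array_merge($user, filter_to_rules($post, $rules));
}

// Constructed request: the form only rendered email and birth_day, but the
// attacker appended group=admin to the submitted body.
$_POST = array(
    'email'     => 'mallory@example.com',
    'birth_day' => '1990-01-01',
    'group'     => 'admin',
);

// Constructed existing row for the logged-in user.
$user = array(
    'id'        => 42,
    'name'      => 'mallory',
    'group'     => 'user',
    'email'     => 'old@example.com',
    'birth_day' => '',
);

$unsafe = apply_profile_update_unsafe($user, $_POST);
$safe   = apply_profile_update_safe($user, $_POST, $rules);

printf("unsafe path: group=%s\n", $unsafe['group']);
printf("safe path:   group=%s\n", $safe['group']);
printf("columns the safe path would update: %s\n",
    implode(', ', array_keys(filter_to_rules($_POST, $rules))));
```

Run as-is, the unsafe path reports group=admin and the safe path reports group=user, with only email and birth_day reaching the update. Two practical caveats: apply the filter after form_validation's run() has returned TRUE, not before, or unvalidated values still go through; and if the form uses nested names as in #2 (myform[first_name]), the rule keys in CI 1.7 are the full bracketed strings, so array_intersect_key has to be run against the sub-array with matching keys rather than against $_POST directly.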
#5

[eluser]OES[/eluser]
Yes, correct, and as per what inparo has said.

I do something very similar. In the model I check for unwanted data etc.

Good Luck
