Doesn't active record sanitize input anymore?
#1

[eluser]FinalFrag[/eluser]
I have a textfield on a form.
When I click submit, I retrieve the information in my controller using
Code:
$this->input->post('textfield');

Then I use a model (with active record) to store the input in a database.

My problem is: when I enter
Code:
<b>hello</b><i>world</i>

in the textfield... it doesn't get escaped...

Did they remove the auto-escape feature from CI in 1.7 or am I doing something else wrong?

Thanks
#2

[eluser]Armchair Samurai[/eluser]
Active record sanitizes for SQL injection only AFAIK. Simple HTML tags like that don't qualify.
#3

[eluser]FinalFrag[/eluser]
If I enter
Code:
' this " is < some > text '
it gets inserted just like that... while SQL injection protection should make the ' into \' for example.
#4

[eluser]Armchair Samurai[/eluser]
I just ran a few variations of that string and AR escaped them each time with no trouble. Odd that you're having trouble.

Can you post your code for others to take a look at?
#5

[eluser]FinalFrag[/eluser]
I now have the following code in my model

Code:
$name = "this should <b>get</b> ' escaped";

$this->db->set('userId', $userId);
$this->db->set('name', $name);
$this->db->insert('todoLists');

When I execute that, it just gets put in the database like that... unescaped.
So the problem seems to be located in the model :S
#6

[eluser]FinalFrag[/eluser]
I have made a new controller and model, just to test this. I will share the code with you, maybe this helps you guys to solve my problem.

Controller: todoManagement.php
Code:
<?php
class TodoManagement extends Controller {

    function TodoManagement()
    {
        parent::Controller();
        $this->load->model('Testmodel');
    }

    function index()
    {
        // Write something to the testmodel
        $this->Testmodel->write("' this should <b>get</b> ' filtered '");
    }
}

Model: testmodel.php
Code:
<?php
class Testmodel extends Model {

    function Testmodel()
    {
        // Call the Model constructor
        parent::Model();
    }

    function write($string)
    {
        $this->db->set('userId', 1);
        $this->db->set('name', $string);
        $this->db->insert('finalfrag_todoLists');
    }
}

When I execute this code by visiting www.myurl.com/todoManagement the following gets put in the database:
Code:
1
' this should <b>get</b> ' filtered '

But that's not what I want to be written to the database (for SQL injection reasons). What I want is
Code:
1
\' this should &lt;b&gt;get&lt;/b&gt; \' filtered \'

My test code was done on the same CI install as my previous posts... I will go and test it on a different install...

If you can spot my mistake... please help me...
#7

[eluser]m4rw3r[/eluser]
Check the query in the profiler, if it is escaped there then all is good.

When you fetch the data from the db it won't be escaped, because you don't want to have all those backslashes.
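Added example (not code from the thread or from CodeIgniter) that shows the two points made in #2 and #7 side by side: the escaping Active Record applies lives only in the SQL text and is gone once the value is stored, and escaping HTML is a separate step that belongs at output time. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; SQLite's driver doubles the quote (`''`) where MySQL's writes `\'`, but the behaviour is otherwise the same. The table name and the input string are taken from the thread.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// PDO + in-memory SQLite so it runs stand-alone (php this_file.php).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE todoLists (userId INTEGER, name TEXT)');

// Constructed input: the same string FinalFrag used in the test model.
$input = "' this should <b>get</b> ' filtered '";

// 1. What Active Record does for you: turn the value into a valid SQL string
//    literal. The escaping exists only in the query text, which is why it shows
//    up in the profiler but not in phpMyAdmin.
$sql = 'INSERT INTO todoLists (userId, name) VALUES (1, ' . $pdo->quote($input) . ')';
echo $sql, PHP_EOL;
$pdo->exec($sql);

// 2. What the database stores: the original bytes, with no backslashes or
//    doubled quotes. Escaping is how the value travels inside SQL, not what is
//    kept. Comparing against the original input proves the round trip is lossless.
$stored = $pdo->query('SELECT name FROM todoLists WHERE userId = 1')->fetchColumn();
var_dump($stored === $input);

// 3. The same protection with a prepared statement: the value never becomes
//    part of the query text, so there is nothing to escape at all.
$stmt = $pdo->prepare('INSERT INTO todoLists (userId, name) VALUES (?, ?)');
$stmt->execute([2, $input]);
$storedViaPrepare = $pdo->query('SELECT name FROM todoLists WHERE userId = 2')->fetchColumn();
var_dump($storedViaPrepare === $input);

// 4. Escaping for HTML is a different concern, applied when the value is
//    rendered in a page rather than when it is saved. Keeping the raw string in
//    the table leaves it usable in other contexts (JSON, e-mail, CSV), and
//    escaping at output is what stops the stored <b> tags and quotes from being
//    interpreted by the browser.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Running it prints the quoted INSERT, `bool(true)` twice, and the HTML-escaped form of the stored value. The thing to take away is that the SQL-escaped and HTML-escaped forms are both views of the same stored string, produced at the boundary where the string is about to be interpreted; neither one is what should be in the table.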
#8

[eluser]FinalFrag[/eluser]
I'm not fetching it from the database, I was actually looking at it in phpMyAdmin.
I'll try the profiler thing.
#9

[eluser]FinalFrag[/eluser]
Guess I was being worried over nothing. The profiler revealed:

Code:
INSERT INTO `finalfrag_todoLists` (`userId`, `name`) VALUES (1, '\' this should <b>get</b> \' filtered \')

Although I have 1 more minor question about this. It opens the 'name' in the query with a single quote, but it is never closed... Could someone tell me if this is an error still or just normal behaviour...
#10

[eluser]FinalFrag[/eluser]
Oh, that seems to be a bug in the profiler...
When I copy that query and paste it into phpMyAdmin, it doesn't work...
