Validation prep_for_form

[eluser]Aaron L.[/eluser]

I am trying to submit my form to a function which validates my form before inserting it into the DB. In this function, I am attempting to use prep_for_form (documentation). The problem is, when I fill-in the form with something like "I'm", I still get an SQL error because the ' is there.

Here is my code:

    //set the validation rules
    $rules['subject'] = "prep_for_form|required|xss_clean";
    $rules['message'] = "prep_for_form|required|xss_clean";
    $rules['to_nick'] = "trim|required|xss_clean";
    //set field names for validation error messages
    $fields['subject'] = 'Subject';
    $fields['message'] = 'Message';
    $fields['to_nick'] = 'To Nickname';

    if ($this->validation->run() == FALSE)
    {
        echo "Error";
    }
    else
    {
        //the values are interpolated straight into the SQL string
        $this->db->query("INSERT INTO messages (subject, message) VALUES ('$subject','$message')");

        echo "SUCCESS!!";
    }

Do you know what's going on here? I'm stumped...


[eluser]Christopher Blankenship[/eluser]
htmlspecialchars? For converting the single quote.
Quote: "Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc."
from: http://www.ellislab.com/codeigniter/user...ation.html

I don't see where you're defining $subject and $message variables. Could that be part of the problem?

[eluser]Rick Jolly[/eluser]
It is the job of the database library to escape SQL.

Either use Active Record or query bindings and the SQL will be escaped automatically.

// query bindings
$sql = "INSERT INTO messages (subject, message) VALUES (?,?)";
$this->db->query($sql, array($subject,$message));

// active record
$this->db->insert('messages', array('subject' => $subject, 'message' => $message));
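
A stand-alone illustration of the point above, added here and not taken from the thread or from CodeIgniter: it uses PDO with an in-memory SQLite database instead of the CodeIgniter DB class so it runs by itself, and its `?` placeholders play the same role as CodeIgniter's query bindings.

```php
<?php
// Added example (not from the thread): shows why escaping belongs in the DB layer.
// Uses PDO + in-memory SQLite so it runs stand-alone; the ? placeholders mirror
// CodeIgniter's $this->db->query($sql, array(...)) query bindings.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE messages (subject TEXT, message TEXT)");

// Constructed input containing the apostrophe from the original post.
$subject = "I'm";
$message = "Hello, it's me";

// 1) Interpolating the values into the SQL string: the apostrophe closes the
//    string literal early and the statement is no longer valid SQL.
try {
    $pdo->exec("INSERT INTO messages (subject, message) VALUES ('$subject','$message')");
    echo "interpolated insert: ok (unexpected)\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: " . $e->getMessage() . "\n";
}

// 2) prep_for_form / htmlspecialchars only changes how a value is displayed in
//    HTML; it neither makes the string safe to splice into SQL nor gives you
//    the value you actually want stored.
$encoded = htmlspecialchars($subject, ENT_QUOTES); // "I&#039;m"
echo "htmlspecialchars gives: $encoded (not what should be stored)\n";

// 3) Query bindings: the driver sends the values separately from the SQL text,
//    so any character in the data is stored exactly as entered.
$stmt = $pdo->prepare("INSERT INTO messages (subject, message) VALUES (?, ?)");
$stmt->execute(array($subject, $message));

$row = $pdo->query("SELECT subject, message FROM messages")->fetch(PDO::FETCH_ASSOC);
var_dump($row['subject'] === "I'm"); // bool(true): stored as-is, no SQL error
```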

[eluser]Aaron L.[/eluser]
Thanks Rick! That is good to know. I've updated my code with an active record insert and it works fine. Thanks again!

[eluser]Aaron L.[/eluser]
Also, thanks to everyone else for helping.
