Safe data from database

#1
[eluser]Jagar[/eluser]
Is there any way to return safe data from the database in CI? I tried to insert something with quotes; it does insert properly using the mysql_real_escape_string function, but when getting it back, the form does not display properly.

Thanks

#2
[eluser]janogarcia[/eluser]
Hi,

Have you tried using the Form helper to generate your form fields or alternatively the form_prep() function?

#3
[eluser]Thorpe Obazee[/eluser]
[quote author="Jagar" date="1242948503"]Is there any way to return safe data from the database in CI? I tried to insert something with quotes; it does insert properly using the mysql_real_escape_string function, but when getting it back, the form does not display properly.

Thanks[/quote]

How does it 'not display properly'?

#4
[eluser]Jagar[/eluser]
The site is on an intranet, and not many people will be using it, but there are stupid people who will mess with it and will do anything to crash it.

I have a form (not using the form helper); it adds certain data, so I was inserting the weirdest strings I could think of, such as
Code:
[removed]
something like that. Using the mysql_real_escape_string function, it will only escape the double quote. So I'm asking for a way to insert the data safely into the database, which it does, and then retrieve it for display. I found the htmlspecialchars function and the htmlentities function, which do the job; is there a better way than using those functions in CI?

Thanks!

#5
[eluser]Jagar[/eluser]
I didn't know it would remove JavaScript; what I had was JavaScript tags with no closing double quote.

#6
[eluser]Jagar[/eluser]
I will try form_prep, and see how it goes.

#7
[eluser]Tom Schlick[/eluser]
Google the htmlpurifier; it has a lot of options for escaping things and replacing them with entities. It can easily be dropped in as a CI library.

#8
[eluser]Jagar[/eluser]
About form_prep: if I apply form_prep() to results coming from the database and then load them into the form, for editing for example,

is it going to change them back to normal HTML, or will they be saved as whatever form_prep changed them to?
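The question in posts #4 and #8 comes down to where escaping happens. The following is an added example, not code from this thread or from CodeIgniter: it stores the raw string, escapes it only when the edit form is rendered, and shows why escaping a second time (before storage and again in the view) is the thing to avoid. It uses plain htmlspecialchars() instead of CI's form_prep() so it runs without the framework; the function names are made up for the example.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Store the raw value, escape it for HTML at output time, and do not
// escape it a second time. CodeIgniter's form_prep() applies comparable
// escaping; plain htmlspecialchars() is used here so this runs stand-alone.

// Escape a value for use inside a quoted HTML attribute.
// ENT_QUOTES covers both quote styles, so the value cannot end the attribute.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The problem from post #4: concatenating the raw value. The first double
// quote in the value closes the attribute and the rest becomes markup.
function renderInputUnsafe(string $name, string $storedValue): string
{
    return '<input type="text" name="' . $name . '" value="' . $storedValue . '">';
}

// Hardened version: escaping happens here, in the view, not when the
// value is written to the database.
function renderInput(string $name, string $storedValue): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($storedValue) . '">';
}

// Stand-in for what the browser does: it decodes entities in the attribute,
// so the text the user sees and resubmits is the original value.
function browserDecodes(string $attrValue): string
{
    return html_entity_decode($attrValue, ENT_QUOTES, 'UTF-8');
}

// Constructed sample of the kind of input from post #4 (quotes, script tags).
$stored = 'He said "hi" & <script>alert(1)</script> it\'s fine';
echo renderInputUnsafe('title', $stored), PHP_EOL;
echo renderInput('title', $stored), PHP_EOL;

// Round trip (post #8): decoding the escaped value yields the stored string
// unchanged, so saving the resubmitted form does not alter the database row.
$resubmitted = browserDecodes(attr($stored));
echo ($resubmitted === $stored ? 'round trip ok' : 'round trip changed value'), PHP_EOL;

// The pitfall: escaping before storage and again in the view double-encodes,
// and the form then shows literal entities such as &quot; to the user.
$doubleEscaped = attr(attr($stored));
echo (browserDecodes($doubleEscaped) === $stored ? 'ok' : 'double-encoded, user sees entities'), PHP_EOL;
```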

