[eluser]RaZoR LeGaCy[/eluser]
I am unsure how to properly make form variables safe to insert into databases.
How can I make this data safe to insert into the DB?
Code: $data = array(
'rid' => ''.$_POST['rid'].'' ,
'cat' => ''.$_POST['cat'].'' ,
'c_author' => ''.$_POST['c_author'].'' ,
'comment' => ''.$_POST['comment'].'' ,
'c_score' => ''.$_POST['c_score'].'' ,
'time' => ''.$_POST['time'].'' ,
'ip' => ''.$_POST['ip'].''
);
$this->db->insert('hellhorror_reviews_comments', $data);
redirect('movies/comments/'.$_POST['rid'].'/');
Thanks everyone,
I always get confused with this part.
[eluser]MattKern[/eluser]
This seems to be a pretty active debate here right now.
Just do a search for mysql_real_escape_string on the forum here and you will get a lot of hits.
[eluser]the real rlee[/eluser]
[quote author="RaZoR LeGaCy" date="1184659215"]I am unsure how to properly make form variables safe to insert into databases.
How can I make this data safe to insert into the DB?
Code: $data = array(
'rid' => ''.$_POST['rid'].'' ,
'cat' => ''.$_POST['cat'].'' ,
'c_author' => ''.$_POST['c_author'].'' ,
'comment' => ''.$_POST['comment'].'' ,
'c_score' => ''.$_POST['c_score'].'' ,
'time' => ''.$_POST['time'].'' ,
'ip' => ''.$_POST['ip'].''
);
$this->db->insert('hellhorror_reviews_comments', $data);
redirect('movies/comments/'.$_POST['rid'].'/');
Thanks everyone,
I always get confused with this part.[/quote]
Sure, check out CI's Validation Library in the User Guide for a more comprehensive way of validating your user input, or just use the 2nd parameter of the post function set to TRUE, $this->input->post('myval', TRUE), and CI will filter the input for commonly injected data. Anyway, do check out the User Guide.
[eluser]RaZoR LeGaCy[/eluser]
I am still lost here, but I tried anyway.
My new controller has:
Code: function submit_comment()
{
    $this->load->library('validation');
    $rules['comment'] = "required";
    $this->validation->set_rules($rules);
    if ($this->validation->run() == FALSE)
    {
        $this->load->view('movies/comments/'.$this->input->post('rid', TRUE).'/');
    }
    else
    {
        $data = array(
            'rid' => $this->input->post('rid', TRUE) ,
            'cat' => ''.$_POST['cat'].'' ,
            'c_author' => ''.$_POST['c_author'].'' ,
            'comment' => $this->db->escape($this->input->post('comment', TRUE)) ,
            'c_score' => ''.$_POST['c_score'].'' ,
            'time' => ''.$_POST['time'].'' ,
            'ip' => ''.$_POST['ip'].''
        );
        $this->db->insert('hellhorror_reviews_comments', $data);
        redirect('movies/comments/'.$this->input->post('rid', TRUE).'/');
    }
}
and the view has:
Code: <? $this->load->library('validation'); ?>
<?=$this->validation->error_string; ?>
<?=form_open('movies/submit_comment');?>
<?=form_hidden('c_author', getUserName());?>
<?=form_hidden('cat', '1');?>
<?=form_hidden('ip', $this->input->ip_address());?>
<?=form_hidden('rid', $this->uri->segment(3));?>
<?=form_hidden('time', mdate("%F %j, %Y"));?>
<table align="center"><tr valign="baseline"><td nowrap="nowrap" align="right">Username:</td>
<td><strong><?=getUserName()?></strong></td></tr>
<tr>
<td nowrap="nowrap" align="right">Score:<br />1 - 10</td>
<td>
<? $options = array('1'=>'1', '2'=>'2', '3'=>'3', '4'=>'4', '5'=>'5', '6'=>'6', '7'=>'7', '8'=>'8', '9'=>'9', '10'=>'10',);
echo form_dropdown('c_score', $options, '5');?>
1=Terrible and 5=Moderate and 10=Excellent</td></tr>
<tr>
<td nowrap="nowrap" align="right" valign="top">Comment:</td>
<td><? $data = array('name' => 'comment', 'id' => 'comment', 'cols' => '40', 'rows' => '9',);
echo form_textarea($data);?></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="center">
<?=form_submit('submit', 'Submit Comment');?>
</td></tr>
</table>
</form>
1.) I want to put validation on the form so that the comment text area is required, not left blank, and has a minimum of 40 characters.
2.) If the validation fails it must return to the same page with an error message.
3.) Data must be securely inserted and escaped.
Please help me out here guys, I have been trying but to no avail.
I know I am missing some important steps or order, but I keep getting lost on the security and validation part of CI.
Thanks in advance
[eluser]Rwin[/eluser]
According to the manual:
"Note: All values are escaped automatically producing safer queries."
So I guess using $this->db->insert('tablename', $_POST) is secure enough? Or do I have the wrong impression?
[eluser]RaZoR LeGaCy[/eluser]
That's exactly what confuses me.
[eluser]Rick Jolly[/eluser]
[quote author="Rwin" date="1185120979"]
So I guess using $this->db->insert('tablename', $_POST) is secure enough? Or do I have the wrong impression?[/quote]
Active Record will escape the data to protect the database from SQL injection. However, if a user entered that data it could still be dangerous if you ever need to display it. So you should also validate and prep the data. Use xss_clean or HTML Purifier to remove malicious code like JavaScript if you want to preserve HTML in the input. If you want to escape all HTML then use htmlspecialchars().
[eluser]Rwin[/eluser]
Now I'm confused... lol
If I use $this->db->insert('tablename', $_POST), the only problem I have now is how to display it correctly, right? Just use htmlspecialchars and then everything is all right... or did I misunderstand here?
[eluser]Rick Jolly[/eluser]
In most cases, yes. Just don't render any user input within JavaScript event handlers like onClick(), since htmlspecialchars() won't help in that case.
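A plain-PHP walk-through of the advice in the last two replies, added here as an illustration and not code from this thread or from CodeIgniter: validate the comment the way RaZoR's rules ask (required, 40-character minimum), insert with a parameterized query standing in for $this->db->insert(), then escape per output context, including the onClick case. It assumes the pdo_sqlite extension so it runs without a MySQL server.

```php
<?php
// Added illustration, not code from this thread or from CodeIgniter: plain PDO with an
// in-memory SQLite table (assumes the pdo_sqlite extension) stands in for Active Record.

// 1. Validate as RaZoR's rules ask: comment required and at least 40 characters; score 1-10.
function validate_comment(array $post): array {
    $errors = [];
    $comment = trim($post['comment'] ?? '');
    if ($comment === '') {
        $errors[] = 'The comment field is required.';
    } elseif (strlen($comment) < 40) {
        $errors[] = 'The comment must be at least 40 characters.';
    }
    $score = (string)($post['c_score'] ?? '');
    if (!ctype_digit($score) || (int)$score < 1 || (int)$score > 10) {
        $errors[] = 'The score must be a whole number from 1 to 10.';
    }
    return $errors;
}

// 2. Store with a parameterized query: the driver escapes the values for SQL, as
//    $this->db->insert() does, so wrapping them in $this->db->escape() is not needed.
function store_comment(PDO $db, array $post): void {
    $stmt = $db->prepare('INSERT INTO comments (rid, c_author, comment, c_score)'
                       . ' VALUES (:rid, :author, :comment, :score)');
    $stmt->execute([':rid' => (int)$post['rid'], ':author' => $post['c_author'],
                    ':comment' => $post['comment'], ':score' => (int)$post['c_score']]);
}

// 3. Escape on the way out, per context: htmlspecialchars() for HTML text and attributes,
//    JSON (with HTML-unsafe characters hex-escaped) plus htmlspecialchars() for a value that
//    lands inside an onclick handler, where htmlspecialchars() alone is not enough.
function render_comment(array $row): string {
    $flags = ENT_QUOTES | ENT_HTML5;
    $author = htmlspecialchars($row['c_author'], $flags, 'UTF-8');
    $text = htmlspecialchars($row['comment'], $flags, 'UTF-8');
    $js = json_encode($row['c_author'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $js = htmlspecialchars($js, $flags, 'UTF-8');
    return "<p><strong>$author</strong> (score {$row['c_score']}): $text</p>\n"
         . "<button onclick=\"reply($js)\">Reply</button>\n";
}

// Constructed sample submission with characters that matter in each context.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, rid INTEGER, c_author TEXT, comment TEXT, c_score INTEGER)');
$post = ['rid' => '7', 'c_author' => "O'Brien <b>", 'c_score' => '8',
         'comment' => "Great film, the ending's \"twist\" isn't what you expect & it holds up."];
if ($errors = validate_comment($post)) { echo implode("\n", $errors), "\n"; exit(1); }
store_comment($db, $post);
foreach ($db->query('SELECT * FROM comments') as $row) { echo render_comment($row); }
```

In CodeIgniter the same three steps map to the Validation library rules (required|min_length[40]), $this->db->insert(), and htmlspecialchars() (or xss_clean) in the view.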