Form post to DB with safe inputs
#1

[eluser]RaZoR LeGaCy[/eluser]
I am unsure as how to properly make form variables safe to input into databases

How can I make this data safe to insert into the DB
Code:
$data = array(
               'rid' => ''.$_POST['rid'].'' ,
               'cat' => ''.$_POST['cat'].'' ,
               'c_author' => ''.$_POST['c_author'].'' ,
               'comment' => ''.$_POST['comment'].'' ,
               'c_score' => ''.$_POST['c_score'].'' ,
               'time' => ''.$_POST['time'].'' ,
               'ip' => ''.$_POST['ip'].''
            );

$this->db->insert('hellhorror_reviews_comments', $data);


redirect('movies/comments/'.$_POST['rid'].'/');

Thanx everyone,
I always get confused with this part.
#2

[eluser]MattKern[/eluser]
This seems to be a pretty active debate here right now.

Just do a search for mysql_real_escape_string on the forum here and you will get a lot of hits.

<edited>
#3

[eluser]the real rlee[/eluser]
[quote author="RaZoR LeGaCy" date="1184659215"]I am unsure as how to properly make form variables safe to input into databases

How can I make this data safe to insert into the DB
Code:
$data = array(
               'rid' => ''.$_POST['rid'].'' ,
               'cat' => ''.$_POST['cat'].'' ,
               'c_author' => ''.$_POST['c_author'].'' ,
               'comment' => ''.$_POST['comment'].'' ,
               'c_score' => ''.$_POST['c_score'].'' ,
               'time' => ''.$_POST['time'].'' ,
               'ip' => ''.$_POST['ip'].''
            );

$this->db->insert('hellhorror_reviews_comments', $data);


redirect('movies/comments/'.$_POST['rid'].'/');

Thanx everyone,
I always get confused with this part.[/quote]


Sure, check out CI's Validation Library in the User Guide for a more comprehensive way of validating your user input, OR just use the 2nd parameter of the post function set to TRUE: $this->input->post('myval', TRUE); and CI will filter the input for commonly injected data. Anyway, do check out the User Guide.
#4

[eluser]RaZoR LeGaCy[/eluser]
I am still lost here but I tried anyway

My new controller has
Code:
$this->load->library('validation');

$rules['comment'] = "required";

$this->validation->set_rules($rules);

if ($this->validation->run() == FALSE)
{
    $this->load->view('movies/comments/'.$this->input->post('rid', TRUE).'/');
}
else
{
    $data = array(
        'rid' => $this->input->post('rid', TRUE) ,
        'cat' => ''.$_POST['cat'].'' ,
        'c_author' => ''.$_POST['c_author'].'' ,
        'comment' => $this->db->escape($this->input->post('comment', TRUE)) ,
        'c_score' => ''.$_POST['c_score'].'' ,
        'time' => ''.$_POST['time'].'' ,
        'ip' => ''.$_POST['ip'].''
    );

    $this->db->insert('hellhorror_reviews_comments', $data);

    redirect('movies/comments/'.$this->input->post('rid', TRUE).'/');
}

}

and the view has
Code:
<? $this->load->library('validation'); ?>

<?=$this->validation->error_string; ?>

<?=form_open('movies/submit_comment');?>

<?=form_hidden('c_author', getUserName());?>

<?=form_hidden('cat', '1');?>

<?=form_hidden('ip', $this->input->ip_address());?>

<?=form_hidden('rid', $this->uri->segment(3));?>

<?=form_hidden('time', mdate("%F %j, %Y"));?>

<table align="center"><tr valign="baseline"><td nowrap="nowrap" align="right">Username:</td>
<td><strong><?=getUserName()?></strong></td></tr>
<tr>
<td nowrap="nowrap" align="right">Score:<br />1 - 10</td>
<td>
<? $options = array('1'=>'1', '2'=>'2', '3'=>'3', '4'=>'4', '5'=>'5', '6'=>'6', '7'=>'7', '8'=>'8', '9'=>'9', '10'=>'10',);
echo form_dropdown('c_score', $options, '5');?>
1=Terrible and 5=Moderate and 10=Excellent</td></tr>
<tr>
<td nowrap="nowrap" align="right" valign="top">Comment:</td>
<td><? $data = array('name' => 'comment', 'id' => 'comment', 'cols' => '40', 'rows' => '9',);
echo form_textarea($data);?></td>
</tr>
<tr valign="baseline">
<td colspan="2" align="center">

<?=form_submit('submit', 'Submit Comment');?>

</td></tr>
</table>
</form>

1.) I want to put validation on the form so that the comment text area must be required and not left blank, and must have a minimum of 40 characters.

2.) If the validation fails it must return to the same page with an error message.

3.)data must be securely inserted and escaped.

Please help me out here guys, I have been trying but to no avail.

I know I am missing some important steps or order but I keep getting lost on the security and validation part of CI.

Thanks in Advance
#5

[eluser]Rwin[/eluser]
According to the manual:
"Note: All values are escaped automatically producing safer queries."

So I guess using $this->db->insert('tablename', $_POST) is secure enough? Or do I have the wrong impression?
#6

[eluser]RaZoR LeGaCy[/eluser]
That's exactly what confuses me.
#7

[eluser]Rick Jolly[/eluser]
[quote author="Rwin" date="1185120979"]
So I guess by using $this->db->insert('tablename',$_POST) is secure enough? Or I make the wrong impression?[/quote]

Active Record will escape the data to protect the database from SQL injection. However, if a user entered that data, it could still be dangerous if you ever need to display it. So you should also validate and prep the data. Use xss_clean or HTML Purifier to remove malicious code like JavaScript if you want to preserve HTML in the input. If you want to escape all HTML, then use htmlspecialchars().
#8

[eluser]Rwin[/eluser]
Now I'm confused... lol

If I use $this->db->insert('tablename', $_POST), the only problem I have now is how to display it correctly, right? Just use htmlspecialchars and then everything's all right... or did I misunderstand here?
#9

[eluser]Rick Jolly[/eluser]
In most cases, yes. Just don't render any user input within JavaScript event handlers like onClick(), since htmlspecialchars() won't help in that case.
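One way to put the three steps from post #4 together with the display rule from posts #7 and #9, as an added example that is not code from the thread or from CodeIgniter itself; it assumes a 'movies/comment_form' view name and the getUserName() helper used in post #4, and keeps the thread's table and column names:

```php
<?php
// Added example, not code from the thread: a CodeIgniter 1.5-style controller covering
// the three requirements in post #4 plus the output advice in posts #7 and #9.
// Assumed: the 'movies/comment_form' view name and the getUserName() helper from post #4;
// table and column names are those used in the thread.
class Movies extends Controller
{
    function submit_comment()
    {
        $this->load->helper(array('form', 'url'));
        $this->load->library('validation');

        // 1.) The comment is required and must be at least 40 characters long.
        $rules['comment'] = 'required|min_length[40]';
        $this->validation->set_rules($rules);
        $this->validation->set_fields(array('comment' => 'Comment'));

        if ($this->validation->run() == FALSE)
        {
            // 2.) Redisplay the same form view; it reads $this->validation->error_string.
            $this->load->view('movies/comment_form');
            return;
        }

        // 3.) Active Record escapes every value for SQL on insert, so do not also call
        // $this->db->escape() on a value: that stores the added quotes and backslashes.
        // Author, time and IP are taken server-side rather than from hidden form fields,
        // which a client can edit freely.
        $data = array(
            'rid'      => (int) $this->input->post('rid', TRUE),
            'cat'      => (int) $this->input->post('cat', TRUE),
            'c_author' => getUserName(),
            'comment'  => $this->input->post('comment', TRUE),
            'c_score'  => min(10, max(1, (int) $this->input->post('c_score', TRUE))),
            'time'     => date('Y-m-d H:i:s'),
            'ip'       => $this->input->ip_address(),
        );
        $this->db->insert('hellhorror_reviews_comments', $data);
        redirect('movies/comments/'.$data['rid'].'/');
    }
}

// Output side (posts #7 and #9): SQL escaping says nothing about HTML, so encode on display.
// htmlspecialchars() with ENT_QUOTES covers element text and quoted attribute values; it
// does not protect a value inside an onclick-style handler, so never put user text there.
function comment_html($comment)
{
    return '<p>'.htmlspecialchars($comment, ENT_QUOTES, 'UTF-8').'</p>';
}
```

The insert itself needs no manual escaping; the point of comment_html() is that the stored text still has to be encoded for the context it is rendered into.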



