Escaping form inputs
#1

[eluser]loonychune[/eluser]
I was just working through a form, escaping the values in the controller(!) because I wanted to reuse the variables.

So, I'm thinking of escaping the values something like this:

Code:
class Something extends Model {

  public $user;
  public $pass;

  function escape_values($user, $pass) {
    // escape() returns the value quoted and escaped for the active driver,
    // so the properties can be dropped straight into a query string.
    $this->user = $this->db->escape($user);
    $this->pass = $this->db->escape($pass);
  }

  function use_values() {
    // Now I can always refer to the already-escaped variables
    // (no quotes around {$this->pass}: escape() added them).
    $query = $this->db->query("DELETE FROM table WHERE pass = {$this->pass}");
  }

}

This seems an efficient way to do things if I had, say, 5 or 6 functions reusing the $user and $pass values... I don't want to have to escape the values in EVERY method.

What do you think???

I'm also curious about how to go FURTHER... i.e. MY_Controller pops up a lot in the forums and seems to be a way of implementing reusable functionality.

Appreciate your input...
#2

[eluser]n0xie[/eluser]
Why not use active record? It will escape your queries automatically for you.
#3

[eluser]loonychune[/eluser]
Guess I ought to, but I found myself setting the 2nd or 3rd parameter in select() and where() to FALSE sometimes, which kinda went against the ethos of using the active record class I think.
#4

[eluser]n0xie[/eluser]
[quote author="loonychune" date="1255598844"]Guess I ought to, but I found myself setting the 2nd or 3rd parameter in select() and where() to FALSE sometimes, which kinda went against the ethos of using the active record class I think.[/quote]
Usually when you have a complex query that doesn't fit into the AR mould, it might be easier (and safer) to use prepared statements.

In your case:
Code:
function delete($pass)
{
    // Each ? is replaced by the matching array element, escaped and quoted
    // by the database driver, so no manual escape() call is needed.
    $sql = "DELETE FROM table WHERE pass = ?";
    $query = $this->db->query($sql, array($pass));
}

Also be extra careful when passing strings to a destructive query (UPDATE and DELETE) where the delimiter is NOT an integer. If you pass a boolean FALSE to it or an empty string / NULL you might end up deleting the whole content of the table. This is a mistake you don't want to ever have to explain.
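The two points made in this reply, bound parameters instead of hand escaping and a guard against destructive queries whose delimiter is empty, NULL or boolean, as an added example that is not from the thread or from CodeIgniter. It uses Python's sqlite3 module rather than CI's $this->db->query() bindings so it runs stand-alone; the users table, its rows and the expected_max row limit are constructed assumptions.

```python
import sqlite3

# Constructed sample data (not from the forum thread): two users share a
# password value so an over-broad DELETE can be demonstrated.
ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", ""),
        ("dave", "s3cret"), ("erin", "O'Brien")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    conn.commit()
    return conn

def check_delimiter(value):
    """Refuse the values the reply warns about: NULL, booleans (which bind
    as 0/1) and empty strings silently change which rows a WHERE clause hits."""
    if value is None or isinstance(value, bool):
        raise ValueError("NULL/boolean delimiter in destructive query")
    if isinstance(value, str) and value.strip() == "":
        raise ValueError("empty delimiter in destructive query")

def safe_delete(conn, value, expected_max=1):
    """DELETE with a bound parameter (no manual escaping needed, even for
    a value containing a quote), rolled back if too many rows were hit."""
    check_delimiter(value)
    cur = conn.cursor()            # sqlite3 opens a transaction implicitly
    cur.execute("DELETE FROM users WHERE pass = ?", (value,))
    affected = cur.rowcount
    if affected > expected_max:
        conn.rollback()
        raise RuntimeError(f"{affected} rows matched, limit {expected_max}")
    conn.commit()
    return affected

def attempt(conn, value):
    """Run safe_delete and report the outcome as a string."""
    try:
        return f"deleted:{safe_delete(conn, value)}"
    except ValueError:
        return "rejected"
    except RuntimeError:
        return "rolled_back"

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    for v in ("hunter2", "O'Brien", "", None, False, "s3cret"):
        print(repr(v), attempt(db, v), "rows left:", row_count(db))
```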
#5

[eluser]loonychune[/eluser]
Thank you, much appreciated.