$this->input->xss_clean()

#1
[eluser]ganjasensation00[/eluser]
Are there any good practices on how and when to use $this->input->xss_clean()? I'm developing a web-based inventory system right now. I'd be grateful for any suggestions. Thanks.

#2
[eluser]pickupman[/eluser]
Most of the time you can run this on form validation. When you create form, use the form validation library. When creating fields like:
Code:
$this->form_validation->set_rules('field_name', 'field name', 'required|trim|xss_clean');

if($this->form_validation->run())
{
   $this->input->post('field_name'); // This has already been run through xss_clean
}

You basically shouldn't trust user input. CI will strip any naughty stuff for you.

#3
[eluser]ganjasensation00[/eluser]
I'm using Smarty in managing my templates. And when I declare user inputs, I place it in the .tpl file. How can I implement the library form in Smarty?

#4
[eluser]WanWizard[/eluser]
Form validation is something you should do in your controller, after a form is posted. It is not relevant which template engine has generated the form.

#5
[eluser]ganjasensation00[/eluser]
Can you give me some tips on preventing SQL injection, and on the proper saving of information to the database?

#6
[eluser]WanWizard[/eluser]
You can enable xss_clean by default by setting 'global_xss_filtering' to TRUE. If you don't want to do that, use @pickupman's suggestion to clean on a field-by-field basis.

If you use CI's active record library, all data going into the database is escaped automatically.
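The two answers above (pickupman's validation rules in #2 and WanWizard's database advice in #6) fit together in one controller. The following is an added example, not code from the thread or from CodeIgniter itself; it assumes a CodeIgniter 2.x application with a hypothetical `items` table (columns `name`, `qty`, `notes`) and a hypothetical `item_form` view, and it uses only library calls that exist in that version (`form_validation`, `$this->input->post()` with the `xss_clean` flag, Active Record `insert()`, and query bindings via `$this->db->query()`).

```php
<?php
// Added example (not from the thread): a CodeIgniter 2.x controller that
// validates and xss_cleans posted fields, then writes them to the database
// through Active Record so every value is escaped before it reaches SQL.
// Assumed to exist: table `items` (name, qty, notes) and view `item_form`.
class Items extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->helper('url');      // for redirect()
        $this->load->database();
    }

    // Validation happens here in the controller, regardless of which template
    // engine (Smarty or otherwise) rendered the form. Because xss_clean is a
    // validation rule, $this->input->post() returns the filtered value once
    // run() succeeds, exactly as in pickupman's snippet.
    public function add()
    {
        $this->form_validation->set_rules('name',  'Item name', 'required|trim|max_length[64]|xss_clean');
        $this->form_validation->set_rules('qty',   'Quantity',  'required|is_natural');
        $this->form_validation->set_rules('notes', 'Notes',     'trim|xss_clean');

        if ($this->form_validation->run() === FALSE)
        {
            // Re-display the form (the view can show validation_errors()).
            // Nothing is written to the database on a failed validation.
            $this->load->view('item_form');
            return;
        }

        // Active Record escapes each value it binds, so user-supplied text
        // never lands in the SQL string unescaped.
        $data = array(
            'name'  => $this->input->post('name'),
            'qty'   => (int) $this->input->post('qty'),
            'notes' => $this->input->post('notes'),
        );
        $this->db->insert('items', $data);

        redirect('items/show/' . $this->db->insert_id());
    }

    // When a hand-written query is unavoidable, use query bindings: every ?
    // placeholder is replaced with an escaped value, giving the same
    // protection the Active Record insert above gets automatically.
    public function search()
    {
        // Second argument TRUE = run the value through xss_clean (post #7).
        $term  = $this->input->post('term', TRUE);
        $query = $this->db->query(
            'SELECT id, name, qty FROM items WHERE name LIKE ?',
            array('%' . $term . '%')
        );

        // xss_clean is an input filter, not an output encoder. Encode again
        // when rendering so stored text can never be interpreted as markup.
        foreach ($query->result() as $row)
        {
            echo htmlspecialchars($row->name, ENT_QUOTES, 'UTF-8')
               . ': ' . (int) $row->qty . "<br>\n";
        }
    }
}
```

The design point is the split of responsibilities: `xss_clean` (via the rule or the `TRUE` flag) filters what comes in, Active Record and query bindings escape what goes into SQL, and `htmlspecialchars()` encodes what goes back out to the browser. Each layer covers a different failure, so none of them replaces the others.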

#7
[eluser]happydude[/eluser]
And you can clean up data after it gets sent in by setting the second argument of $this->input->post() to TRUE.

e.g.
Code:
if ($this->form_validation->run())
{
   $username = $this->input->post('username', TRUE);
}
