CI2: data validation before inserting it in DB
#1

[eluser]diostm[/eluser]
Hello, I've just got started with CI (CI2) and I created a simple newsletter web app.

But I'm not sure about my validation:
Code:
$this->form_validation->set_rules(
    array(
        array(
            "field" => "title",
            "label" => "Title",
            "rules" => "required|xss_clean"
        ),
        array(
            "field" => "body",
            "label" => "News body",
            "rules" => "required|xss_clean"
        ),
        array(
            "field" => "body_extra",
            "label" => "Body extra",
            "rules" => "xss_clean"
        ),
        array(
            "field" => "author_login",
            "label" => "Authors login",
            "rules" => "required|xss_clean"
        )
    )
);
$_POST['id'] = 0;
$_POST['author_id'] = 0;    // disable this in future
$_POST['mtime'] = date("Y-m-d H:i:s", 3601);
$this->form_validation->set_error_delimiters('<p class="error">', '</p>');

if (!$this->form_validation->run()) {
    $this->data['title'] = "News: Add (errors)";
    $this->load->view('news_add', $this->data);
}
else {
    $this->data['title'] = "News: new post inserted";
    $this->load->view('news_inserted', $this->data);
    $this->db->insert('news', $_POST);
}

Web form from which I send the data:
Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
    "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <title><?=$title?></title>
</head>
<body>
<?=validation_errors()?>
<?php

echo "<p>",
    form_open('news/insert', array('class' => 'email', 'id' => 'myform')), "</p>",
    "<p>", form_input(array(
        "name" => "title",
        "value" => set_value("title", "Title")
    )), "</p>",
    "<p>", form_textarea(array(
        "name" => "body",
        "value" => set_value("body", "News Body")
    )), "</p>",
    "<p>", form_textarea(array(
        "name" => "body_extra",
        "value" => set_value("body_extra", "Extra body")
    )), "</p>",
    "<p>", form_input(array(
        "name" => "author_login",
        "value" => set_value("author_login", "Author")
    )), "</p>",
    "<p>", form_submit(array(
        "value" => "Submit"
    )), "</p>",
    form_close();

?>
</body>
</html>

Table description in database:
Code:
CREATE TABLE  `cms`.`news` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `title` tinytext NOT NULL,
  `body` text NOT NULL,
  `body_extra` text NOT NULL,
  `ctime` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT 'creation time',
  `mtime` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT 'modification time',
  `author_id` int(11) NOT NULL,
  `author_login` tinytext NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=64 DEFAULT CHARSET=latin1
----------------
Did I forget something to check?
#2

[eluser]pickupman[/eluser]
What if you change:
Code:
$this->load->view('news_inserted', $this->data);
$this->db->insert('news', $_POST);

To
Code:
$this->db->insert('news', $_POST);
$this->load->view('news_inserted', $this->data);

You may find it useful to do a
Code:
foreach($_POST as $key => $value){
  $this->db->set($key, $value);
}
$this->db->insert('news');

As a bonus, add this to your controller constructor:
Code:
$this->output->enable_profiler(TRUE); // get all the CI goodness
#3

[eluser]diostm[/eluser]
Hm, thanks, but I mean, is it enough to check those params with the xss_clean function before inserting them in the DB?

Will it be enough when I want to get some data from the DB (selecting it), or do there have to be some more extra validations (for example with mysql_real_escape_string or with its wrapper in CI, $this->db->escape() or $this->db->escape_str())?
#4

[eluser]pickupman[/eluser]
Well, with any app, you don't want to assume a user is feeding you something naughty. Basically any input that you can't typecast like bool or int, you will want to run through xss_clean. The $this->db->set() will make your queries safe.

If you use the active record syntax for doing your queries, CI will take care of the security stuff for you.
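The thread asks two things: whether xss_clean on the form fields is enough before inserting `$_POST`, and whether the query side still needs escaping. The following is an added example, not code from the thread or from CodeIgniter, that shows the same insert written in plain PHP with PDO on an in-memory SQLite table (assumed stand-ins for CI's database layer and the thread's MySQL `news` table, so it runs without CI). It whitelists the four form fields, so request keys like `id` and `author_id` never reach the insert no matter what the client sends; it fills `author_id` and `mtime` server-side; and it uses a prepared statement, so a quote in the title cannot change the SQL. The function names, the fixed author id 7 and the sample request are constructed for illustration.

```php
<?php
// Added example (not from the thread): whitelist form fields, fill server-side
// columns in code, and insert with a prepared statement. Plain PHP + PDO on an
// in-memory SQLite table (assumption: stand-in for CI's active record and MySQL).

declare(strict_types=1);

function build_pdo(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Mirrors the thread's `news` table, minus ctime (SQLite has no ON UPDATE).
    $pdo->exec('CREATE TABLE news (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        title TEXT NOT NULL,
        body TEXT NOT NULL,
        body_extra TEXT NOT NULL,
        mtime TEXT NOT NULL,
        author_id INTEGER NOT NULL,
        author_login TEXT NOT NULL
    )');
    return $pdo;
}

// The only keys the client may supply; everything else in the request is ignored.
const NEWS_FORM_FIELDS = ['title', 'body', 'body_extra', 'author_login'];

// Returns [clean_row, errors]. Mirrors the thread's required/optional rules.
function validate_news(array $post): array
{
    $errors = [];
    $clean = [];
    foreach (NEWS_FORM_FIELDS as $field) {
        $value = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
        if ($field !== 'body_extra' && $value === '') {
            $errors[$field] = "The $field field is required.";
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Inserts one whitelisted row; author_id and mtime are set here, never from the request.
function insert_news(PDO $pdo, array $row, int $authorId): int
{
    $row['author_id'] = $authorId;
    $row['mtime'] = gmdate('Y-m-d H:i:s');
    $stmt = $pdo->prepare(
        'INSERT INTO news (title, body, body_extra, author_login, author_id, mtime)
         VALUES (:title, :body, :body_extra, :author_login, :author_id, :mtime)'
    );
    $stmt->execute($row);   // values are bound, not concatenated into the SQL
    return (int) $pdo->lastInsertId();
}

// Constructed request: the client tries to set columns it must not control and
// sends a title with a quote and markup in it.
$post = [
    'title'        => "O'Reilly's <script>alert(1)</script> news",
    'body'         => 'Hello',
    'body_extra'   => '',
    'author_login' => 'alice',
    'id'           => '1',    // dropped by the whitelist
    'author_id'    => '42',   // dropped by the whitelist
];

$pdo = build_pdo();
[$clean, $errors] = validate_news($post);
if ($errors === []) {
    $id = insert_news($pdo, $clean, 7);   // 7: the logged-in author, assumed here
    $stored = $pdo->query('SELECT id, title, author_id FROM news')->fetch(PDO::FETCH_ASSOC);
    // author_id is 7 (server side), not 42 (request); the title is stored verbatim,
    // including the quote, because the prepared statement carried it as data.
    var_dump($stored);
    // HTML escaping belongs at output time, separate from SQL safety:
    echo htmlspecialchars($stored['title'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
} else {
    var_dump($errors);
}
```

In CodeIgniter terms the equivalent is to read each field explicitly (`$this->input->post('title')` and so on) into an array of your own, add the server-side values to that array, and pass that array rather than `$_POST` to `$this->db->insert('news', $row)`; active record then escapes the values when it builds the query, which is the job `xss_clean` does not do. Escaping for HTML is a separate step at output time, as the last line above shows.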
