My Comments form security
#1

[eluser]Leftfield[/eluser]
Hello, I have a comments form, but I can't secure it...

My Controller

Code:
function comments_insert() {
        // Site-wide config values for the page template
        $CI =& get_instance();
        $title = $CI->config->item('site_title');
        $data['title'] = $title;
        $data['date'] = date('Y:m:d');
        $data['pages'] = $this->Content->get_pages();
        $data['links'] = $this->Content->get_links();
        $data['copyright'] = $CI->config->item('copyright');

        // Raw, unfiltered POST values
        $page_author = $_POST['author'];
        $page_text = $_POST['text'];

        // Insert only when both fields are present and the captcha passes
        if ($page_author && $page_text !== '' && $this->alcaptcha->check($this->input->post('captchacode')) ) {
            $this->Content->comments_insert();// Insert method
        }

        redirect('blog/comments/' . $_POST['entry_id']);
    }
Insert method:

Code:
function comments_insert() {
     // Inserts every POST field as a column of `comments`, unfiltered
     $this->db->insert('comments', $_POST);
    }
If I do
Code:
$this->db->insert('comments', strip_tags($_POST));
nothing happens.

Please, how do I
Quote:strip_tags
the
Code:
$page_author = $_POST['author'];
field?
Thank you
#2

[eluser]Mr. Pickle[/eluser]
You can't strip_tags() an array but you can do:
Code:
$page_author = strip_tags($_POST['author']);

But if you want to secure it for the database, use the CI style:

Code:
$page_author = $this->input->post('author');
#3

[eluser]InsiteFX[/eluser]
Why not use CodeIgniter?

Code:
// TRUE - tells it to use xss_clean.
$this->input->post('some_data', TRUE);

InsiteFX
#4

[eluser]Leftfield[/eluser]
[quote author="InsiteFX" date="1285018471"]Why not use CodeIgniter?

Code:
// TRUE - tells it to use xss_clean.
$this->input->post('some_data', TRUE);

InsiteFX[/quote]

Code:
'author'=>$this->input->post('author',TRUE)
or
Code:
'author'=>strip_tags($_POST['author'])
I have
Quote:< a href="/">
not fully cut. I don't understand what's wrong, strip_tags DOES NOT WORK CORRECTLY...
#5

[eluser]Mr. Pickle[/eluser]
strip_tags is different from the xss_clean built into CI.

Why not combine?

Code:
'author'=> strip_tags($this->input->post('author'))
#6

[eluser]Leftfield[/eluser]
[quote author="Mr. Pickle" date="1285021802"]strip_tags is different from the xss_clean built into CI.

Why not combine?

Code:
'author'=> strip_tags($this->input->post('author'))
[/quote]
I have a not completely cut string: < a href="/">XSS
#7

[eluser]InsiteFX[/eluser]
Code:
// this is WRONG!
$CI = &get;_instance();

// should be:
$CI =& get_instance();

InsiteFX
#8

[eluser]Leftfield[/eluser]
[quote author="InsiteFX" date="1285052623"]
Code:
// this is WRONG!
$CI = &get;_instance();

// should be:
$CI =& get_instance();

InsiteFX[/quote]
It's a mistake only from posting here in the WYSIWYG editor! Real code:

Code:
function comments_insert() {

        // Site-wide config values for the page template
        $CI =& get_instance();
        $title = $CI->config->item('site_title');
        $data['title'] = $title;
        $data['date'] = date('Y:m:d');
        $data['pages'] = $this->Content->get_pages();
        $data['links'] = $this->Content->get_links();
        $data['copyright'] = $CI->config->item('copyright');

        // Raw, unfiltered POST values
        $page_author = $_POST['author'];
        $page_text = $_POST['text'];

        // Insert only when both fields are present and the captcha passes
        if ($page_author && $page_text !== '' && $this->alcaptcha->check($this->input->post('captchacode')) ) {
            // $this->Content->comments_insert();
            // Build the row by hand instead of inserting $_POST wholesale
            $data = array('entry_id' => 53,
                    'text' => $page_text,
                    'author' => strip_tags(trim($this->input->post('author'))),
                    'captchacode' => $this->input->post('captchacode'),
                    'date' => $data['date']
            );
            $this->db->insert('comments', $data);
        }

        redirect('blog/comments/' . $_POST['entry_id']);
    }

Code:
'author'=> strip_tags(trim($this->input->post('author')))
makes:
Quote:< a href="/">XSS
I.e. it cuts tags only on the right side and leaves the left.
#9

[eluser]InsiteFX[/eluser]
Code:
<?php
// string strip_tags ( string $str [, string $allowable_tags ] )
// Strips every tag except those listed in $allowable_tags,
// so this prints "Hello <b>world!</b>"
echo strip_tags("Hello <b><i>world!</i></b>", "<b>");
?>

InsiteFX
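An added example, not code from the thread or from CodeIgniter, that shows what is going on with the strings posted above and how a comment form like this is usually handled. Two points it demonstrates: first, PHP's strip_tags() only treats `<` as the start of a tag when a non-whitespace character follows it, so `< a href="/">XSS` is plain text to it and survives untouched, while `<a href="/">XSS</a>` is reduced to `XSS`; second, `$this->db->insert('comments', $_POST)` writes whatever fields the client chose to send, so the row should be built from a whitelist of fields and the stored text escaped with htmlspecialchars() at output time, which is what actually neutralises markup. The function names, the field list, the length limits and all sample inputs below are assumptions made for the example; the script runs stand-alone without CodeIgniter.

```php
<?php
// Added example, not part of the original thread or of CodeIgniter.
// Names, field list, limits and sample inputs are assumptions.
declare(strict_types=1);

/** Fetch a POST field as a string; non-string values (arrays) count as empty. */
function post_string(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

/**
 * Build the row for the `comments` table from a raw POST array.
 * Only whitelisted keys are copied, so an extra form field cannot set an
 * arbitrary column (unlike $this->db->insert('comments', $_POST)).
 * Returns null when the submission is invalid.
 */
function build_comment_row(array $post): ?array
{
    $entryId = filter_var(post_string($post, 'entry_id'), FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    $author  = trim(strip_tags(post_string($post, 'author')));
    $text    = trim(post_string($post, 'text'));

    if ($entryId === false || $author === '' || $text === '') {
        return null;
    }
    // Byte-length limits (assumed): stop oversized input reaching the columns.
    if (strlen($author) > 64 || strlen($text) > 4000) {
        return null;
    }
    return [
        'entry_id' => $entryId,
        'author'   => $author,
        'text'     => $text,                 // stored raw, escaped when rendered
        'date'     => date('Y-m-d H:i:s'),
    ];
}

/** Escape a stored value for an HTML body/attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one stored comment as HTML; every dynamic value goes through h(). */
function render_comment(array $row): string
{
    return '<div class="comment"><b>' . h($row['author']) . '</b>: '
         . h($row['text']) . '</div>';
}

// --- demonstration with constructed inputs ---------------------------------
$samples = [
    '<a href="/">XSS</a>',        // real tag: strip_tags removes it
    '< a href="/">XSS',           // "<" + whitespace is text to strip_tags
    '<script>alert(1)</script>',  // tags go, the script body text stays
    'a < b && c > d',             // legitimate text that must survive
];
foreach ($samples as $s) {
    printf("input:            %s\nstrip_tags:       %s\nhtmlspecialchars: %s\n\n",
           $s, strip_tags($s), h($s));
}

// A constructed submission, including a field the form never had:
$post = [
    'entry_id'    => '53',
    'author'      => ' <a href="/">Mallory</a> ',
    'text'        => '< a href="/">Hi</a>',
    'captchacode' => 'abcd',
    'is_admin'    => '1',   // would be inserted by insert('comments', $_POST)
];
$row = build_comment_row($post);
var_dump($row);
if ($row !== null) {
    echo render_comment($row), "\n";
}
```

In the controller from the thread the returned row is what goes into `$this->db->insert('comments', $row)` (after the captcha check), and the view prints each field through an escaping helper rather than raw. Stripping tags on the way in is at best a tidy-up of the author field; it is not what protects the page, because strings that are not tags to strip_tags() are still markup to a browser.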



