Shouldn't ActiveRecord automatically be escaping data?
#1

[eluser]Marcus Hodges[/eluser]
Hey. I'm building my first CI-driven app (also my first OOP or MVC or ActiveRecord app) so please bear with me.

When I make a simple insert statement, my values aren't getting escaped. For example:

Code:
$book = array(
    'isbn' => $this->input->post('isbn'),
    'title' => mysql_real_escape_string($this->input->post('title')),
    'date' => $amazon->Items->Item->ItemAttributes->PublicationDate,
    'publisher' => mysql_real_escape_string($amazon->Items->Item->ItemAttributes->Publisher),
    'pages' => $amazon->Items->Item->ItemAttributes->NumberOfPages,
    'review' => mysql_real_escape_string($amazon->Items->Item->EditorialReviews->EditorialReview->Content),
    'image' => mysql_real_escape_string($amazon->Items->Item->LargeImage->URL),
    'thumb' => mysql_real_escape_string($amazon->Items->Item->SmallImage->URL),
    'filename' => $file['file_name']
);
$this->db->insert('books', $book);

I feel like I shouldn't have to put all of those redundant mysql_real_escape_string() functions in there, but the query fails without them. I've tried a couple of things which say they automatically escape the data, but they don't work for me. The two things I tried were:

Code:
$sql = $this->db->insert_string('books', $book);
$this->db->query($sql);
// And...
$this->db->set($book);
$this->db->insert('books');

Likewise, this get_where statement also fails without the function attached to it.

Code:
$query = $this->db->get_where('authors', array('author' => mysql_real_escape_string($author)));

What am I missing?
#2

[eluser]Sbioko[/eluser]
OMG, remove those mysql_real_escape_string =) Check your application/config/config.php. There should be
Code:
$config['global_xss_filtering'] = FALSE;
. Change it to TRUE. And, please, read the user guide.
#3

[eluser]Marcus Hodges[/eluser]
NEVER assume someone didn't try the manual first. It's annoying, frustrating, and insulting when you spend a day trying to find an answer and break down and ask the 'community' for a solution and that's the best they can come up with.

I can't set XSS filtering on this project. It's for technical ebooks and 'JavaScript' is a pattern that comes up often in titles and tags. XSS filtering removes that pattern from all strings and I need that pattern.

My question is about escaping data. When I use the ActiveRecord methods for getting and inserting data, it does not escape the data. Quotes are absent, so the query fails unless I use mysql_real_escape_string() or hard-set quotes around the variables like so:

Code:
$query = $this->db->get_where('authors', array('author' => "'" . $author . "'"));

Neither are ideal and I figure there's got to be a better way.
#4

[eluser]Sbioko[/eluser]
Ok, excuse me, I fully understand you. I said it because it looks like you did not read the manual.
So, you could copy the xss_clean functionality without the 'javascript' filter removal and extend the database class or your class to use your custom xss_clean. But I think there is a better way to do it.
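The pattern the thread is circling around, as an added example (not code from the thread or from CodeIgniter itself): let Active Record do the SQL escaping, cast the XML values to strings first, and keep XSS handling as an output concern instead of a global filter. It assumes `$amazon` is a SimpleXMLElement (so each `->Field` access yields an object rather than a string) and that `$author` is a plain string.

```php
<?php
// Added example, not the original poster's code. Assumption: $amazon is a
// SimpleXMLElement. CodeIgniter's escape() only quotes string values, so an
// un-cast XML node would be interpolated unquoted and break the query; the
// manual mysql_real_escape_string() calls were masking that by stringifying.
$item = $amazon->Items->Item;

$book = array(
    'isbn'      => $this->input->post('isbn'),
    'title'     => $this->input->post('title'),
    'date'      => (string) $item->ItemAttributes->PublicationDate,
    'publisher' => (string) $item->ItemAttributes->Publisher,
    'pages'     => (int) $item->ItemAttributes->NumberOfPages,
    'review'    => (string) $item->EditorialReviews->EditorialReview->Content,
    'image'     => (string) $item->LargeImage->URL,
    'thumb'     => (string) $item->SmallImage->URL,
    'filename'  => $file['file_name'],
);

// No mysql_real_escape_string(): insert() quotes and escapes every string
// value itself. Escaping twice is not harmless either: "O'Reilly" would be
// stored as "O\'Reilly".
$this->db->insert('books', $book);

// Same for lookups: get_where() emits the value as an escaped, quoted literal,
// so no hand-placed quotes are needed.
$query = $this->db->get_where('authors', array('author' => (string) $author));

// XSS is a separate concern from SQL escaping. Instead of global_xss_filtering
// (which, as the thread notes, strips "javascript" out of titles), encode when
// rendering so the stored title stays intact and the browser still sees text.
echo htmlspecialchars($book['title'], ENT_QUOTES, 'UTF-8');
```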
