Formatting the POST array to an SQL insert\update string in codeigniter 2
#1

[eluser]amosmos[/eluser]
Hi,

I'm trying to automate form creation and submission in codeigniter.

Basically what I want is to find a way to go over all the data in the POST array and format it correctly to an insert or update sql query.

The problem is I don't know how to access the whole POST array in CI; all I know of is the $this->input->post(field_name) way, which only gives you a specific field.

Ideally I would want to send the POST array to the $this->db->insert_string() or $this->db->update_string() to do the job for me.

I know I can still use the php native $_POST array, but this is not recommended and not as secure as CI's input class.

Anyone know a way to do this?

Thanks, Amos
#2

[eluser]WanWizard[/eluser]
$this->input->post() just returns a value from $_POST (if you don't explicitly request to clean it), so if you have global XSS clean enabled, you can just use $_POST.

If you want the option to return the entire array, you can use my Input library extension:
Code:
class MY_Input extends Input
{
    /**
    * Fetch from array
    *
    * This is a helper function to retrieve values from global arrays
    *
    * @access    private
    * @param    array
    * @param    string
    * @param    bool
    * @return    string
    */
    function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
    {
        if ( empty($index) )
        {
            if ( $xss_clean === TRUE )
            {
                $cleaned = array();
                foreach($array as $key => $value)
                {
                    $cleaned[$key] = $this->xss_clean($value);
                }
                return $cleaned;
            }
            else
            {
                return $array;
            }
        }
        else
        {
            if ( ! isset($array[$index]))
            {
                return FALSE;
            }

            if ($xss_clean === TRUE)
            {
                return $this->xss_clean($array[$index]);
            }

            return $array[$index];
        }
    }
}
#3

[eluser]amosmos[/eluser]
I don't get it, if I don't use XSS cleaning, $this->input->post(something) is EXACTLY the same as $_POST[something] ??
#4

[eluser]amosmos[/eluser]
The user guide says that the input class filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters, and standardizes newline characters to \n... I'm not 100% sure how serious that is but it sounds important, no?
#5

[eluser]WanWizard[/eluser]
Yes.

If you use global XSS cleaning in your config, $_POST contains the cleaned values, and it is safe to use $_POST (if you do, you have to make sure nobody changes your config setting!). If you don't, you need to use the XSS_clean parameter of $this->input->post.

There are two options:
- use my Input library extension that allows you to use $this->input->post(FALSE, TRUE) which returns the entire $_POST array, cleaned.
- code it manually:
Code:
// manually clean all post values
foreach( $_POST as $key => $value )
{
    $_POST[$key] = $this->input->post($key, TRUE);
}
// you can now use $_POST here...
#6

[eluser]amosmos[/eluser]
Is it possible that the input class cleans the POST array regardless if I use $this->input->post or $_POST?

I just looked at the code and it seems that the input class cleans the post array itself in the construction function and then the input->post function indeed just pulls it from it without any extra work to it (if I don't use XSS cleaning).

If that is so, why does the user guide encourage the use of input->post? I don't see any benefit to it...

Thanks,
Amos
#7

[eluser]WanWizard[/eluser]
No, the input class only cleans when XSS_cleaning is globally enabled in the config. If not, it doesn't touch $_POST.

I personally never use global XSS cleaning (sometimes you don't want that), and always use $this->input->post('field', TRUE); so I'm absolutely sure it's cleaned.
#8

[eluser]amosmos[/eluser]
OK great, I am definitely going to use your extended input class.

The problem is I can't manage to make it run... I uploaded MY_Input.php to the application\library folder and it doesn't run... I am using CI2 so I also tried to change the "extends Input" to "extends CI_Input" but that didn't do anything.

While I'm at it let me ask: once it is working, can I use the command "$this->input->post()" to get the entire array?

Thanks,
Amos
#9

[eluser]amosmos[/eluser]
BTW the input class does touch $_POST at the construction, even if XSS cleaning is off. It does other cleaning stuff to it. Look at line 494 or 514 for example...

Another benefit of using the input->post(something) is that it checks if that key exists, but since I need the whole post array, I don't really care for this check...

Waiting to hear your good advice about my MY_Input issue..

Thanks!
Amos
#10

[eluser]InsiteFX[/eluser]
If you're running CI2.0, it needs to go in application/core

InsiteFX
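
Added example (not written by any poster in this thread and not CodeIgniter's own code): when the whole POST array is handed to insert_string() or update_string(), the client's keys decide which columns are written, so this sketch builds the data array from an explicit column list instead. The function name collect_form_fields, the column names and the 'users' table are hypothetical, and the sample request is constructed.

```php
<?php
/**
 * Build the data array for insert_string()/update_string() from a fixed
 * column list rather than from every key the client posted.
 *
 * @param array $post     raw POST array (e.g. $_POST)
 * @param array $allowed  column names this form may set (hypothetical list)
 * @param bool  $require  TRUE for inserts: every allowed field must be present
 * @return array          column => string value
 */
function collect_form_fields(array $post, array $allowed, $require = FALSE)
{
    $data = array();
    foreach ($allowed as $column)
    {
        if ( ! array_key_exists($column, $post))
        {
            if ($require)
            {
                throw new InvalidArgumentException("Missing field: $column");
            }
            continue; // an update may carry only some of the columns
        }

        // A field posted as name[]=... arrives as an array; reject it
        // instead of letting it reach the query builder.
        if ( ! is_scalar($post[$column]))
        {
            throw new InvalidArgumentException("Field is not a scalar: $column");
        }

        $data[$column] = (string) $post[$column];
    }
    return $data;
}

// Constructed sample request: "is_admin" is not a field the form offers,
// so it never reaches $data because it is not in the allowed list.
$sample_post = array(
    'username' => 'amos',
    'email'    => 'amos@example.com',
    'is_admin' => '1',
);
$data = collect_form_fields($sample_post, array('username', 'email'), TRUE);
print_r($data);

// Inside a CodeIgniter model, $data would then go to the calls named in the
// thread, e.g. $this->db->insert_string('users', $data), which escapes the
// values. 'users' is a hypothetical table name.
```

XSS cleaning, as discussed in the thread, filters values for output; it does not restrict which keys are accepted, which is why the column list is enforced separately here.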



