$this->security->xss_clean(), do this in controller or model? clean up in controller, escape in model
#1

[eluser]searain[/eluser]
My practice is to do the $this->security->xss_clean() on the values in the controller (if they were not obtained via $this->input->post('mydata')), and pass the cleaned-up data to the model.

And in the model, I would use the bind method, so it will auto-escape.

Basically, I do the clean-up in the controller and the escaping in the model. Is it a good practice?

But I saw some people do both the clean-up and the escaping in the models. What are the advantages or disadvantages of these two approaches?

Thanks!
#2

[eluser]Narkboy[/eluser]
[quote author="searain" date="1295935491"]My practice is to do the $this->security->xss_clean() on the values in the controller (if they were not obtained via $this->input->post('mydata')), and pass the cleaned-up data to the model.

And in the model, I would use the bind method, so it will auto-escape.

Basically, I do the clean-up in the controller and the escaping in the model. Is it a good practice?

But I saw some people do both the clean-up and the escaping in the models. What are the advantages or disadvantages of these two approaches?

Thanks![/quote]

OK - in theory, every block of code should be totally ignorant of what calls it; so validation must be done at each stage. This way, you can call your model functions from one controller, but you can also call them from every other without having to duplicate the validation coding.

The goal is to make each function capable of dealing with the information they receive in a safe way, without knowing where that info came from.

I work like this:

If the function is PROCESSING data, it assumes the data is poisoned and sanitises it.
If the function is PASSING data, it does not need to sanitise it.

Thus a controller that gets POST data and sends it to a model can trust that the model will treat it carefully.

As far as is possible / logical / efficient, none of my functions will trust the data they receive if they need to process it. Views are an exception, since information passed to them will always have been sanitised somewhere.

/B
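The "processing function sanitises, passing function does not" rule from the reply above, written out as a CodeIgniter controller/model pair. This is an added example, not code from either poster: the controller hands raw POST data straight to the model, and the model is the one that validates, runs xss_clean(), and uses query bindings so it stays safe no matter which controller (or CLI task) calls it. The class names (Items, Item_model), the items table and its columns, and the view name are assumptions made for the illustration; the API calls ($this->input->post(), $this->security->xss_clean(), $this->db->query() with ? bindings, html_escape()) are CodeIgniter 3's.

```php
<?php
// Added example (not from the thread): one possible layout for "the model does the
// sanitising". Assumed names: Items controller, Item_model, `items` table with
// `id` and `title` columns, and an items/list view.

// application/controllers/Items.php
class Items extends CI_Controller
{
    public function create()
    {
        $this->load->model('item_model');

        // The controller only PASSES data along, so (per the reply above) it does
        // not sanitise. Raw POST goes to the model; the model does not trust it.
        $title = $this->input->post('title');   // raw: no xss_clean here on purpose

        if ($this->item_model->save_item($title) === FALSE) {
            show_error('Title is missing or too long.', 400);
        }

        $data['items'] = $this->item_model->all_items();
        $this->load->view('items/list', $data);
    }
}

// application/models/Item_model.php
class Item_model extends CI_Model
{
    // PROCESSES data: assumes it is poisoned and sanitises it itself, so every
    // caller gets the same protection without duplicating it in each controller.
    public function save_item($title)
    {
        // 1. Validate shape first; reject out-of-range input rather than "fixing" it.
        $title = trim((string) $title);
        if ($title === '' || mb_strlen($title) > 200) {
            return FALSE;
        }

        // 2. HTML-side filtering. Note this is a different concern from SQL
        //    escaping; xss_clean() does nothing for the database query below.
        $title = $this->security->xss_clean($title);

        // 3. SQL side: the ? binding escapes and quotes the value, which is what
        //    makes this model safe to call with unescaped input from anywhere.
        $sql = 'INSERT INTO items (title) VALUES (?)';
        return $this->db->query($sql, array($title));
    }

    public function get_item($id)
    {
        // A bound integer: casting plus binding, so a non-numeric id cannot
        // change the meaning of the query.
        $sql = 'SELECT id, title FROM items WHERE id = ?';
        return $this->db->query($sql, array((int) $id))->row();
    }

    public function all_items()
    {
        return $this->db->query('SELECT id, title FROM items ORDER BY id')->result();
    }
}

// application/views/items/list.php (assumed view). Even though the model ran
// xss_clean() on the way in, escaping at output costs nothing and covers rows
// that reached the table by some other path (imports, older code, fixtures).
//
//   <?php foreach ($items as $item): ?>
//     <li><?php echo html_escape($item->title); ?></li>
//   <?php endforeach; ?>
```

The split this gives you is the one the reply argues for: the controller can be swapped out or duplicated without re-checking anything, because every function that actually touches the data (save_item(), get_item()) does its own validation and escaping. The one addition over the thread is the html_escape() in the view: xss_clean() on input and query bindings on the SQL side are two separate defences, and neither replaces escaping the value when it is finally rendered.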
