String passed to callback function sanitized?

[eluser]Unknown[/eluser]
I use callback functions in my form validation code to check the database for valid values for a field. Is it right to assume that the value in the field passed to the call back function is not sanitized? If I have xss enabled in my config, do I have to use $this->input->post('str') in my callback function if I want the data cleaned? Is it enough to protect the values being sent to my callback function by using validation rules such as alpha, or alpha_dash, etc?

[eluser]Aken[/eluser]
It depends on what you're doing with the value in your callback.

- If you have XSS clean enabled globally in your config, fields will always be sanitized when calling them through $this->input->post().
- Unless you need to access another field, you don't need $this->input->post() in your callback. The value will automatically be passed as the first parameter of your callback method.
- The rules you specify for a field are run in that order. If you put xss_clean before your callback, it will be cleaned prior to your callback receiving it. Third, you can always run xss_clean on an individual POST element whenever you want by doing:

Code:

$this->input->post('item', true); // Note the TRUE

Maybe explain what you're doing in your callback to get advice specific for your situation.