String passed to callback function sanitized?

#1
[eluser]Unknown[/eluser]
I use callback functions in my form validation code to check the database for valid values for a field. Is it right to assume that the value in the field passed to the callback function is not sanitized? If I have xss enabled in my config, do I have to use $this->input->post('str') in my callback function if I want the data cleaned? Is it enough to protect the values being sent to my callback function by using validation rules such as alpha, or alpha_dash, etc?

#2
[eluser]Aken[/eluser]
It depends on what you're doing with the value in your callback.

- If you have XSS clean enabled globally in your config, fields will always be sanitized when calling them through $this->input->post().
- Unless you need to access another field, you don't need $this->input->post() in your callback. The value will automatically be passed as the first parameter of your callback method.
- The rules you specify for a field are run in that order. If you put xss_clean before your callback, it will be cleaned prior to your callback receiving it.

Third, you can always run xss_clean on an individual POST element whenever you want by doing:

Code:
$this->input->post('item', true); // Note the TRUE

Maybe explain what you're doing in your callback to get advice specific for your situation.
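
The rule ordering and callback parameter described in the answer above, shown as an added example that is not part of the original thread. It assumes CodeIgniter 2.x; the controller, the `users` table, the `username` column and the view names are hypothetical.

```php
<?php
// Added example, assuming CodeIgniter 2.x. The controller name, the "users"
// table, the "username" column and the view names are hypothetical.
class Signup extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->database();
    }

    public function index()
    {
        // Rules run left to right: the value is trimmed, restricted to
        // alpha_dash characters and passed through xss_clean before
        // username_check() receives it as its first parameter.
        $this->form_validation->set_rules(
            'username',
            'Username',
            'trim|required|alpha_dash|xss_clean|callback_username_check'
        );

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('signup_form');
        } else {
            $this->load->view('signup_success');
        }
    }

    // Validation callback: $str is the field value as left by the
    // rules listed before callback_username_check.
    public function username_check($str)
    {
        // Active Record escapes $str when it builds the WHERE clause.
        $this->db->where('username', $str);

        if ($this->db->count_all_results('users') === 0) {
            $this->form_validation->set_message(
                'username_check',
                'The %s field does not match a known user.'
            );
            return FALSE;
        }
        return TRUE;
    }
}
```

Moving `callback_username_check` ahead of `alpha_dash` or `xss_clean` in the rule string would hand the callback the value before those rules have run.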

