Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming escaping quotes when updating db
escaping quotes when updating db
  • El Forum
    Unregistered
  •  
#1
09-14-2012, 12:18 PM

[eluser]murichej[/eluser]
hi, i have one problem..

I get data from form and save them to database with jquery ajax. Everything works fine but the codeigniter is escaping quotes by itself.

I'm using jquery $.ajax (post method) to call controller wich calls model that updates data.

Example:
http://shrani.si/f/1Q/13B/ZSt63ED/q.png
  • El Forum
    Unregistered
  •  
#2
09-14-2012, 12:30 PM

[eluser]murichej[/eluser]
ajax code from view:
Code:
$('#save_personal').click(function() {
    $.ajax({
        type: "POST",
        url: "index.php/profile/savePersonalInformation",
        data: { name: $('#name').val(), surname: $('#surname').val(), about: $('#about').val() },
        success: function(ret) {
            if (ret)
                location.reload();
        },
    });
});

controller code:
Code:
public function savePersonalInformation()
{
    $id = $this->id_admin;
    
    $data['name'] = trim($_REQUEST['name']);
    $data['surname'] = trim($_REQUEST['surname']);
    $data['about'] = trim($_REQUEST['about']);
    
    $OK = $this->Admin_model->setPersonalInformation($id, $data);
    
    if ($OK) {
        echo 1;
        exit;
    }
    
}

model code:
Code:
function setPersonalInformation($id, $data)
{
          
    $this->db->where('id', $id);
    $this->db->update('admin', $data);
    
    if ($this->db->affected_rows() == '1')
        return TRUE;
    
    return FALSE;
}
  • El Forum
    Unregistered
  •  
#3
09-14-2012, 12:43 PM

[eluser]qcsites[/eluser]
You should actually allow it to escape quotes for security purposes then use stripslashes to remove them
Code:
<?php
$str = "Is your name O\'reilly?";

// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>
  • El Forum
    Unregistered
  •  
#4
09-14-2012, 12:52 PM

[eluser]murichej[/eluser]
i'm writing some CMS with lots of data inputs and so on.. that means that i have to use stripslashes every single time? that's a bit annoying
  • El Forum
    Unregistered
  •  
#5
09-14-2012, 01:02 PM

[eluser]qcsites[/eluser]
You can use the following method to do it in the model http://www.greenacorn-webdesign.co.uk/we...method.php

Or you can create a function to use on your outputs.

The other option is to not use active records and write your queries. If you go this route and allow unescaped entries you leave your application vulnerable to SQL injection. Generally speaking a bad idea.

Sorry, part of the wonderful world of programming.
  • El Forum
    Unregistered
  •  
#6
09-14-2012, 01:51 PM

[eluser]murichej[/eluser]
thank you very much, i think that i will use stripslashing method in model.
  • El Forum
    Unregistered
  •  
#7
09-16-2012, 07:05 AM

[eluser]murichej[/eluser]
I have one problem using that method. This method changes associative array to non-associative arrays Tongue

edit: ok i wrote method for associative arrays. if somebody needs it, feel free to use it

Code:
/**
* stripslashes for associative arrays
*
* @access public
* @param  array
* @return array
*/
function stripslashes($object)
{
    
   $output = array();
    
   if (is_array($object))
   {
       foreach ($object as $key => $val)        
       {
           $item = stripslashes($val);
           $output[$key] = $item;
       }
   }
    
   return $output;
            
}




Theme © iAndrew 2016 - Forum software by © MyBB