escaping quotes when updating db

#1
[eluser]murichej[/eluser]
Hi, I have one problem..

I get data from a form and save it to the database with jQuery AJAX. Everything works fine, but CodeIgniter is escaping quotes by itself.

I'm using jQuery $.ajax (POST method) to call a controller which calls a model that updates the data.

Example:
http://shrani.si/f/1Q/13B/ZSt63ED/q.png

#2
[eluser]murichej[/eluser]
AJAX code from the view:
Code:
$('#save_personal').click(function() {
    $.ajax({
        type: "POST",
        url: "index.php/profile/savePersonalInformation",
        // Raw field values are posted as-is; any escaping happens server side
        data: { name: $('#name').val(), surname: $('#surname').val(), about: $('#about').val() },
        success: function(ret) {
            // The controller echoes 1 on success and nothing otherwise
            if (ret)
                location.reload();
        }
    });
});

Controller code:
Code:
public function savePersonalInformation()
{
    $id = $this->id_admin;

    // Raw form values from $_REQUEST (GET, POST and COOKIE merged); only whitespace is trimmed
    $data = array();
    $data['name'] = trim($_REQUEST['name']);
    $data['surname'] = trim($_REQUEST['surname']);
    $data['about'] = trim($_REQUEST['about']);

    $OK = $this->Admin_model->setPersonalInformation($id, $data);

    // Echo 1 so the AJAX success callback reloads the page; no output means failure
    if ($OK) {
        echo 1;
        exit;
    }
}

Model code:
Code:
function setPersonalInformation($id, $data)
{
    // Active Record escapes the values in $data while building the UPDATE statement
    $this->db->where('id', $id);
    $this->db->update('admin', $data);

    // Exactly one row must have changed for the save to count as a success
    if ($this->db->affected_rows() == 1)
        return TRUE;

    return FALSE;
}

#3
[eluser]qcsites[/eluser]
You should actually allow it to escape quotes for security purposes, then use stripslashes to remove them:
Code:
<?php
$str = "Is your name O\'reilly?";

// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>

#4
[eluser]murichej[/eluser]
I'm writing a CMS with lots of data inputs and so on.. That means I have to use stripslashes every single time? That's a bit annoying.

#5
[eluser]qcsites[/eluser]
You can use the following method to do it in the model: http://www.greenacorn-webdesign.co.uk/we...method.php

Or you can create a function to use on your outputs.

The other option is to not use Active Record and write your queries yourself. If you go this route and allow unescaped entries, you leave your application vulnerable to SQL injection. Generally speaking, a bad idea.

Sorry, part of the wonderful world of programming.
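
As an added example (not code from the thread, the linked page or CodeIgniter), the following self-contained PHP script puts the three points of this post side by side: a raw UPDATE built by string concatenation next to the same update with the value escaped while the query is built (the approach Active Record takes internally, here via PDO::quote), the fact that escape characters live only in the SQL text and never reach the stored value, and a recursive stripslashes for the case where the submitted data already contains backslashes before the application sees it (PHP's magic_quotes_gpc did exactly that in versions before 5.4). It uses an in-memory SQLite database so it runs offline with the pdo_sqlite extension; the `admin` table mirrors the thread's, while every function name, the column whitelist and the sample values are assumptions made for the example.

```php
<?php
// Added example, not from the thread or from CodeIgniter. Needs pdo_sqlite;
// the `admin` table mirrors the thread's, everything else is assumed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, surname TEXT, about TEXT)');
    $db->exec("INSERT INTO admin (id, name, surname, about) VALUES
               (1, 'alice', 'a', 'first'), (2, 'bob', 'b', 'second')");
    return $db;
}

// Column names come from the controller, not the user, but whitelist them anyway.
const ALLOWED_COLUMNS = ['name', 'surname', 'about'];

function check_columns(array $data): void
{
    foreach (array_keys($data) as $col) {
        if (!in_array($col, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown column $col");
        }
    }
}

// VULNERABLE: the value is concatenated into the SQL text. A quote in the
// value closes the string literal and whatever follows is executed as SQL.
function update_unsafe(PDO $db, int $id, array $data): int
{
    check_columns($data);
    $sets = [];
    foreach ($data as $col => $val) {
        $sets[] = "$col = '$val'";
    }
    return $db->exec('UPDATE admin SET ' . implode(', ', $sets) . " WHERE id = $id");
}

// SAFE: the value is escaped for this driver while the query is built. The
// escape characters exist only in the SQL text; the engine stores the original.
function update_escaped(PDO $db, int $id, array $data): int
{
    check_columns($data);
    $sets = [];
    foreach ($data as $col => $val) {
        $sets[] = "$col = " . $db->quote($val);
    }
    return $db->exec('UPDATE admin SET ' . implode(', ', $sets) . ' WHERE id = ' . (int) $id);
}

// Bound parameters are the other safe route: the value never enters the SQL text.
function fetch_row(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, about FROM admin WHERE id = :id');
    $stmt->execute(['id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Recursive stripslashes for nested form arrays. Only needed when the input
// already carries backslashes before the script sees it (e.g. magic_quotes_gpc
// in PHP < 5.4); after a correct escape/store round trip there is nothing to strip.
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

$db = make_db();

// 1. A legitimate apostrophe goes through the escaped update and comes back
//    unchanged: the doubled quote in the SQL text is not part of the stored value.
update_escaped($db, 1, ['about' => "Is your name O'Reilly?"]);
echo fetch_row($db, 1)['about'], "\n";

// 2. Constructed injection payload. Through the unsafe path it rewrites row 2
//    and comments out the intended WHERE clause; through the escaped path it is
//    just text stored in row 1.
$payload = "x', name = 'pwned' WHERE id = 2 -- ";
update_unsafe($db, 1, ['about' => $payload]);
echo 'row 2 name after unsafe update: ', fetch_row($db, 2)['name'], "\n";
update_escaped($db, 1, ['about' => $payload]);
echo fetch_row($db, 1)['about'] === $payload ? "escaped path stored the payload literally\n" : "escaped path altered the payload\n";

// 3. Input that already contains backslashes (simulated with addslashes, as
//    magic_quotes_gpc would do) is stored with them; stripping before the
//    update removes them, nested arrays included.
$magic = ['about' => addslashes("O'Reilly"), 'nested' => ['k' => addslashes('"q"')]];
update_escaped($db, 1, ['about' => $magic['about']]);
echo 'stored with slashes left in: ', fetch_row($db, 1)['about'], "\n";
$clean = stripslashes_deep($magic);
update_escaped($db, 1, ['about' => $clean['about']]);
echo 'stored after stripslashes_deep: ', fetch_row($db, 1)['about'], "\n";
echo 'nested value after stripslashes_deep: ', $clean['nested']['k'], "\n";
```

Run it with `php example.php`. The third block is the situation described in the opening post: if the value arrives with backslashes already in it, every correct database layer will store them faithfully, and stripping them has to happen before the update (or the slashes have to be prevented at the input stage), not because the query builder added them. The second block is why the escaping must stay in place: the unsafe path lets one quote in a form field change a different row.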

#6
[eluser]murichej[/eluser]
Thank you very much, I think I will use the stripslashes method in the model.

#7
[eluser]murichej[/eluser]
I have one problem using that method. This method changes associative arrays to non-associative arrays.

Edit: OK, I wrote a method for associative arrays. If somebody needs it, feel free to use it.

Code:
/**
 * stripslashes for associative arrays (model method; declared at file scope
 * this name would clash with PHP's built-in stripslashes())
 *
 * @access public
 * @param  mixed  array (nested arrays are handled too) or scalar
 * @return mixed  same shape as the input, keys preserved
 */
public function stripslashes($object)
{
    // Scalars are stripped directly, so a non-array input is not lost
    if (!is_array($object))
    {
        return stripslashes($object);
    }

    $output = array();

    foreach ($object as $key => $val)
    {
        // Recurse so nested form arrays are handled; keys are kept as they are
        $output[$key] = $this->stripslashes($val);
    }

    return $output;
}

