Form Input Not Being Escaped
#1

[eluser]RMinor[/eluser]
I have a problem that I just noticed today. The data being submitted via my form and inserted into the database is not being escaped.

Here is my model below:
Code:
/**
* Method to add a product.
* @param $insert_data array
* @return integer or boolean
*/
public function add($insert_data)
{
    // Make sure data to be inserted is an array
    if (!is_array($insert_data)) {
        throw new Exception('Insert data must be an array.');
    }
    $query = $this->db->query("INSERT INTO product (
        product_sku,
        product_name,
        product_category,
        product_description,
        product_price,
        product_date,
        product_notw_description,
        product_notw_headline) VALUES (?, ?, ?, ?, ?, ?, ?, ?)", array(
            $insert_data['sku'],
            $insert_data['name'],
            $insert_data['category'],
            $insert_data['description'],
            $insert_data['price'],
            $insert_data['notw_date'],
            $insert_data['notw_description'],
            $insert_data['notw_headline']
        ));
    if ($this->db->affected_rows() == 1) {
        $insert_id = $this->db->insert_id();
        return $insert_id;
    }
    return FALSE;
}

The controller handling the form is below:
Code:
/**
* Method for adding a new product.
*/
public function add()
{
    // Retrieve all product categories
    $data['categories'] = $this->Dashboard_model->getCategories();
    // Set the product added and photo uploaded variables to false
    $data['product_added'] = FALSE;
    $data['photos_uploaded'] = FALSE;
    // Load the form validation library
    $this->load->library('form_validation');
    // Check if the submit button was pressed
    if ($this->input->post('submit')) {
        // Set form validation rules
        $this->form_validation->set_rules('sku', 'Product SKU', 'trim|required');
        $this->form_validation->set_rules('name', 'Product Name', 'trim|required');
        $this->form_validation->set_rules('category', 'Product Category', 'trim|required');
        $this->form_validation->set_rules('description', 'Product Description', 'trim|required');
        $this->form_validation->set_rules('price', 'Product Price', 'trim|required');
        // Only continue when form validation passes
        if ($this->form_validation->run() !== FALSE) {
            // Assign user input to an array
            $insert_data['sku'] = $this->input->post('sku');
            $insert_data['name'] = $this->input->post('name');
            $insert_data['category'] = $this->input->post('category');
            $insert_data['description'] = $this->input->post('description');
            $insert_data['price'] = $this->input->post('price');
            $insert_data['notw_date'] = $this->input->post('notw_date');
            $insert_data['notw_description'] = $this->input->post('notw_description');
            $insert_data['notw_headline'] = $this->input->post('notw_headline');
            // If insertion into database succeeds
            if ($id = $this->Products_model->add($insert_data)) {
                // Make sort order 1 and add 1 to the rest
                if ($this->Products_model->updateSortOrder($id, $insert_data['category'])) {
                    // Set product added variable to true
                    $data['product_added'] = TRUE;
                }
                // If processing of photo succeeds
                if ($photo_info = $this->_process_upload()) {
                    // if insertion into database succeeds
                    if ($this->Products_model->addPhoto($id, $photo_info['photo'], $photo_info['thumb'])) {
                        // Set the photos uploaded variable to true
                        $data['photos_uploaded'] = TRUE;
                    }
                }
            }
        }
    }
    // Load the required view
    $this->load->view('admin/add_product_view', $data);
}

I hope this is something I am doing wrong and not a bug in CodeIgniter.
#2

[eluser]paulo_cv[/eluser]
Why not use Active Record instead of the manual query? Active Record escapes everything by default.

http://ellislab.com/codeigniter/user-gui...ecord.html

Then you wouldn't need to escape each and every one of your form inputs but rather escape the insert query.
#3

[eluser]RMinor[/eluser]
I thought the input was escaped automatically when using query bindings? Sometimes I use active record and sometimes I don't. I guess it just depends on my mood that day.
#4

[eluser]paulo_cv[/eluser]
Interesting... maybe somebody else can be more helpful. I pretty much only use active record.
I read this though:

Quote:$this->db->escape() This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to: $sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";

http://ellislab.com/codeigniter/user-gui...eries.html

Maybe it's not what you're looking for :)
#5

[eluser]RMinor[/eluser]
I did see that in the User Guide, but then I read this about using bindings:

Code:
Query Bindings

Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";

$this->db->query($sql, array(3, 'live', 'Rick'));

The question marks in the query are automatically replaced with the values in the array in the second parameter of the query function.

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.
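The thread turns on what "automatically escaped" means for a bound value. The following is an added example, not code from this thread or from CodeIgniter: it uses plain PDO with an in-memory SQLite database (a constructed `product` table with two columns and constructed sample values) to show that the escaping lives only in the statement text sent to the database, the stored row is the unmodified input, and escaping for an HTML view is a separate step done at render time. `build_product_store`, `add_product`, `get_product` and `h` are names chosen for this example.

```php
<?php
// Added example (not from the thread or CodeIgniter). Requires the pdo_sqlite extension.
// The table layout and all sample values below are constructed for this demonstration.

function build_product_store(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE product (
        id INTEGER PRIMARY KEY,
        product_name TEXT NOT NULL,
        product_notw_headline TEXT NOT NULL)');
    return $pdo;
}

// Insert with bound parameters: the values never become part of the SQL text,
// so a quote inside the data cannot terminate the string literal in the statement.
function add_product(PDO $pdo, string $name, string $headline): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO product (product_name, product_notw_headline) VALUES (?, ?)'
    );
    $stmt->execute([$name, $headline]);
    return (int) $pdo->lastInsertId();
}

function get_product(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare(
        'SELECT product_name, product_notw_headline FROM product WHERE id = ?'
    );
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Escaping for an HTML view: a different job from SQL escaping, done when rendering.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$pdo      = build_product_store();
$name     = "O'Reilly's Widget";                  // constructed: contains single quotes
$headline = '<b>50% off</b> & "free" shipping';   // constructed: contains HTML characters

$id  = add_product($pdo, $name, $headline);
$row = get_product($pdo, $id);

// 1. The stored value equals the submitted value byte for byte: no backslashes were
//    added, because the escaping only ever existed in the statement, not in the data.
echo "stored name matches input: " . var_export($row['product_name'] === $name, true) . PHP_EOL;

// 2. This is what an escaped literal looks like if the value is placed into SQL text
//    instead of bound. SQLite doubles the quote; MySQL's escaper would use a backslash.
//    Either way the extra characters are consumed by the SQL parser, never stored.
echo "escaped SQL literal: " . $pdo->quote($name) . PHP_EOL;

// 3. Output encoding for the view is applied to the raw stored value at render time.
echo "rendered headline:   " . h($row['product_notw_headline']) . PHP_EOL;
```

Running this prints `true` for the first check, the quoted literal `'O''Reilly''s Widget'` for the second, and `&lt;b&gt;50% off&lt;/b&gt; &amp; &quot;free&quot; shipping` for the third. Looking into the table for backslashes is therefore not a way to tell whether bindings worked; comparing the stored value with the input, and checking that output is encoded where it is displayed, is.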
#6

[eluser]RMinor[/eluser]
Anybody have any ideas on why my data is not being escaped using query bindings? I re-wrote one of my queries with active record and it escaped perfectly. I really hope I don't have to re-write every single query that I did not write in active record now.
#7

[eluser]royduin[/eluser]
Just a comment to your code. Why do you do this?
Code:
// Assign user input to an array
$insert_data['sku'] = $this->input->post('sku');
$insert_data['name'] = $this->input->post('name');
$insert_data['category'] = $this->input->post('category');
$insert_data['description'] = $this->input->post('description');
$insert_data['price'] = $this->input->post('price');
$insert_data['notw_date'] = $this->input->post('notw_date');
$insert_data['notw_description'] = $this->input->post('notw_description');
$insert_data['notw_headline'] = $this->input->post('notw_headline');

Just do this:
Code:
$insert_data = $this->input->post();

It's already an array!
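Taking the whole POST array is shorter, but it also means the client decides which keys end up in `$insert_data`, which matters as soon as that array is handed to an insert that maps every key to a column. The following is an added example, not code from this thread or from CodeIgniter: a plain-PHP function `product_insert_data` (a name chosen here) that keeps only the fields the product form is meant to submit, using the field names from this thread, with a constructed POST body for the demonstration.

```php
<?php
// Added example (not from the thread or CodeIgniter): restrict a submitted POST array
// to the product form's own fields before it is used for an INSERT.

function product_insert_data(array $post): array
{
    // Only these keys may reach the INSERT; anything else the client sends is dropped.
    $allowed = ['sku', 'name', 'category', 'description', 'price',
                'notw_date', 'notw_description', 'notw_headline'];

    $data = array_intersect_key($post, array_flip($allowed));

    // Always produce the same column list, so the model's query never sees a missing key.
    foreach ($allowed as $field) {
        if (!array_key_exists($field, $data)) {
            $data[$field] = null;
        }
    }

    // A nested value (e.g. a field submitted as name[]) is not a valid column value;
    // fail loudly rather than let it be cast to the string "Array".
    foreach ($data as $field => $value) {
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("Field '$field' must be a scalar value.");
        }
    }

    return $data;
}

// Constructed POST body: the form's fields plus two keys the form never defines.
$post = [
    'sku'         => 'NOTW-001',
    'name'        => "O'Reilly's Widget",
    'category'    => '3',
    'description' => 'A widget.',
    'price'       => '9.99',
    'submit'      => 'Add product',   // the submit button is not a column
    'sort_order'  => '0',             // an extra, client-chosen key is dropped as well
];

$insert_data = product_insert_data($post);
print_r($insert_data);

// In the controller from this thread the result would be used exactly as before,
// e.g. $this->Products_model->add($insert_data);
```

The printed array contains the eight product fields and nothing else, with `notw_date`, `notw_description` and `notw_headline` set to `null` because the constructed request did not include them. With the model's explicit column list this filtering is belt and braces; with an Active Record style `insert($table, $data)` call, where each array key becomes a column name, it is what keeps the set of written columns under the application's control rather than the client's.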
#8

[eluser]RMinor[/eluser]
I guess from following tutorials that is what I thought needed to be done. I will do what you recommended from now on. Much simpler and cleaner. Thanks!

[quote author="royduin" date="1349263329"]Just a comment to your code. Why do you do this?
Code:
// Assign user input to an array
$insert_data['sku'] = $this->input->post('sku');
$insert_data['name'] = $this->input->post('name');
$insert_data['category'] = $this->input->post('category');
$insert_data['description'] = $this->input->post('description');
$insert_data['price'] = $this->input->post('price');
$insert_data['notw_date'] = $this->input->post('notw_date');
$insert_data['notw_description'] = $this->input->post('notw_description');
$insert_data['notw_headline'] = $this->input->post('notw_headline');

Just do this:
Code:
$insert_data = $this->input->post();

It's already an array![/quote]
#9

[eluser]johnpeace[/eluser]
One of the advantages to the activerecord class is automagic escaping of insert/update data:

http://ellislab.com/codeigniter/user-gui...tml#insert
#10

[eluser]RMinor[/eluser]
Okay, thanks everyone for the replies. I guess it's time to go back and start re-writing all my queries.
