Form Input Not Being Escaped
[eluser]RMinor[/eluser]
I have a problem that I just noticed today. The data being submitted via my form and inserted into the database is not being escaped. Here is my model below: Code: /** The controller handling the form is below: Code: /** I hope this is something I am doing wrong and not a bug in CodeIgniter.
[eluser]paulo_cv[/eluser]
Why not use Active Record instead of the manual query? Active Record escapes everything by default. http://ellislab.com/codeigniter/user-gui...ecord.html Then you wouldn't need to escape each and every one of your form inputs but rather escape the insert query.
[eluser]RMinor[/eluser]
I thought the input was escaped automatically when using query bindings? Sometimes I use active record and sometimes I don't. I guess it just depends on my mood that day.
[eluser]paulo_cv[/eluser]
Interesting... maybe somebody else can be more helpful. I pretty much only use Active Record. I read this though: Quote: $this->db->escape() This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to: $sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")"; http://ellislab.com/codeigniter/user-gui...eries.html Maybe it's not what you're looking for.
[eluser]RMinor[/eluser]
I did see that in the User Guide, but then I read this about using bindings: Code: Query Bindings
[eluser]RMinor[/eluser]
Anybody have any ideas on why my data is not being escaped using query bindings? I re-wrote one of my queries with active record and it escaped perfectly. I really hope I don't have to re-write every single query that I did not write in active record now.
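Since the model and controller code in the opening post did not survive, here is an added example (not from the thread or from CodeIgniter's own source) of the one thing that decides whether query bindings protect you: the value must be passed as a bind in the second argument of query(), with a ? placeholder in the SQL. A variable interpolated straight into the SQL string is never touched. The compile_binds() and escape_value() helpers below are hypothetical stand-ins that mimic what the driver does with positional ? markers, so the effect can be seen without a database; the hostile input is constructed for the example. One practical check worth knowing: a correctly bound value arrives in the table exactly as the user typed it (with its quote, and no backslash), because the backslashes exist only in the SQL text sent to the server. Looking for backslashes in the stored rows is therefore not a valid test of whether escaping happened; inspect the compiled SQL (for instance via $this->db->last_query()) or try a value containing a single quote and confirm the insert still succeeds.

```php
<?php
// Added example, not code from the original thread or from CodeIgniter.
// escape_value() and compile_binds() are simplified, hypothetical stand-ins
// for what $this->db->query($sql, $binds) does with '?' placeholders.

// Escape one value the way a driver's escape() would: backslash the
// SQL-significant characters in strings and wrap the result in single
// quotes; pass numbers through, map NULL and booleans to SQL literals.
function escape_value($value)
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    // Backslash is replaced first so later replacements are not re-escaped.
    $escaped = str_replace(
        ["\\",   "\0",   "\n",  "\r",  "'",   '"',   "\x1a"],
        ["\\\\", "\\0",  "\\n", "\\r", "\\'", '\\"', "\\Z"],
        (string) $value
    );
    return "'" . $escaped . "'";
}

// Replace each positional '?' with the corresponding escaped bind value.
// Caveat (same as the real thing): a literal '?' inside the SQL text itself
// is also treated as a placeholder, so do not put one in a string constant.
function compile_binds($sql, array $binds)
{
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($binds)) {
        throw new InvalidArgumentException('placeholder/bind count mismatch');
    }
    $out = $parts[0];
    foreach (array_values($binds) as $i => $value) {
        $out .= escape_value($value) . $parts[$i + 1];
    }
    return $out;
}

// Constructed hostile form input: a quote followed by more SQL.
$name = "O'Brien'); DROP TABLE users; --";

// Pattern 1: variable interpolated into the SQL. Nothing is escaped; the
// quote in the input closes the string literal and the rest becomes SQL.
$interpolated = "INSERT INTO users (name) VALUES ('$name')";

// Pattern 2: '?' placeholder with the value passed separately. The quote is
// escaped and the whole input stays inside a single string literal.
$bound = compile_binds("INSERT INTO users (name) VALUES (?)", [$name]);

echo "interpolated: ", $interpolated, PHP_EOL;
echo "bound:        ", $bound, PHP_EOL;
// bound: INSERT INTO users (name) VALUES ('O\'Brien\'); DROP TABLE users; --')
```

In CodeIgniter the equivalent of pattern 2 is $this->db->query("INSERT INTO users (name) VALUES (?)", array($name)); if the model builds the statement with "'$name'" or string concatenation and calls query() with a single argument, no binding and no escaping takes place.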
[eluser]royduin[/eluser]
Just a comment to your code. Why do you do this? Code: // Assign user input to an array Just do this: Code: $insert_data = $this->input->post(); It's already an array!
[eluser]RMinor[/eluser]
I guess from following tutorials that is what I thought needed to be done. I will do what you recommended from now on. Much simpler and cleaner. Thanks! [quote author="royduin" date="1349263329"]Just a comment to your code. Why do you do this? Code: // Assign user input to an array Just do this: Code: $insert_data = $this->input->post(); It's already an array![/quote]
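One caveat to the shortcut above, added here and not part of either post: handing the entire POST array to an insert means the client decides which columns are written. Anyone can add a field such as is_admin to the request body. Whitelisting the expected keys before the insert keeps the array idiom while closing that hole. The helper name and the sample POST data below are constructed for this example.

```php
<?php
// Added example, not code from the original thread or from CodeIgniter.
// Hypothetical helper: keep only the POST keys the form is expected to send.

// Return the subset of $post whose keys appear in $allowed, in the order of
// $allowed, so unexpected fields never reach the insert.
function only_allowed_fields(array $post, array $allowed)
{
    $clean = [];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $post)) {
            $clean[$key] = $post[$key];
        }
    }
    return $clean;
}

// Constructed request body: the two fields the form has, plus one a user
// added by editing the request.
$post = [
    'username' => 'rminor',
    'email'    => 'rminor@example.com',
    'is_admin' => '1',
];

$insert_data = only_allowed_fields($post, ['username', 'email']);

print_r($insert_data);
// Only username and email survive; is_admin is dropped before the insert.
```

In a controller this replaces $insert_data = $this->input->post(); with $insert_data = only_allowed_fields($this->input->post(), array('username', 'email')); before passing the array to the model. The escaping done by Active Record or by bindings protects the SQL, not the choice of columns, so both measures are needed.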
[eluser]johnpeace[/eluser]
One of the advantages to the activerecord class is automagic escaping of insert/update data: http://ellislab.com/codeigniter/user-gui...tml#insert
[eluser]RMinor[/eluser]
Okay, thanks everyone for the replies. I guess it's time to go back and start re-writing all my queries.