4

I have recently added a comments section to a blog. Codeigniter says to always escape data before putting it into the Db.(I do have xss clean on fulltime). Some people say all active record operations are escaped. Am I wasting my time using escape on the function below?

Using the function below I escape the data, but it all comes out into the view escaped. How do you "un-escape" data so it will be readable without the ' '? I dont want to use a regex to delete every '' in case its used in a sentence

I guess my real question is, are active records always escaped or not?

ie: Author comes out 'Name'

 function comment_insert()
{
$data = array
(
    'entry_id' => $this->db->escape($this->input->post('entry_id')),
    'ip' => $this->db->escape($this->input->post('ip')),
    'date' => $this->input->post('date'),
    'comment' => $this->db->escape($this->input->post('comment')),
    'author' => $this->db->escape($this->input->post('author')),
    'email' => $this->db->escape($this->input->post('email'))
);

$this->form_validation->set_rules('ip', 'IP', 'required|trim|valid_ip');//check
$this->form_validation->set_rules('entry_id', 'Entry ID', 'required|trim|numeric');
$this->form_validation->set_rules('date', 'Date', 'required|trim');
$this->form_validation->set_rules('comment', 'Comment',   'required|trim|max_length[600]');
$this->form_validation->set_rules('author', 'Name',  'required|trim|alpha_dash');
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');

if ($this->form_validation->run() == TRUE) 
{
    $this->db->limit(1);
    $this->db->insert('comments', $data);
    redirect('main/blog_view/'.$_POST['entry_id']);
} else 
{
   redirect('main/blog_view/'.$_POST['entry_id']);
}   
}

Thank you

Improve this question

1 Answer 1

Reset to default
7

According to the CodeIgniter User guide for the Active Record functions in the Database Class: http://codeigniter.com/user_guide/database/active_record.html

Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system. (emphasis added)

So yes, you're wasting your time. As long as you use Active Record, your data are automatically escaped.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thnak you. Once you start reading and see things like this ($this-db->where()) "Note: All values passed to this function are escaped automatically, producing safer queries." its easy to forget that it is escaped anyways. I appreciate your answer
It has to be noted that for complex sql queries its not always possible to use active records methods , especially when we are referring more than one table and have sub queries within the query.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.