To my understanding, you would like to store user-submitted text in a database, and then later display it on a page -- kind of like a basic commenting system or something. You just don't want any naughty/incomplete HTML characters breaking your page when outputting it.

Whenever you have user-submitted data, you want to utilize the form_validation library to clean it up and sanitize it as much as possible as a good security measure. If it goes to your database, you should use Active Record or Query Binding to get additional security from CodeIgniter, such as escaping the strings, etc.

Let me show my solution on submitting and outputting user's input on a website. There are probably better ways to do this, but this will get the job done.

```php
<?php
/* Controller **************************************************/
class Something extends CI_Controller {

    function comments_or_whatever()
    {
        // Required -> trim value -> max_length of 100 -> strip HTML tags -> remove additional HTML entities missed by strip_tags
        $this->form_validation->set_rules('input_1', 'The First User Input', 'required|trim|max_length[100]|xss_clean|strip_tags|callback__remove_html_entities');
        $this->form_validation->set_rules('input_2', 'The Second User Input', 'trim|exact_length[11]|xss_clean|strip_tags|callback__remove_html_entities');

        if ($this->form_validation->run() == FALSE) {
            // form didn't validate: display the error messages and try again
            $this->load->view('your_view');
        } else {
            $input_1 = $this->input->post('input_1');
            $input_2 = $this->input->post('input_2');

            $submission_array = array(
                'db_field_1' => $input_1,
                'db_field_2' => $input_2
            );

            $this->load->model('comments');
            $result = $this->comments->submit_comments_or_whatever($submission_array);

            if ($result['is_true'] == TRUE) {
                // creates a temporary flash message and redirects to current page
                // if on a Windows server use 'refresh' instead of 'location'
                $this->session->set_flashdata('message', '<div class="message">'.$result['message'].'</div>');
                redirect('something', 'location');
            } else {
                $data['message'] = $result['message'];
                $this->load->view('your_view', $data);
            }
        }
    }

    // Very important to get rid of HTML entities written as HTML number codes such as &#60 etc. strip_tags does not do this.
    // This is privately called during validation from the callback__remove_html_entities custom callback
    function _remove_html_entities($submission)
    {
        $submission = preg_replace("/&#?[a-z0-9]{2,8};/i", "", $submission);
        return $submission;
    }
}
```

```php
<?php
/* Model ****************************************/
class Comments extends CI_Model {

    function submit_comments_or_whatever($submission_array)
    {
        // Active Record escapes strings and does additional security
        $query = $this->db->insert('comments', $submission_array);

        if ($query == TRUE) {
            $data['is_true'] = TRUE;
            $data['message'] = 'Your message has been successfully shared!';
            return $data;
        } else {
            $data['is_true'] = FALSE;
            $data['message'] = 'Sorry, but there was an error dude inserting your message into the database.';
            return $data;
        }
    }
}
```

```php
<?php /* View -> your_view.php ****************************************/ ?>
<?php echo validation_errors('<div class="message">', '</div>'); ?>
<?php echo $this->session->flashdata('message'); ?>
<?php if (!empty($message)) echo '<div class="message">'.$message.'</div>'; ?>

<?php echo form_open('something/comments_or_whatever'); ?>

<?php echo form_label('The First User Input', 'input_1'); ?><br>
<?php $input_1_form = array('name' => 'input_1', 'id' => 'input_1', 'value' => set_value('input_1')); ?>
<?php echo form_input($input_1_form); ?><br>

<?php echo form_label('The Second User Input', 'input_2'); ?><br>
<?php $input_2_form = array('name' => 'input_2', 'id' => 'input_2', 'value' => set_value('input_2')); ?>
<?php echo form_input($input_2_form); ?><br>

<?php echo form_submit('submit', 'Dude, submit my user inputed text!'); ?>
<?php echo form_close(); ?>
```

This code assumes you autoload the Form Validation, Sessions, and Database libraries and the Form Helper. Now, all your user-inputted data is stripped to a bare minimum of plain text using a custom regular-expression callback during form validation. All naughty HTML characters are gone/sanitized, completely. You can now be worry-free to output the submitted data anywhere you'd like on a webpage without it breaking or being a security concern.

The problem with just doing htmlspecialchars() and html decode is it doesn't account for incomplete HTML tags. Hopefully this helps, best of luck dude, and as always, nothing is ever completely secure.
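The following is an added example, not code from the answer above or from CodeIgniter. It reproduces the answer's sanitizing chain (trim, strip_tags, and the same entity-stripping regex) as plain PHP functions so the chain's behaviour on edge cases can be inspected outside the framework; the function names `remove_html_entities`, `sanitize_like_answer` and `render_safely` and the sample submissions are this example's own. It also applies `htmlspecialchars()` at output time, which is an addition for defence in depth rather than part of the answer's method.

```php
<?php
// Added example: the answer's sanitizing chain reproduced outside CodeIgniter
// so its effect on edge cases can be seen. Function names are this example's own.

function remove_html_entities(string $submission): string
{
    // Same pattern as the answer's _remove_html_entities() callback:
    // removes "&name;" and "&#number;" forms that are terminated by a semicolon.
    return preg_replace('/&#?[a-z0-9]{2,8};/i', '', $submission);
}

function sanitize_like_answer(string $raw): string
{
    // Mirrors the rule order trim|strip_tags|callback__remove_html_entities.
    // CodeIgniter's xss_clean rule is framework-specific and is not reproduced here.
    $value = trim($raw);
    $value = strip_tags($value);
    return remove_html_entities($value);
}

function render_safely(string $stored): string
{
    // Defence in depth (this example's addition): encode at output time as well,
    // so anything the input-side filter let through is rendered as text, not markup.
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions (not real user data).
$samples = [
    'plain'          => '  Hello, world!  ',
    'full tag'       => '<b>bold</b> text',
    'incomplete tag' => 'an unclosed <i tag in the middle',
    'entity with ;'  => 'less-than: &#60; and amp: &amp;',
    'entity no ;'    => 'no semicolon: &#60 is not matched by the regex',
];

foreach ($samples as $label => $raw) {
    $stored = sanitize_like_answer($raw);
    printf("%-15s stored=%-50s output=%s\n",
        $label, json_encode($stored), render_safely($stored));
}
```

Running this shows two things worth knowing about the chain: `strip_tags()` drops everything from an unclosed `<` to the end of the string, so an incomplete tag costs you the rest of the submission rather than breaking the page, and the regex only removes entity forms that end in a semicolon, so a bare `&#60` passes through to the database. Encoding on output, as `render_safely()` does, covers that second case.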