I am using the following code to allow me to add data to my db, but it seems $this->db->escape() is not working, as I can add HTML tags and they will run in the view :(
Code:
$this->form_validation->set_rules('aPartyLocation', 'A Party Location', 'required|trim|prep_for_form|max_length[35]|xss_clean');
$this->form_validation->set_rules('aPartyPhone', 'A Party Phone', 'required|trim|numeric|max_length[35]|xss_clean');
if ($this->form_validation->run() === TRUE)
{
    $userData = array(
        'location' => $this->input->post('aPartyLocation', TRUE),
        'phone'    => $this->input->post('aPartyPhone', TRUE)
    );
    $this->db->escape($userData);   // return value is discarded; escape() does not change $userData
    $this->party_model->addAParty($userData);
}
Update:
Controller:
$userData = array(
    'id'       => $id,
    'location' => html_escape($this->input->post('aPartyLocation', TRUE)),
    'phone'    => html_escape($this->input->post('aPartyPhone', TRUE))
);
Model:
function addAParty($userData = NULL)
{
    $this->db->insert('aParty', $userData);
    return TRUE;
}
I would recommend you use CodeIgniter's Active Record class. This automatically escapes data for you.
For example, an insert statement would look like:
$this->db->insert('yourTable', array(
    'location' => $this->input->post('aPartyLocation', TRUE),
    'phone'    => $this->input->post('aPartyPhone')
));
The second argument is an array where the keys correspond to the columns in your database.
Edit
I believe Active Record only sanitizes data for SQL injection attacks. Passing the second parameter to $this->input->post() as TRUE protects you from XSS attacks. However, neither of those escapes HTML tags. For that, you can use the htmlspecialchars function.
$this->db->insert('yourTable', array(
    'location' => htmlspecialchars($this->input->post('aPartyLocation', TRUE)),
    'phone'    => htmlspecialchars($this->input->post('aPartyPhone'))
));
$location = $this->input->post('aPartyLocation', TRUE);
$phone    = $this->input->post('aPartyPhone');
$this->db->insert('yourTable', array(
    'location' => htmlspecialchars($location),
    'phone'    => htmlspecialchars($phone)
));
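An added example (it is not code from the question, the answers, or CodeIgniter itself) that separates the two things being conflated in this thread: SQL escaping, which is what a database escape function does and which the query builder already handles by binding values, and HTML output encoding, which is the only thing that stops a stored <script> tag from running in a view. It also shows why the original $this->db->escape($userData) call appeared to do nothing: an escape function returns a new quoted string and leaves its argument untouched. The function names sqlQuote, h and renderRow and the sample input are my own.

```php
<?php
// Added example, not from the original page or from CodeIgniter.
// sqlQuote() stands in for a DB driver's escape function (uses addslashes() purely
// for illustration; do not build real queries this way, bind parameters instead).
function sqlQuote(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// HTML-context encoding for text nodes and double-quoted attribute values.
// CodeIgniter's html_escape() helper (used in the question's update) wraps the same call.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode at the output boundary, every time the value is printed into HTML.
function renderRow(array $row): string
{
    return '<td>' . h($row['location']) . '</td><td>' . h($row['phone']) . '</td>';
}

// Constructed input standing in for $this->input->post(...) in the question.
$userData = array(
    'location' => '<script>alert(1)</script>',
    'phone'    => "555-0100' OR '1'='1",
);

// 1. What the question's code did: the return value is thrown away, so the array
//    still holds the raw value afterwards.
sqlQuote($userData['location']);
var_dump($userData['location'] === '<script>alert(1)</script>');

// 2. Even when the return value is used, SQL quoting does nothing to the <script> tag;
//    it only deals with quote characters, which is the wrong problem for a view.
echo sqlQuote($userData['location']), "\n";
echo sqlQuote($userData['phone']), "\n";

// 3. Output encoding is what makes the browser treat the markup as text.
echo renderRow($userData), "\n";
```

The first var_dump prints bool(true): escaping never modified the array. The sqlQuote output still contains the literal <script> tag, and renderRow is the only step that neutralises it. Storing the raw value and encoding in the view (rather than calling html_escape() before insert, as the question's update does) keeps the data usable for non-HTML consumers and avoids double encoding when a view helper escapes again.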
Here is my rule:
Table name is: company_info
I have only two fields, CompanyID and Telephone.
In the update section, I want to check whether the telephone number exists for other columns, and if the own field has it I don't want to check it. (Currently it checks the own data and returns that the telephone number was taken already.)
'Telephone' => 'unique:company_info',
Then I tried the rules below.
But I miss in the
'Telephone' => 'unique|unique:company_info,CompanyID,'.$companyid,
or
'Telephone' => 'unique|unique:company_info,Telephone,'.$companyid,
or
'Telephone' => 'unique|unique:company_info,Telephone,'.$Telephone,
Here is my code:
$companyid = Input::get('CompanyID');
$Telephone = Input::get('Telephone');
$rule = array(
    'Telephone' => 'unique|unique:company_info,CompanyID,'.$companyid
);
$validator = Validator::make($data, $rule);
if ($validator->fails())
{
    $messages = $validator->messages()->first('Telephone');
    return "0" . "||" . $messages;
}
During the update query I need to check the unique rule except for the given id.
I referred to this one: http://laravel.com/docs/4.2/validation#rule-unique
But I am not getting a return on $validator = Validator::make($data,$rule);
How can I check for the unique value except the own column?
I believe you have the wrong syntax for unique validation.
It should be
'Telephone' => 'unique:company_info,CompanyID,'.$companyid
or
'Telephone' => 'required|unique:company_info,CompanyID,'.$companyid
and not
'Telephone' => 'unique|unique:company_info,CompanyID,'.$companyid
You can try this, as Laravel validation provides various features.
$companyid = Input::get('CompanyID');
$Telephone = Input::get('Telephone');
$data = array('companyid' => $companyid, 'Telephone' => $Telephone);

// FOR INSERTING NEW DATA: no row to ignore, so a plain unique check is enough
$rule = array(
    'Telephone' => 'required|unique:company_info,Telephone'
);
$validator = Validator::make($data, $rule);

// FOR UPDATING EXISTING DATA: put this static method in the model class.
// The third parameter is the value to ignore; the column it is matched against
// defaults to 'id' unless a fourth parameter names it.
public static function rule($id, $merge = [])
{
    return array_merge(
        [
            'Telephone' => 'required|unique:company_info,Telephone,' . $id,
        ],
        $merge
    );
}
$validator = Validator::make($data, self::rule($id));
Comment for errors...
Try the following code:
'Telephone' => 'unique:company_info,Telephone,'.$companyid.',CompanyID',
The general form of the rule is:
{rule} => 'unique:{table_name},{unique_column_name},{except_column_value},{except_column_name}'
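An added example, not code from the thread or from Laravel's validator, that models in plain PHP what the four-parameter rule above checks, so the insert case and the "ignore my own row" update case can be compared without a Laravel install. The query is the whole point: the second rule parameter is the column that must be unique (Telephone), the third is the value to ignore, and the fourth is the column that value is compared against (CompanyID, since this table has no id column). The table, rows and the function names telephoneIsAvailable and buildUniqueRule are my own constructions; SQLite in memory stands in for MySQL.

```php
<?php
// Added example, not from the original page or from Laravel.
// Returns true when $telephone is free to use. With $exceptCompanyId set, the row
// being edited is ignored, which is exactly what the fourth rule parameter arranges.
function telephoneIsAvailable(PDO $db, string $telephone, ?string $exceptCompanyId = null): bool
{
    $sql = 'SELECT COUNT(*) FROM company_info WHERE Telephone = :tel';
    if ($exceptCompanyId !== null) {
        $sql .= ' AND CompanyID <> :id';
    }
    // Values are bound, never concatenated into the statement.
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':tel', $telephone);
    if ($exceptCompanyId !== null) {
        $stmt->bindValue(':id', $exceptCompanyId);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn() === 0;
}

// Builds the rule string in the layout shown above:
// unique:{table},{unique column},{except value},{except column}
function buildUniqueRule(string $table, string $column, ?string $exceptValue = null, string $exceptColumn = 'id'): string
{
    return $exceptValue === null
        ? sprintf('unique:%s,%s', $table, $column)
        : sprintf('unique:%s,%s,%s,%s', $table, $column, $exceptValue, $exceptColumn);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE company_info (CompanyID INTEGER PRIMARY KEY, Telephone TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO company_info VALUES (1, '555-0100'), (2, '555-0200')");

// Update of company 1 keeping its own number (the case the question is about).
var_dump(telephoneIsAvailable($db, '555-0100', '1'));
// Update of company 2 trying to take company 1's number.
var_dump(telephoneIsAvailable($db, '555-0100', '2'));
// Insert of a new number, then insert of one that already exists.
var_dump(telephoneIsAvailable($db, '555-0300'));
var_dump(telephoneIsAvailable($db, '555-0200'));

echo buildUniqueRule('company_info', 'Telephone'), "\n";
echo buildUniqueRule('company_info', 'Telephone', '1', 'CompanyID'), "\n";
```

The four checks return true, false, true, false in that order. The two printed rule strings are the insert and update forms; note that the update form names CompanyID explicitly, because without the fourth parameter the ignored column defaults to id, which this table does not have.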
I'm trying to validate this input:
$values = [
'id' => $input['id'][$i],
'template_id' => $input['template_id'][$i],
'schedulable_id' => $id,
'schedulable_type' => $type,
'order_by' => $i
];
Against these rules found in my Schedule class:
public static $rules = [
'template_id' => 'required|integer|exists:templates,id',
'schedulable_id' => 'required|integer',
'schedulable_type' => 'required|in:Item,Order',
'order_by' => 'integer'
];
When I do the following, I always get an array to string conversion error in "/laravel/vendor/laravel/framework/src/Illuminate/Validation/Validator.php" on line 905:
$validator = Validator::make($values, Schedule::$rules);
if ($validator->fails()) {
$errors[$i] = $validator->messages();
continue;
}
Why would this be happening?
Just discovered I had Ardent's $forceEntityHydrationFromInput = true and my input cannot be pulled directly from Input for validation purposes due to the fact that it is submitted as an array of partially referenced values.
To fix this, change to $forceEntityHydrationFromInput = false and use standard input validation procedure instead of relying on Ardent's magic.
Sometimes clever packages are too clever.
I'm not sure if the title of this question is necessarily the accurate description of what I need to do, but I'll go ahead and ask my question and see what everyone thinks...
Basically, I am receiving data from a source that I have no control over, and I need to transpose it into a suitable format for inserting into my database using CakePHP. So, here's how I'm doing it:
public function submitApp($data) {
    $array = array(
        'Student' => array(
            'name'    => $data['name'],
            'email'   => $data['email'],
            'phone'   => $data['phone'],
            'address' => $data['address'],
            'dob'     => $data['dob'],
            'gender'  => $data['gender']
        ),
        'Application' => array(
            'course_id' => $data['course_id'],
            'question1' => $data['question1'],
            'question2' => $data['question2'],
            'question3' => $data['question3'],
            'question4' => $data['question4'],
        ),
        'ApplicationQualification' => $data['Qualifications']
    );
    // Logic to save $array goes here
}
The problem is that sometimes not all of the keys in $data will be submitted to my app but I still want my app to work with what it gets.
I know that I can wrap each key in a conditional like this:
if (!isset($data['name'])) { $data['name'] = null; }
...and then building the array, but this seems like a pretty clumsy way of doing it. Is there a more efficient way to do this?
You could use a simple ternary statement
'name' => array_key_exists('name', $data) ? $data['name'] : null
Alternatively, you can set up a default array and then merge the given values in
$defaults = [
'name' => null,
'email' => null,
// etc
];
$data = array_merge($defaults, $data);
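An added example, not code from the question or the answer, that builds the nested save array from an untrusted and possibly incomplete $data. It adds two things a practitioner would want on top of the array_merge pattern above: array_intersect_key() drops any keys the external source sends that were never asked for, so an unexpected column cannot ride along into the save call, and the nested Qualifications list gets its own default because array_merge() is shallow. Field names follow the question; the function name buildApplication and the sample input are my own.

```php
<?php
// Added example, not from the original page or from CakePHP.
function buildApplication(array $data): array
{
    $studentDefaults = array(
        'name' => null, 'email' => null, 'phone' => null,
        'address' => null, 'dob' => null, 'gender' => null,
    );
    $applicationDefaults = array(
        'course_id' => null, 'question1' => null, 'question2' => null,
        'question3' => null, 'question4' => null,
    );

    // Whitelist first (keep only keys we know), then fill the gaps from the defaults.
    $student     = array_merge($studentDefaults, array_intersect_key($data, $studentDefaults));
    $application = array_merge($applicationDefaults, array_intersect_key($data, $applicationDefaults));

    // array_merge() does not recurse, so a missing or malformed nested list
    // needs its own default rather than a null that would break the save.
    $qualifications = (isset($data['Qualifications']) && is_array($data['Qualifications']))
        ? array_values($data['Qualifications'])
        : array();

    return array(
        'Student'                  => $student,
        'Application'              => $application,
        'ApplicationQualification' => $qualifications,
    );
}

// Constructed partial input: no phone/address/dob, no question3/question4,
// no Qualifications, plus an 'is_admin' key the source was never supposed to send.
$incoming = array(
    'name'      => 'Ada Lovelace',
    'email'     => 'ada@example.invalid',
    'gender'    => 'F',
    'course_id' => 7,
    'question1' => 'yes',
    'question2' => 'no',
    'is_admin'  => 1,
);

print_r(buildApplication($incoming));
```

In the printed result every missing field is present with a null value, ApplicationQualification is an empty array, and is_admin does not appear anywhere, because it matched neither whitelist.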
I am using $_POST to post data to a PHP file. In that PHP file, I have the following.
$params = array(
    'name'        => "$fname",
    'email'       => "$email",
    'ad_tracking' => 'test',
    'ip_address'  => '$_SERVER["REMOTE_ADDR"]',
);
$subscribers = $list->subscribers;
$new_subscriber = $subscribers->create($params);
What is the best way to use the $_POST data to define the values of each key in the array?
The use of $_SERVER["REMOTE_ADDR"] is also not working as hoped.
POST variables are passed via the super global array $_POST in PHP. So in your case, this would technically work:
$params = array(
    'name'        => $_POST['fname'],
    'email'       => $_POST['email'],
    'ad_tracking' => 'test',
    'ip_address'  => $_SERVER['REMOTE_ADDR'],
);
Your code for $_SERVER["REMOTE_ADDR"] was enclosed in single quotes, which in PHP means a verbatim string (i.e. without variable interpolation).
Btw, you should think of input filtering too - http://www.php.net/filter
To give you an example, this would perform input filtering in your current case:
$filtered = filter_input_array(INPUT_POST, array(
    'fname' => FILTER_SANITIZE_STRING,
    'email' => FILTER_VALIDATE_EMAIL,
));
Each value inside $filtered will either have a value (valid), be NULL (not present) or be false (invalid).
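An added example, not code from the answer above, applying the same filtering to a constructed array with filter_var_array() (filter_input_array() reads the live superglobals, so it cannot run offline). It also validates REMOTE_ADDR as an IP address instead of copying it through, and shows all three outcomes the answer describes: a valid value, NULL for a missing field and false for a present but invalid one. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the name is validated with a regular expression instead. The function name filterSubscriberInput and the two sample requests are my own.

```php
<?php
// Added example, not from the original page.
function filterSubscriberInput(array $post, array $server): array
{
    $fields = filter_var_array($post, array(
        // Validate rather than sanitize: reject names outside the allowed alphabet.
        'fname' => array(
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => array('regexp' => '/^[\p{L} \'.-]{1,100}$/u'),
        ),
        'email' => FILTER_VALIDATE_EMAIL,
    ));

    // REMOTE_ADDR is set by the web server, not by the client, but validating it is
    // cheap and catches a misconfigured proxy header being copied into it.
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);

    return array(
        'name'        => $fields['fname'],
        'email'       => $fields['email'],
        'ad_tracking' => 'test',
        'ip_address'  => $ip,
    );
}

// Constructed requests: one clean, one with a missing name, a bad e-mail and a bad address.
$good = filterSubscriberInput(
    array('fname' => 'Grace Hopper', 'email' => 'grace@example.invalid'),
    array('REMOTE_ADDR' => '203.0.113.7')
);
$bad = filterSubscriberInput(
    array('email' => 'not-an-address'),
    array('REMOTE_ADDR' => 'unknown')
);
var_dump($good);
var_dump($bad);

// Only hand the record to $subscribers->create() when every field validated;
// NULL (absent) and false (invalid) are both rejected.
$ok = $good['name'] !== null && $good['name'] !== false
   && $good['email'] !== null && $good['email'] !== false
   && $good['ip_address'] !== false;
var_dump($ok);
```

For $good every field carries its validated value and $ok is true. For $bad, name is NULL (the key was absent), email is false (present but invalid) and ip_address is false, which is why the caller must test for both NULL and false before using the array.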
Regarding "the use of $_SERVER["REMOTE_ADDR"] is also not working as hoped.":
Single quotes don't evaluate PHP variables.
$params = array(
    'name'        => $_POST["fname"],
    'email'       => $_POST["email"],
    'ad_tracking' => 'test',
    'ip_address'  => $_SERVER["REMOTE_ADDR"],
);
$subscribers = $list->subscribers;
$new_subscriber = $subscribers->create($params);
If I use methods such as insert and update in ZF, will I be safe (MySQL injection)?
For example, part of the code:
$data = array(
    'autor' => $autor,
    'title' => $title,
    'text'  => $text,
    'date'  => $date,
);
$news = new News();
$news->insert($data); // safe?
Similar question here:
How to prevent SQL Injection attack in applications programmed in Zend Framework?
Always make sure you sanitize user input values using mysql_real_escape_string
I think it will be fine just the way you have it. I mean, one of the advantages of using the PDO extension is to prevent SQL injection by using PHP instead of MySQL to query the database.
Here is more from devzone.zend.com
It's fine the way you are doing it. But be careful with MySQL expressions. There you should use a Zend_Db_Expr object:
$data = array(
    'author' => 'John Doe',
    'title'  => 'Headline goes here',
    'text'   => 'The content...',
    'date'   => new Zend_Db_Expr('NOW()') // <--- use this for SQL expressions
);
$news = new News();
$news->insert($data);
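An added example, not code from the thread or from Zend Framework, that does the same insert with PDO and bound parameters to make both halves of the answer concrete: bound values travel as data, so a hostile $title cannot alter the statement, and for the very same reason the string 'NOW()' is stored as those five characters, which is why an SQL expression has to be passed as an expression (the role Zend_Db_Expr plays) rather than as a value. SQLite's datetime('now') stands in for MySQL's NOW(); the table, the rows and the function name insertNews are my own.

```php
<?php
// Added example, not from the original page or from Zend Framework.
// $data: column => value, bound as parameters (user input goes here).
// $rawExpressions: column => SQL fragment spliced in verbatim; only code-controlled
// fragments may ever be passed here, which is the contract Zend_Db_Expr expresses.
function insertNews(PDO $db, array $data, array $rawExpressions = array()): int
{
    $columns = array_merge(array_keys($data), array_keys($rawExpressions));
    $placeholders = array_merge(
        array_map(function ($c) { return ':' . $c; }, array_keys($data)),
        array_values($rawExpressions)
    );
    $sql = sprintf('INSERT INTO news (%s) VALUES (%s)',
        implode(', ', $columns), implode(', ', $placeholders));
    $stmt = $db->prepare($sql);
    foreach ($data as $column => $value) {
        $stmt->bindValue(':' . $column, $value);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, autor TEXT, title TEXT, text TEXT, date TEXT)');

// Hostile-looking input stays data: the quote and the comment marker end up in the row,
// and 'NOW()' is stored literally because it was bound like any other value.
insertNews($db, array(
    'autor' => "O'Brien",
    'title' => "x'); DROP TABLE news; --",
    'text'  => 'body',
    'date'  => 'NOW()',
));

// The date as an expression: spliced into the SQL and evaluated by the database.
insertNews($db,
    array('autor' => 'John Doe', 'title' => 'Headline goes here', 'text' => 'The content...'),
    array('date' => "datetime('now')")
);

foreach ($db->query('SELECT id, autor, title, date FROM news', PDO::FETCH_ASSOC) as $row) {
    echo implode(' | ', $row), "\n";
}
```

The first row prints with the apostrophe and the DROP TABLE text intact in its columns and the literal text NOW() as its date; the table still exists. The second row carries a real timestamp, produced by the expression the database evaluated.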