Comments on: Building a Complete CodeIgniter Application: Part 3

By: pepe

pepe — Mon, 28 Jul 2008 08:14:08 +0000

Hi, great tutorial.

Just wondering. Doesn’t codeigniter does all the sanitation for you? The thing is instead of reading input via
$_POST
you read it via
$this->input->post
Also at
application/config/config.php
set
global_xss_filtering to true and you have pretty much all what you need.

By: tomme

tomme — Wed, 16 Apr 2008 12:50:59 +0000

Hi Jim,
absolutely great tutorial, thank you very much!
Everything works fine, I’m only having trouble going on upon this base.
I try to get the site styled with css, but I can’t get the site to load the css-file.
I’d just put the link into the css-file in the header-view like that: , but in whatever folder I put the file (html, system,application…) it doesn’t get recognized.
I suppose my problem can easily be solved within the rewriting rules, but thats absolut unknown territory for me. can you help me out?

By: 101 Code Igniter Resources | Learning On Demand

101 Code Igniter Resources | Learning On Demand — Tue, 05 Feb 2008 23:56:12 +0000

[…] Building a Complete CodeIgniter Application: Part 3, by Jim O’Halloran. Eliminate security […]

By: CodeIgniter Framework :: TermiT's Blog

CodeIgniter Framework :: TermiT's Blog — Wed, 30 Jan 2008 19:42:06 +0000

[…] Building a Complete CodeIgniter Application: Part 3 […]

By: Jim O'Halloran

Jim O'Halloran — Sun, 09 Dec 2007 00:41:29 +0000

Hi,

I like to do all of my output escaping in the view (where the output occurs) because different output formats require different escapes. You’ll need htmlentities for a web page, but you don’t want to use htmlentities on a plain text email. If the data is escaped for HTML in the database you’re restricted to using HTML as the output format, or you first need to reverse the htmlentities call, then escape the data for whatever output format you’;re using.

I don’t like magic quotes for the same reason. Magic quotes assumes that the input will be placed into the database and escapes it for that purpose. If the data fails validation and is returned to the html form, you need to strip out the backslashes first, which is a hassle.

I prefer to use “pure” unescaped data throughout my controllers and models, then escape it with the appropriate function just before output (i.e. in a view, or sql statement). I find it less hassle to work that way, otherwise you need to keep track of what form the string is in at any time, which is a pain.

Realistically, in this app, we’ll probably only use the data in a web app, so it wouldn’t be a major inconvenience to have the data html entity encoded in the database itself, but I prefer to retain the flexibility in case I change my mind later.

Hope that helps.

Jim.

By: ariel

ariel — Sat, 08 Dec 2007 23:06:09 +0000

Hi, thank you for tutorial.
a little question: why do the “htmlentities” on the view and not in the controller before saving the “title” data to the database?

By: Jim O’Halloran’s Weblog» Blog Archive » Building a Complete CodeIgniter Application

Sat, 01 Dec 2007 01:00:31 +0000

[…] Part 3: Security […]

By: Mara

Mara — Sun, 04 Nov 2007 16:11:52 +0000

Thank you for the great write-ups and tutorial. Look forward to reading more, they are extremely helpful!

By: a&w

a&w — Sun, 28 Oct 2007 19:38:38 +0000

This promises to be a nice set of tutorials when complete. I’ve also poked around bambooinvoice which has been very helpful to me. It’s really great to see how something would get built from the ground up though, and having some of the why this or why not that to understand it all better. Thanks for sharing.