Using CodeIgniter's escape function

I recently added a comment section to my blog. CodeIgniter says that you should always escape data before putting it in the DB (I have xss_clean enabled globally). Some people say that all Active Record operations escape automatically. Am I wasting my time using the function below?

With the function below I escape the data, but it all goes into the view still escaped. How do you "unescape" it so that it is readable without the quotes? I don't want to use a regex to remove each quote in case one is used in a sentence.

I think my real question is: does Active Record always escape, or not?

i.e. the author field comes out as 'Name'

    function comment_insert()
    {
        // Values are run through $this->db->escape() here; Active Record's
        // insert() escapes them again when it builds the statement.
        $data = array(
            'entry_id' => $this->db->escape($this->input->post('entry_id')),
            'ip'       => $this->db->escape($this->input->post('ip')),
            'date'     => $this->input->post('date'),
            'comment'  => $this->db->escape($this->input->post('comment')),
            'author'   => $this->db->escape($this->input->post('author')),
            'email'    => $this->db->escape($this->input->post('email'))
        );

        // Validation rules are applied to the raw POST fields, not to $data.
        $this->form_validation->set_rules('ip', 'IP', 'required|trim|valid_ip'); // check
        $this->form_validation->set_rules('entry_id', 'Entry ID', 'required|trim|numeric');
        $this->form_validation->set_rules('date', 'Date', 'required|trim');
        $this->form_validation->set_rules('comment', 'Comment', 'required|trim|max_length[600]');
        $this->form_validation->set_rules('author', 'Name', 'required|trim|alpha_dash');
        $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');

        if ($this->form_validation->run() == TRUE)
        {
            $this->db->limit(1);
            $this->db->insert('comments', $data);
            redirect('main/blog_view/' . $_POST['entry_id']);
        }
        else
        {
            // Validation failed: same redirect, nothing is inserted.
            redirect('main/blog_view/' . $_POST['entry_id']);
        }
    }

Thanks

+3
1
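To make the double-escaping effect visible without the framework, here is an added example (not code from the original post or from CodeIgniter). ci_escape(), ci_insert_sql() and stored_value() are assumed stand-ins that mimic what $this->db->escape(), Active Record's insert() and the database's literal decoding do.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// The three functions below are assumed stand-ins for framework/database
// behaviour so the effect can be seen without a CodeIgniter install.

// Stand-in for $this->db->escape(): escapes special characters and wraps
// the result in single quotes so it can be dropped straight into SQL.
function ci_escape(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Stand-in for Active Record's insert(): every value in the array is passed
// through the escape function before the statement is assembled.
function ci_insert_sql(string $table, array $data): string
{
    $cols = implode(', ', array_keys($data));
    $vals = implode(', ', array_map('ci_escape', array_values($data)));
    return "INSERT INTO {$table} ({$cols}) VALUES ({$vals})";
}

// Stand-in for the database decoding one SQL string literal into the value
// it stores: drop the surrounding quotes and undo one level of escaping.
function stored_value(string $literal): string
{
    return stripslashes(substr($literal, 1, -1));
}

$author = "O'Brien"; // constructed sample input

// Double escaping, as in the question: escape() is applied to the value and
// insert() escapes it a second time, so the quotes become part of the data.
$pre_escaped = ci_escape($author);
echo ci_insert_sql('comments', ['author' => $pre_escaped]), PHP_EOL;
echo 'stored: ', stored_value(ci_escape($pre_escaped)), PHP_EOL;

// Single escaping: hand insert() the raw value and let it escape once.
echo ci_insert_sql('comments', ['author' => $author]), PHP_EOL;
echo 'stored: ', stored_value(ci_escape($author)), PHP_EOL;

// HTML escaping against XSS belongs at output time in the view, not before
// storage, and is independent of the SQL escaping above.
echo htmlspecialchars($author, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Run it with `php` on the command line: the first stored value carries the literal quote characters, the second is the original name.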

CodeIgniter Active Record: http://codeigniter.com/user_guide/database/active_record.html

, Active Record , , . , . ( )

, . Active Record, .

+7

Source: https://habr.com/ru/post/1757050/
