CodeIgniter-generated text input fields convert their values into HTML entities

I use CodeIgniter, and in the edit form I pull the data from the database. Sometimes this data contains apostrophes, ampersands, etc.

How can I get CI to not parse this and change it into an HTML version, so that end users can edit it?

This is an image of an edit form. This text field contains data pulled from the database and filled into the input text box. The data does not contain special characters, as you can see in the second image below.

Here is a screenshot of how the data looks in the table; note that I'm just pulling from the rightmost column, not the fourth column.

As you can tell, the data is not saved as converted html, but CI still converts it.

:

<?php
/**
 * Form Field attribute settings
 * @author Mike DeVita
 */
$companyname = array(
    'name'  => 'companyname',
    'placeholder' => 'Enter Your Companies Name',
    'id'    => 'companyname',
    'value' => set_value('', $points['pointFields']['companyname']->uf_fieldvalue),
    'maxlength' => 80,
    'size'  => 30
);
<div class="_100">
    <p><?php echo form_label('Company Name', $companyname['id']); ?><?php echo form_input($companyname); ?></p>
    <?php echo form_error($companyname['id']); ?>
</div>

:

function addUserFieldHtml($compiledHtml){
    foreach ($compiledHtml as $cHK => $cHV){
        $data = array (
            'pointid' => $cHV['pointId'],
            'timestamp' => time(),
            'html' => $cHV['html'],
            'fieldid' => $cHV['fieldId'],
            'fieldvalue' => $cHV['fieldValue']
        );
        $this->db->insert('userfields', $data);

    }
}#end addUserFieldHtml() function

+3
6

:

$companyname = array(
    'value' => set_value('', $points['pointFields']['companyname']->uf_fieldvalue),
);

set_value() is meant to be used directly in HTML, like this:

<input name="email" value="<?php echo set_value('email'); ?>">

Same with form_prep(), used like this:

<input name="username" value="<?php echo form_prep($row->username); ?>">

Just set the value directly:

$companyname = array(
    'value' => $points['pointFields']['companyname']->uf_fieldvalue,
);

... because form_input() already escapes the value. For example:

echo form_input('myinput', '</div>"someJunkInput"<?php'); // Good to go
+3

CodeIgniter post , post .

, , addslashes() simple_query() query(). , sql. htmlspecialchars() htmlentities() . .

, $this->db->insert(); $this->db->update() addslashes() post.

htmlspecialchars(). XSS.

<input value="<?php echo htmlspecialchars($val); ?>" type="button">
+1

:

$tavall = html_entity_decode($task->description, ENT_QUOTES, 'UTF-8');

(here, a textarea):

form_textarea(array(
    'name'          => 'task_description',
    'id'            => 'task_description',
    'value'         => set_value('task_description', $tavall),
    'rows'          => 10,
    'cols'          => 40,
))


+1

CodeIgniter runs $_POST values through htmlspecialchars() when you use set_value(). set_value() lives in form_helper.php and calls form_prep(), which in turn calls htmlspecialchars().

You can extend form_helper with your own version of set_value() that can skip form_prep(). Create MY_form_helper.php:

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Form Value
 *
 * Grabs a value from the POST array for the specified field so you can
 * re-populate an input field or textarea.  If Form Validation
 * is active it retrieves the info from the validation class
 * NEW: Added a third parameter prep to skip htmlspecialchars escaping
 *
 * @access  public
 * @param   string
 * @return  mixed
 */
if ( ! function_exists('set_value'))
{
    function set_value($field = '', $default = '', $prep = true)
    {
        if (FALSE === ($OBJ =& _get_validation_object()))
        {
            if ( ! isset($_POST[$field]))
            {
                return $default;
            }

            return $prep ? form_prep($_POST[$field], $field) : $_POST[$field];
        }

        return $prep ? form_prep($OBJ->set_value($field, $default), $field) : $OBJ->set_value($field, $default);
    }
}


/* End of file MY_form_helper.php */
/* Location: ./application/helpers/MY_form_helper.php */
0
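As an added illustration of the double escaping discussed in the form_input() answer and the MY_form_helper answer above (this is not code from the question, the answers or CodeIgniter), the script below imitates form_prep()/form_input() with two stand-in functions and compares the two patterns; the company-name sample value is constructed.

```php
<?php
// Added example; the two mimic_* functions imitate the behaviour the thread
// ascribes to CodeIgniter's form_prep()/form_input() and are NOT framework code.

// form_prep(): escape a value for use inside an HTML attribute.
function mimic_form_prep(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// form_input(): build the tag and escape the value it receives (once more).
function mimic_form_input(string $name, string $value): string
{
    return '<input type="text" name="' . mimic_form_prep($name)
         . '" value="' . mimic_form_prep($value) . '" />';
}

// What a browser shows in the box: the attribute text, entity-decoded once.
function displayed_value(string $inputTag): string
{
    preg_match('/value="([^"]*)"/', $inputTag, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample row value: stored raw, as the asker's table shows.
$dbValue = 'Smith & Sons "Widgets" <Ltd>';

// Pattern from the question: set_value() escapes, then form_input() escapes again.
$double = mimic_form_input('companyname', mimic_form_prep($dbValue));

// Pattern from the first answer: hand form_input() the raw value; it escapes once.
$single = mimic_form_input('companyname', $dbValue);

// The markup is safe either way (no raw <, > or " reaches the attribute),
// but only the single-escaped field round-trips the stored text unchanged.
printf("double-escaped tag: %s\n", $double);
printf("user sees:          %s\n", displayed_value($double));
printf("single-escaped tag: %s\n", $single);
printf("user sees:          %s\n", displayed_value($single));
printf("round-trips: double=%s single=%s\n",
    displayed_value($double) === $dbValue ? 'yes' : 'no',
    displayed_value($single) === $dbValue ? 'yes' : 'no');
```

The html_entity_decode() workaround from the textarea answer hides the symptom but is lossy: a stored value that legitimately contains a literal "&amp;" is altered before it is shown. Escaping exactly once at the output boundary keeps both the round trip and the attribute context intact.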

CodeIgniter 3.0:

set_value($field[, $default = ''[, $html_escape = TRUE]])

Parameters:
  $field (string) – Field name
  $default (string) – Default value
  $html_escape (bool) – Whether to turn off HTML escaping of the value
Returns: Field value
Return type: string

Allows you to set the value of an input form or text field. You must specify the field name using the first parameter of the function. The second (optional) parameter allows you to set the default value for the form. The third (optional) parameter allows you to disable HTML escaping of the value if you need to use this function in combination with e.g. form_input() and avoid double escaping.

By setting the third parameter to false, you can prevent quotes from being converted, as shown below:

  ....
 'value' => set_value('control_name',$control[0]['control_name'],false),
  ....
0
source

Use this code:

$test = 'hello "B"';
set_value('test', $test, false)
0
source
