When I load the data into the input box:

<input type="text" name='name' value='<?= ($activity->name); ?>' class="form-control">

If the data contains a single quote, it strips the later part of the string, because of the conflict with the quote symbol.

So I fix it with

<input type="text" name='name' value='<?= htmlspecialchars($activity->name); ?>' class="form-control">

It works. The problem is, it is tedious to apply it to every input box. Is there any workaround that applies globally, for CodeIgniter?

Thanks

Abdulla Nilam
user782104
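As an added example (not code from the question or any answer), the following stand-alone PHP script shows why the unescaped value breaks the attribute, why the htmlspecialchars() flags matter for a single-quoted attribute, and one way to escape everything a controller hands to a view in a single place. The $activity object, its name, render_input() and escape_view_data() are constructed for the demo.

```php
<?php
// Added example: constructed data, not from the question.
$activity = new stdClass();
$activity->name = "O'Brien's \"special\" <b>event</b>";

function render_input($value) {
    // Same markup as the question: single-quoted value attribute
    return "<input type=\"text\" name='name' value='" . $value . "' class=\"form-control\">";
}

// 1. Unescaped: the first ' in the name ends the attribute, and whatever
//    follows it is parsed as new attributes or markup (HTML injection).
echo "unescaped : ", render_input($activity->name), PHP_EOL;

// 2. ENT_COMPAT (the default before PHP 8.1) converts " but leaves ' alone,
//    so a single-quoted attribute is still cut short.
echo "ENT_COMPAT: ", render_input(htmlspecialchars($activity->name, ENT_COMPAT)), PHP_EOL;

// 3. ENT_QUOTES escapes both quote styles, so the value is safe in either a
//    single- or double-quoted attribute. CodeIgniter 3's html_escape()
//    helper calls htmlspecialchars() with ENT_QUOTES for the same reason.
echo "ENT_QUOTES: ", render_input(htmlspecialchars($activity->name, ENT_QUOTES, 'UTF-8')), PHP_EOL;

// 4. "Global" escaping: pass the whole array a controller gives to a view
//    through one recursive helper, so every string that reaches the view is
//    already attribute-safe. Hypothetical helper name; CI3's html_escape()
//    recurses over arrays in the same way. Objects are cloned, not mutated.
function escape_view_data($data) {
    if (is_array($data)) {
        foreach ($data as $key => $item) {
            $data[$key] = escape_view_data($item);
        }
        return $data;
    }
    if (is_object($data)) {
        $copy = clone $data;
        foreach (get_object_vars($copy) as $prop => $item) {
            $copy->$prop = escape_view_data($item);
        }
        return $copy;
    }
    return is_string($data) ? htmlspecialchars($data, ENT_QUOTES, 'UTF-8') : $data;
}

$view_data = escape_view_data(['activity' => $activity, 'tags' => ['<x>', "it's"]]);
echo "array     : ", render_input($view_data['activity']->name), PHP_EOL;
```

Only the ENT_QUOTES and escape_view_data() lines produce an input whose value survives intact in a single-quoted attribute; the first two lines show the attribute ending at the apostrophe in O'Brien.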

6 Answers


You can use both types of quote. There's no reason to use single/double quote.

<input type='text' name='name' value='<?=($activity->name); ?>' class='form-control'>

<input type="text" name="name" value="<?=($activity->name); ?>" class="form-control">
Dhaval Ajani

Use form helper:

$data=array(
    'class' => 'form-control',
    'name' => 'name',
    'value' => set_value('name', $activity->name)
);
echo form_input($data);

Or, if you don't want to escape anything:

'value' => set_value('name', $activity->name, false)
cssBlaster21895

Why don't you double quote the value?

<input type="text" name='name' value="<?=($activity->name); ?>" class="form-control">

There's no reason to use single quote...

When you save "name" in the DB, you can use addslashes($name) ...

Amazone

I think for CodeIgniter you should use its own syntax for an input text box; try this one:

<?php echo form_input(array("name" => "name", "class" => "form-control input-sm", "value" => $activity['name'])); ?>
Priyank

You can try adding the htmlspecialchars in the class. Something like:

class Activity {
    private $name;
    public function __construct($name) { $this->name = $name; }
    // A property default must be a constant, so escape in the getter instead
    public function getName() { return htmlspecialchars($this->name, ENT_QUOTES); }
}
Stephan Sutter

Every question has a solution.

I tried assigning config and everything I could do. Finally I found the best solution for you. Now you don't have to add htmlspecialchars() in every function. Just use the code below.

One more thing: in CI there is a method called html_escape($var); read about that too.

Changes

Go to system/core/input.php (I'm using CI 3, so go to line 254)

Change this

public function post($index = NULL, $xss_clean = NULL)
{
    return $this->_fetch_from_array($_POST, $index, $xss_clean);
}

to this:

public function post($index = NULL, $xss_clean = NULL)
{
    return htmlspecialchars ($this->_fetch_from_array($_POST, $index, $xss_clean));
}

In order to use this, the form method should be method="post", and in the controller you have to use $this->input->post(''); $_POST will not work for you.

Example - Code

In view (sample form)

<?php echo form_open('welcome/form'); ?>
<h1>Create Contact Form Using CodeIgniter</h1>
    <?php echo form_label('Student Name :'); ?>
    <?php echo form_input(array('id' => 'dname', 'name' => 'dname')); ?>
    <?php echo form_label('Student Email :'); ?>
    <?php echo form_input(array('id' => 'demail', 'name' => 'demail')); ?>
    <?php echo form_submit(array('id' => 'submit', 'value' => 'Submit')); ?>
<?php echo form_close(); ?>

In Controller

echo $this->input->post('dname');

Input & Output

Input is This is some <b>bold</b> text., which I took from w3schools.com

Output is This is some <b>bold</b> text.

Check in

  1. GitHub (Recommended)
Abdulla Nilam
  • You should never be changing core files in Codeigniter. – Jim Pannell Feb 13 '23 at 09:05
  • @JimPannell post something when you know about it. There is ***no RULE to say do not change***. It's for newbies like you. If you want that as an example saying "we can do anything", then search **`CodeIgniter Error: variable references`** and check where we need to make the change KIDDO – Abdulla Nilam Feb 13 '23 at 09:26
  • The recommendation is that you EXTEND Codeigniter's core functionality - not hack the core files. Why? Because your changes could be overwritten when upgrading to a newer version of CI. Instead what you can do is copy the input.php file, make the necessary changes and place it in your application/core/ folder, renaming it MY_Input.php. That way when you upgrade, your changes will be intact. – Jim Pannell Feb 14 '23 at 10:31
  • You still didn't get the point that says, "**There is no RULE for not to edit**." – Abdulla Nilam Feb 14 '23 at 11:36
  • That's right - it isn't a rule, but it is considered best practice. Everyone is free to do what they want at the end of the day. – Jim Pannell Feb 14 '23 at 13:39
  • Bro, there is no best practice in not editing core. It's also just a PHP file. If you have to, then you have to. So, as you say, there is no value in the first comment. – Abdulla Nilam Feb 14 '23 at 14:35
  • This page in the docs might be useful for anyone coming across these comments: https://codeigniter.com/userguide3/general/core_classes.html Anyone is absolutely free to do what Abdulla has done - it's a great solution from someone who is no doubt extremely talented. However, I was merely attempting to point out that if you are to edit core files, there's a safer way to do it if you don't want to accidentally overwrite your edits when upgrading. – Jim Pannell Feb 15 '23 at 10:38