Hi guys,

I'm building an app using CodeIgniter and I came to a problem. I have a form with a textarea in which the user puts his text using a simple editor powered by jwysiwyg.jquery. The problem is that I need to clean this input of garbage code (like the one that comes with pasting directly from Word).

The form is validated with the form_validation library from CodeIgniter, with this rule:

array(
    'field' => 'job[description]',
    'label' => 'Description',
    'rules' => 'trim|required|callback_clean_html'
),

Then I have a clean_html method that simply does a:

return strip_tags($text,'<a><p><br><strong><em><h3><h4><h5><ul><ol><li>');

The problem is that this is simply ignored and the original text gets inserted in the database. The method runs (I've tested). I assume it's because a callback should return TRUE or FALSE, but then xss_clean doesn't return a BOOL. The documentation isn't much help.

Any thoughts?

Thanks in advance.

A: 

Have you tried removing callback_ in the rule? You can use regular PHP functions like trim, so this should work.

fire
A: 

Something I always do just to be double safe: after setting the rules for the input, I also run them through this

`$string = filter_var($string, FILTER_SANITIZE_STRING);`

That will strip out the HTML.

I too have run into situations lately where the input totally ignores the rules that have been set.

Brad
A: 

I think form_validation callbacks do need to return a bool. I find that form_validation is most useful when you need to display an error message to a user usually to resubmit the form. Although the prepping functions can be convenient, they don't need to be there to validate. Why not pass the submitted string through the strip_tags function after the form is submitted but before you send it to your db?

musoNic80
I'll do that. I just thought it would be nice to do all the data prepping in one place, oh well. Thanks for the response.
Dan F.
A: 

xss_clean and other CI validation functions return non-bool values. I just tested the following callback function in CI version 1.7.2:

function test_string_change($str)
{
    return "$str **";
}

The string was changed successfully using callback_test_string_change. I know there were some issues with the callback functions in 1.7.0, are you using the latest version?

Brian Hogg
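The behaviour Brian describes (a callback returning a string rather than TRUE/FALSE replaces the field value) is what makes the asker's single-place cleanup workable. The controller below is an added example, not code from the thread or from CodeIgniter itself; the `Jobs` controller, the `jobs/form` view and the `job_model` are assumed names. It also covers a point the PHP manual makes about strip_tags(): attributes on the tags you allow are left untouched, so a pasted `<p onmouseover=...>` or `<a href="javascript:...">` would survive the allowlist. The callback therefore drops all attributes except `href` and hands the result to xss_clean before it is stored. The regexes are deliberately narrow; for untrusted rich text in production a real HTML sanitizer such as HTML Purifier is the more robust choice.

```php
<?php
// Added example (not from the original thread). Written against the
// CodeIgniter 1.7.x API the thread discusses; on CI 2.x change the parent
// class to CI_Controller. Controller, view and model names are assumptions.
class Jobs extends Controller
{
    // Tags the editor is allowed to emit. Everything else that Word pastes
    // (<span>, <o:p>, <font>, conditional comments ...) is removed by strip_tags().
    private $allowed_tags = '<a><p><br><strong><em><h3><h4><h5><ul><ol><li>';

    public function create()
    {
        $this->load->library('form_validation');
        $this->load->model('job_model');

        $this->form_validation->set_rules(
            'job[description]', 'Description',
            'trim|required|callback_clean_html'
        );

        if ($this->form_validation->run() === FALSE) {
            // Validation failed: redisplay the form with the error messages.
            $this->load->view('jobs/form');
            return;
        }

        // set_value() returns the field as it left the rule chain, i.e. the
        // string clean_html() returned, not the raw POST value.
        $description = $this->form_validation->set_value('job[description]');
        $this->job_model->insert(array('description' => $description));
    }

    // Validation callback. Returning a string instead of TRUE/FALSE makes
    // form_validation store that string as the field's new value, which is
    // why a prepping callback can also sit in the rules list.
    public function clean_html($text)
    {
        // 1. Drop every tag that is not in the allowlist.
        $clean = strip_tags($text, $this->allowed_tags);

        // 2. strip_tags() keeps all attributes of allowed tags (style, on*
        //    handlers, javascript: hrefs). Keep only href on <a>, rewritten
        //    as a bare double-quoted attribute.
        $clean = preg_replace('/<a\b[^>]*\bhref=(["\'])(.*?)\1[^>]*>/i', '<a href="$2">', $clean);
        // <a> tags without an href lose their attributes entirely.
        $clean = preg_replace('/<a\b(?![^>]*\bhref=)[^>]*>/i', '<a>', $clean);
        // Every other allowed opening tag is reduced to the bare tag name.
        $clean = preg_replace('/<(p|br|strong|em|h[345]|ul|ol|li)\b[^>]*>/i', '<$1>', $clean);

        // 3. Let CI's XSS filter handle what is left inside the href values.
        return $this->input->xss_clean($clean);
    }
}
```

If you prefer musoNic80's approach of prepping outside the validator, the body of clean_html() can be moved into the model's insert path unchanged; the only thing lost is that set_value() will then hand back the raw text when the form is redisplayed.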
A: 

Hello,

See the weakness of the CodeIgniter input library at http://newdailyblog.blogspot.com/2010/07/weakness-of-codeigniter-input-library.html.

Tahsin Hasan
A: 

Hello,

and see how you can fix it with my extended input library at http://newdailyblog.blogspot.com/2010/07/documentation-of-codeigniter-my-input.html.

Tahsin Hasan