Formatting the POST array to an SQL insert\update string in codeigniter 2
Posted: 07 November 2010 09:42 AM
Joined: 2010-04-23
33 posts

Hi,

I’m trying to automate form creation and submission in codeigniter.

Basically what I want is to find a way to go over all the data in the POST array and format it correctly to an insert or update sql query.

The problem is I don’t know how to access the whole POST array in CI, all I know of is the $this->input->post(field_name) way which only gives you a specific field.

Ideally I would want to send the POST array to the $this->db->insert_string() or $this->db->update_string() to do the job for me.

I know I can still use the php native $_POST array, but this is not recommended and not as secure as CI’s input class.

Anyone know a way to do this?

Thanks, Amos

 
Posted: 07 November 2010 09:55 AM   [ # 1 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

$this->input->post() just returns a value from $_POST (if you don’t explicitly request to clean it), so if you have global XSS clean enabled, you can just use $_POST.

If you want the option to return the entire array, you can use my Input library extension:

class MY_Input extends Input
{
    /**
    * Fetch from array
    *
    * This is a helper function to retrieve values from global arrays
    *
    * @access    private
    * @param    array
    * @param    string
    * @param    bool
    * @return    string
    */
    function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
    {
        // no index given: return the entire array
        if ( empty($index) )
        {
            if ( $xss_clean === TRUE )
            {
                // clean every value before returning it
                $cleaned = array();
                foreach($array as $key => $value)
                {
                    $cleaned[$key] = $this->xss_clean($value);
                }
                return $cleaned;
            }
            else
            {
                return $array;
            }
        }
        else
        {
            // index given: return that single value, or FALSE if it is not set
            if ( ! isset($array[$index]))
            {
                return FALSE;
            }

            if ($xss_clean === TRUE)
            {
                return $this->xss_clean($array[$index]);
            }

            return $array[$index];
        }
    }
}
 Signature 

Me: WanWizard.eu | My company: Exite | Datamapper: DataMapper ORM <= LOOKING FOR A NEW MAINTAINER!

 
Posted: 07 November 2010 10:05 AM   [ # 2 ]   [ Rating: 0 ]
Joined: 2010-04-23
33 posts

I don’t get it, if I don’t use XSS cleaning, $this->input->post(something) is EXACTLY the same as $_POST[something] ??

 
Posted: 07 November 2010 10:16 AM   [ # 3 ]   [ Rating: 0 ]
Joined: 2010-04-23
33 posts

The user guide says that the input class filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters and standardizes newline characters to \n… I’m not 100% sure how serious that is but it sounds important, no?

 
Posted: 07 November 2010 10:27 AM   [ # 4 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

Yes.

If you use global XSS cleaning in your config, $_POST contains the cleaned values, and it is safe to use $_POST. (If you do, you have to make sure nobody changes your config setting!) If you don’t, you need to use the XSS_clean parameter of $this->input->post.

There are two options:
- use my Input library extension that allows you to use $this->input->post(FALSE, TRUE) which returns the entire $_POST array, cleaned.
- code it manually:

// manually clean all post values
foreach( $_POST as $key => $value )
{
    $_POST[$key] = $this->input->post($key, TRUE);
}
// you can now use $_POST here...

 
Posted: 07 November 2010 10:28 AM   [ # 5 ]   [ Rating: 0 ]
Joined: 2010-04-23
33 posts

Is it possible that the input class cleans the POST array regardless if I use $this->input->post or $_POST?

I just looked at the code and it seems that the input class cleans the post array itself in the construction function and then the input->post function indeed just pulls it from it without any extra work to it (if I don’t use XSS cleaning).

If that is so, why does the user guide encourage the use of input->post? I don’t see any benefit to it…

Thanks,
Amos

 
Posted: 07 November 2010 10:39 AM   [ # 6 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

No, the input class only cleans when XSS_cleaning is globally enabled in the config. If not, it doesn’t touch $_POST.

I personally never use global XSS cleaning (sometimes you don’t want that), and always use $this->input->post('field', TRUE); so I’m absolutely sure it’s cleaned.


 
Posted: 07 November 2010 10:42 AM   [ # 7 ]   [ Rating: 0 ]
Joined: 2010-04-23
33 posts

OK great, I am definitely going to use your extended input class.

The problem is I can’t manage to make it run… I uploaded MY_Input.php to the application\library folder and it doesn’t run… I am using CI2 so I also tried to change the “extends Input” to “extends CI_Input” but that didn’t do anything.

While I’m at it let me ask: once it is working, can I use the command “$this->input->post()” to get the entire array?

Thanks,
Amos

 
Posted: 07 November 2010 10:50 AM   [ # 8 ]   [ Rating: 0 ]
Joined: 2010-04-23
33 posts

BTW the input class does touch $_POST at the construction, even if XSS cleaning is off. It does other cleaning stuff to it. Look at line 494 or 514 for example…

Another benefit of using the input->post(something) is that it checks if that key exists, but since I need the whole post array, I don’t really care for this check…

Waiting to hear your good advice about my MY_Input issue..

Thanks!
Amos
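
An added example, not code from any poster in this thread or from CodeIgniter: one way to handle the whole-array case discussed above in plain PHP, applying the key filtering and newline standardisation the user guide describes, keeping only the columns the form is supposed to supply, and emitting placeholders instead of inlined values. The function name build_insert, the key pattern, and the table and column names are assumptions made for illustration.

```php
<?php
// Added illustration: plain PHP, no CodeIgniter required. All names are hypothetical.

// Assumption: approximates the key rule the user guide describes
// (alpha-numeric plus a few other characters).
const KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';

/**
 * Turn a whole POST-style array into a parameterised INSERT.
 * $table and $allowed are defined in code, never taken from the request.
 * Returns array($sql, $params) ready for a prepared statement.
 */
function build_insert(string $table, array $post, array $allowed): array
{
    $columns = array();
    $params  = array();
    foreach ($post as $key => $value) {
        // Reject the request outright if a key contains unexpected characters.
        if (!preg_match(KEY_PATTERN, (string) $key)) {
            throw new InvalidArgumentException('Disallowed key characters');
        }
        // Skip fields the form never defined, and nested arrays.
        if (!in_array($key, $allowed, true) || !is_string($value)) {
            continue;
        }
        $columns[] = $key;
        // Standardise newline characters to \n.
        $params[]  = str_replace(array("\r\n", "\r"), "\n", $value);
    }
    if ($columns === array()) {
        throw new InvalidArgumentException('No usable fields in submission');
    }
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    $sql   = sprintf('INSERT INTO %s (%s) VALUES (%s)',
                     $table, implode(', ', $columns), $marks);
    return array($sql, $params);
}

// Constructed sample submission: two expected fields plus a column the form never exposed.
$post = array(
    'title'     => 'Hello',
    'body'      => "line one\r\nline two",
    'author_id' => '1',
);

list($sql, $params) = build_insert('articles', $post, array('title', 'body'));
echo $sql, "\n";
var_export($params);
```

Because the column list comes from the allow-list rather than from the submitted keys, an extra field in the request never reaches the query, and XSS cleaning of the values remains a separate step applied where they are output.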

 
Posted: 07 November 2010 11:22 AM   [ # 9 ]   [ Rating: 0 ]
Joined: 2009-06-19
6583 posts

If you’re running CI2.0 it needs to go in application/core

InsiteFX

 Signature 

Certified State of CT Computer Programming Teacher.
Custom Designed Icons, eBook Covers Software Boxes. CD, DVD Etc. New iPhone® Tab Bar Icons and iPhone® Applications Icons.

Skype: insitfx

STOP! Before posting your questions, remember the WWW Golden rule:
What did you try? What did you get? What did you expect to get?

Input -> Controller | Processing -> Model | Output -> View

 
Posted: 07 November 2010 11:44 AM   [ # 10 ]   [ Rating: 0 ]
Joined: 2010-04-23
33 posts

If that’s true then the user guide for CI2 is very wrong on that issue. Not that it doesn’t have many mistakes, but this one is a really big one…