Using Codeigniter Escape function


Problem description

I have recently added a comments section to a blog. Codeigniter says to always escape data before putting it into the DB (I do have XSS clean on full time). Some people say all Active Record operations are escaped. Am I wasting my time using escape in the function below?

Using the function below I escape the data, but it all comes out into the view escaped. How do you "un-escape" data so it will be readable without the ' '? I don't want to use a regex to delete every '' in case it's used in a sentence.

I guess my real question is, are Active Records always escaped or not?

i.e. Author comes out as 'Name'

function comment_insert()
{
    $data = array
    (
        'entry_id' => $this->db->escape($this->input->post('entry_id')),
        'ip'       => $this->db->escape($this->input->post('ip')),
        'date'     => $this->input->post('date'),
        'comment'  => $this->db->escape($this->input->post('comment')),
        'author'   => $this->db->escape($this->input->post('author')),
        'email'    => $this->db->escape($this->input->post('email'))
    );

    $this->form_validation->set_rules('ip', 'IP', 'required|trim|valid_ip'); //check
    $this->form_validation->set_rules('entry_id', 'Entry ID', 'required|trim|numeric');
    $this->form_validation->set_rules('date', 'Date', 'required|trim');
    $this->form_validation->set_rules('comment', 'Comment', 'required|trim|max_length[600]');
    $this->form_validation->set_rules('author', 'Name', 'required|trim|alpha_dash');
    $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');

    if ($this->form_validation->run() == TRUE)
    {
        $this->db->limit(1);
        $this->db->insert('comments', $data);
        redirect('main/blog_view/'.$_POST['entry_id']);
    }
    else
    {
        redirect('main/blog_view/'.$_POST['entry_id']);
    }
}

Thanks

Recommended answer

According to the CodeIgniter User Guide for the Active Record functions in the Database Class: http://codeigniter.com/user_guide/database/active_record.html


Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system. (emphasis added)

So yes, you're wasting your time. As long as you use Active Record, your data are automatically escaped.
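To make the answer concrete, below is a rewritten comment_insert() added here as an example; it is not the asker's code and not part of the CodeIgniter project. It assumes a CodeIgniter 2.x controller with the Database, Input and Form Validation classes loaded, the same form field names and the same 'comments' table as the question, and the 'main/blog_view' redirect target. The point it demonstrates is the one the accepted answer makes: $this->db->insert() escapes every value itself, so the manual $this->db->escape() call is what wraps the stored author in quotes ('Name'), and dropping it fixes the "un-escape" problem without any regex.

```php
<?php
// Added example (hypothetical controller, not from the question or from CodeIgniter):
// the question's comment_insert() without the double escaping.
class Comments extends CI_Controller
{
    public function comment_insert()
    {
        // 1. Validate first, on the raw POST values. The rules should see the
        //    data exactly as the user sent it, not a quoted/escaped copy of it.
        $this->form_validation->set_rules('ip', 'IP', 'required|trim|valid_ip');
        $this->form_validation->set_rules('entry_id', 'Entry ID', 'required|trim|numeric');
        $this->form_validation->set_rules('date', 'Date', 'required|trim');
        $this->form_validation->set_rules('comment', 'Comment', 'required|trim|max_length[600]');
        $this->form_validation->set_rules('author', 'Name', 'required|trim|alpha_dash');
        $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');

        // Read through the Input class rather than $_POST so the redirect uses
        // the same (XSS-filtered) value the validation rules were run on.
        $entry_id = $this->input->post('entry_id');

        if ($this->form_validation->run() === FALSE)
        {
            redirect('main/blog_view/'.$entry_id);
            return;
        }

        // 2. Hand Active Record the *unescaped* values. insert() escapes each
        //    value once on its own; calling $this->db->escape() here as well
        //    would escape twice, and the quotes escape() adds would be stored
        //    as part of the data, which is why the view showed 'Name'.
        $data = array(
            'entry_id' => $entry_id,
            'ip'       => $this->input->post('ip'),
            'date'     => $this->input->post('date'),
            'comment'  => $this->input->post('comment'),
            'author'   => $this->input->post('author'),
            'email'    => $this->input->post('email'),
        );

        // limit(1) from the original has no effect on an INSERT and is dropped.
        $this->db->insert('comments', $data);

        // Optional while developing: inspect the SQL Active Record actually built.
        // With the MySQL driver an author of O'Brien appears once-escaped as
        // 'O\'Brien'; with the manual escape() it would appear as '\'O\\\'Brien\''.
        log_message('debug', $this->db->last_query());

        redirect('main/blog_view/'.$entry_id);
    }
}
```

Two things worth keeping apart when reading this: SQL escaping (what Active Record does for you) protects the query, and it is finished once the row is stored; the data comes back out of the database exactly as the user typed it. Making it safe to print in the view is a separate, HTML-level step, for example htmlspecialchars($row->author, ENT_QUOTES, 'UTF-8') at output time, which the global xss_clean does not replace.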
