0
votes

Wasn't really sure how to title this question, but here it goes. I always use CodeIgniter's form validation class to validate my form information. In my application, there are forms that are used by other members that register. For example, if someone wants to post a comment on a blog article, they use the form for that article.

If my controller is:


<?php
class Blog extends CI_Controller {

     function postcomment($blog_id){

          // form_validation, parser and the model must be loaded (or autoloaded) before use
          $this->load->library(array('form_validation', 'parser'));
          $this->load->model('blog_post');

          // data handed to the template when the form is (re)displayed
          $data = array('blog_id' => $blog_id);

          // 'comment' is a rule group defined in application/config/form_validation.php
          if($this->form_validation->run('comment') == FALSE){

               $this->parser->parse('comment_form.tpl', $data);

          } else {

               $this->blog_post->create_comment($blog_id);

          }

     }

}

and my model is...


<?php
class Blog_Post extends CI_Model {

     function create_comment($blog_id){

          // the model reads the POST fields directly; $this->input is available through CI's magic __get()
          $data = array(
               'title'   => $this->input->post('title'),
               'content' => $this->input->post('content'),
               'date'    => time()
          );

          // Query Builder escapes the values before building the INSERT
          $this->db->insert('blog_comments', $data);

     }

}

Is there a need to use preg_match, strlen, isset, etc, to validate the information before it's actually inserted?


3 Answers

0
votes

It depends on your needs, while CI's form validation does provide the regex, unique, max_length, isset, etc. validations.

If you have any custom validation, like calculations or percentages greater than the input numbers, it also provides the callback function to validate. It totally depends on your needs.

Some major validation rules are

cascading rules

prepping data

callbacks

Here is all the stuff that you need to go through: form_validation

0
votes

Even though CodeIgniter has already implemented security, it is still best practice to implement the following:

  1. Filter the data as if it were tainted. (Using the xss filtering)
  2. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
  3. Escape the data before submitting it into your database.

I read this here: http://ellislab.com/codeigniter/user-guide/general/security.html
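As an added example (not code from the question, the answer, or the CodeIgniter user guide), here are those three steps applied to the question's setup: the 'comment' rule group that `run('comment')` refers to, a controller that hands only the filtered, validated fields to the model, and a model that inserts through Query Builder, which escapes the values. The table name and the 'comment' group come from the question; the concrete rules and the `blog_id` column are assumptions, and `xss_clean` as a rule assumes CodeIgniter 2.x.

```php
<?php
// --- application/config/form_validation.php ---
// Step 2 (validate): type and length rules for the 'comment' group (assumed rule set).
$config = array(
    'comment' => array(
        array('field' => 'title',   'label' => 'Title',
              'rules' => 'trim|required|max_length[120]|xss_clean'), // xss_clean = step 1 (CI 2.x)
        array('field' => 'content', 'label' => 'Comment',
              'rules' => 'trim|required|min_length[2]|max_length[4000]'),
    ),
);

// --- application/controllers/blog.php ---
class Blog extends CI_Controller {

    public function postcomment($blog_id) {
        $this->load->library('form_validation');
        $this->load->model('blog_post');

        if ($this->form_validation->run('comment') === FALSE) {
            // Re-display the form with validation_errors(); nothing reaches the model.
            $this->load->view('comment_form', array('blog_id' => $blog_id));
            return;
        }

        // Only the fields that passed validation are passed on; the model never reads $_POST
        // itself, so create_comment() cannot be reached with unvalidated input from elsewhere.
        $comment = array(
            'blog_id' => (int) $blog_id,                     // URL segment: cast, so it is only ever an integer
            'title'   => $this->input->post('title', TRUE),   // TRUE = xss_clean on read (step 1)
            'content' => $this->input->post('content', TRUE),
            'date'    => time(),
        );
        $this->blog_post->create_comment($comment);
    }
}

// --- application/models/blog_post.php ---
class Blog_post extends CI_Model {

    // Step 3 (escape): Query Builder escapes every value in $comment when it builds the INSERT,
    // so no manual quoting is needed; the length checks above are what keep the data sane.
    public function create_comment(array $comment) {
        return $this->db->insert('blog_comments', $comment);
    }
}
```

The point the example makes is separation of duties: validation and filtering happen once in the controller, the model receives an already-checked array, and the database layer does the escaping.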

0
votes

But then, if you previously validated the data sent by POST with form_validation before inserting it, should I enable XSS filtering?

$this->input->post('any_input', TRUE);

//table fields and data to insert
$dataUsuario = array(
            'matr_user'         => 'guest-'.date("whis"),//hour-min-sec-day
            'pass_user'         => $passHash,
            'nom_user'          => capitalizar($this->input->post('tx_nom')),
            'ap_user'           => capitalizar($this->input->post('tx_ap')),
            'am_user'           => capitalizar($this->input->post('tx_am')),
            'sex_user'          => $this->input->post('tx_sex'),
            'nomfull'           => $nom_completo,
            'fnaci_user'        => $this->input->post('tx_naci'),
            'curp_user'         => $this->input->post('tx_curp'),
            'callenum_user'     => capitalizar($this->input->post('tx_calle')),
            'col_user'          => capitalizar($this->input->post('tx_col')),
            'cp_user'           => $this->input->post('tx_cp'),
            'ciud_user'         => capitalizar($this->input->post('tx_city')),
            'estad_user'        => capitalizar($this->input->post('tx_estado')),
            'fech_ins_user'     => $this->fecha_server(),
            'time_ins_user'     => $this->hora_server(),
            'ip_ins_user'       => $this->ip_usuario(),
            'operador_ins_user' => $this->session->userdata('username'),
            'fech_upd_user'     => '0000-00-00',
            'time_upd_user'     => '00:00:00',
            'ip_upd_user'       => '0',
            'operador_upd_user' => 'sinuser'
        );

//start the transaction
$this->db->trans_start();

//insert the data
//call the model method that performs the inserts
$consulta_idUser = $this->usuario->create_usuario($dataUsuario);