
I am using Kohana 2.3.4. I have a text area for "Embed Google Map Code"; the system automatically strips the iframe tag and it is not inserted into the database. Here's my code snippet for inserting/updating:

$this->db->query("UPDATE tbl_sites SET map_code='$_POST[map_code]' WHERE id=$id");
jalf

2 Answers


My guess is that you are forgetting the quotes when indexing into the $_POST array. Try this:

$this->db->query("UPDATE tbl_sites SET map_code='{$_POST["map_code"]}' WHERE id={$id}");

You should also make sure to sanitize the values coming from the $_POST array before using them in a query.

JK.
  • OK, thanks JK. Will try it now. I will just use the $this->input->post() of Kohana. I will sanitize the values automatically – jalf May 07 '12 at 22:41
  • Still the same, JK; the iframe tag won't insert into the database – jalf May 07 '12 at 22:46
  • No error message. It updated successfully, but the iframe tag is not inserted into the database – jalf May 07 '12 at 23:11

That query looks dodgy, but if you're certain it's updating the record correctly, and Kohana is only stripping the iframe, then perhaps this is an issue with XSS filtering. Have you tried turning off global XSS filtering? http://docs.kohanaphp.com/general/security#cross_site_scripting_xss

badsyntax
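
If the XSS filter is relaxed for this field as suggested above, the embed code needs its own validation before it is stored. The following is an added example, not code from this thread or from Kohana: it accepts only an iframe whose src is a Google Maps embed URL and rebuilds the tag from that URL. The function name `extract_map_embed()`, the allowed host and path, and the sample inputs are assumptions.

```php
<?php
// Added example: allowlist validation for a pasted map embed.
// extract_map_embed() and the allowlist are hypothetical, not Kohana API.

function extract_map_embed($html)
{
    $allowed_host = 'www.google.com';   // assumed allowlist entry
    $allowed_path = '/maps/embed';      // assumed path prefix

    $doc = new DOMDocument();
    // Prefix keeps the input non-empty and UTF-8; @ silences markup warnings.
    if (!@$doc->loadHTML('<?xml encoding="UTF-8">' . $html)) {
        return null;
    }
    $frames = $doc->getElementsByTagName('iframe');
    if ($frames->length !== 1) {
        return null; // exactly one iframe expected
    }
    $src = $frames->item(0)->getAttribute('src');
    $url = parse_url($src);
    if ($url === false
        || !isset($url['scheme'], $url['host'], $url['path'])
        || $url['scheme'] !== 'https'
        || strtolower($url['host']) !== $allowed_host
        || strpos($url['path'], $allowed_path) !== 0) {
        return null; // javascript:, data:, other hosts, relative URLs
    }
    // Re-emit a fixed tag: only the checked src survives, event handlers
    // and any other attributes from the submitted HTML are dropped.
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" width="600" height="450" frameborder="0"></iframe>';
}

// Constructed sample inputs: one acceptable embed, three rejected ones.
$samples = array(
    '<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE" onload="x()"></iframe>',
    '<iframe src="https://example.invalid/maps/embed"></iframe>',
    '<iframe src="javascript:alert(1)"></iframe>',
    '<script>x()</script>',
);
foreach ($samples as $s) {
    var_dump(extract_map_embed($s));
}
```

Store the returned string through a bound query parameter rather than interpolating it into the SQL text, and treat a `null` result as a validation error.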