
How can I avoid HTML code (e.g. `<div>` tags) being inserted into the database while still keeping the CSS applied to the divs that come from a textbox? Please see the image below and look at the column openletter: you will see that HTML code is being inserted into this column. There are divs along with CSS being inserted. I know it sounds silly, but how do I stop this code from being inserted into the DB? I have attached my model, view and controller code below.

enter image description here

My model code is (student.php):

 /**
  * Overwrite the `country` row whose open_id equals $open_id with the supplied field values.
  *
  * The values are passed to $this->db->update() as a column => value map rather than being
  * concatenated into SQL text (presumably CodeIgniter's query builder, which escapes them;
  * confirm against the database configuration).
  *
  * NOTE(review): $openletter and the other fields are stored exactly as received. Any markup
  * they contain comes back out of the database unchanged, so it has to be escaped or
  * sanitised at the point where it is rendered.
  *
  * @return mixed Whatever $this->db->update() returns.
  */
 public function updatestudent($open_id, $from, $to, $openletter, $featured, $title, $archieve, $latest, $sponsor, $image, $category)
 {
     $fields = array(
         'open_id'    => $open_id,
         'from'       => $from,
         'to'         => $to,
         'openletter' => $openletter,
         'featured'   => $featured,
         'title'      => $title,
         'archieve'   => $archieve,
         'latest'     => $latest,
         'sponsor'    => $sponsor,
         'image'      => $image,
         'category'   => $category,
     );

     // Restrict the UPDATE to the one record being edited.
     $this->db->where('open_id', $open_id);
     $updated = $this->db->update('country', $fields);

     return $updated;
 }

My controller code is(home.php):

 /**
  * Show the edit form for one record and, on submit, validate the posted fields and save them.
  *
  * When $_POST has no `submit` field, or when validation fails, the form view is rendered with
  * the record returned by showstudentCon($open_id). Otherwise the posted values are passed to
  * the model's updatestudent() and a success or error message is printed between the header,
  * menu and footer views.
  *
  * NOTE(review): the record that gets updated is selected by $_POST['open_id'], not by the
  * $open_id route argument used to load the form. Confirm that the two are allowed to differ
  * and that the caller is authorised for the posted id.
  * NOTE(review): every field is only checked for presence ('required') and is handed to the
  * model as submitted, so markup typed into the form reaches the database unchanged and has
  * to be escaped or sanitised where it is displayed.
  *
  * @param mixed $open_id Identifier of the record whose current values pre-fill the form.
  * @return void
  */
 public function editstudent($open_id)
 {
     $query['data'] = $this->student->showstudentCon($open_id);

     // No submission yet: just show the form.
     if (!isset($_POST['submit'])) {
         $this->load->view('file/header');
         $this->load->view('file/menu');
         $this->load->view('form', $query);
         $this->load->view('file/footer');
         return;
     }

     // Every form field is mandatory; the field name doubles as its label.
     $requiredFields = array(
         'open_id', 'from', 'to', 'openletter', 'featured', 'title',
         'archieve', 'latest', 'sponsor', 'image', 'category',
     );
     foreach ($requiredFields as $fieldName) {
         $this->form_validation->set_rules($fieldName, $fieldName, 'required');
     }

     // Validation failed: show the form again.
     if (!$this->form_validation->run()) {
         $this->load->view('file/header');
         $this->load->view('file/menu');
         $this->load->view('form', $query);
         $this->load->view('file/footer');
         return;
     }

     $saved = $this->student->updatestudent(
         $_POST['open_id'],
         $_POST['from'],
         $_POST['to'],
         $_POST['openletter'],
         $_POST['featured'],
         $_POST['title'],
         $_POST['archieve'],
         $_POST['latest'],
         $_POST['sponsor'],
         $_POST['image'],
         $_POST['category']
     );

     $this->load->view('file/header');
     $this->load->view('file/menu');
     if ($saved) {
         echo "<div class='success'>", "Successfully Updated", "</div>";
     } else {
         echo "<div class='error'>", "Somthins Is Missing", "</div>";
     }
     $this->load->view('file/footer');
 }

My view Code is (demoview.php):

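<script>
 // Turn the letters table into a DataTables widget once the DOM is ready.
 $(document).ready(function() {
    $('#datatable').DataTable();
} );

</script>
<?php
// Everything printed below comes from the session or from database columns that were filled
// from form input, so it is HTML-escaped at output time. ENT_QUOTES matters because the
// markup in this view uses single-quoted attributes.
// A column that is meant to carry formatting (such as the letter body) should go through an
// allow-list HTML sanitiser before display instead of being echoed raw.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
};
?>
<div class="content">
  <h2>Welcome Back, <?php $name = $this->session->userdata('username'); echo $esc($name); ?>!</h2>


<h2>Open Letters</h2>
        <div class="divider"></div>
        <br/>
 <?php
 // One label per body cell, shared by <thead> and <tfoot>, so that the header, the footer and
 // every row have the same number of columns (the last one holds the Edit/Delete links).
 $labels = array('From', 'To', 'Title', 'open_id', 'archieve', 'latest', 'sponsor', 'Image', 'category', 'Actions');
 $headerRow = "<tr style='border: 1px solid black'>";
 foreach ($labels as $label) {
     $headerRow .= "<th>" . $label . "</th>";
 }
 $headerRow .= "</tr>";

 echo "<table style='border: 1px solid black' id='datatable' class='display' cellspacing='0' width='100%'>";
 echo "<thead>" . $headerRow . "</thead>";
 echo "<tfoot>" . $headerRow . "</tfoot>";
 echo "<tbody>";

 $cellOpen = "<td style='border: 1px solid black'>";
 foreach ($query as $row) {
     $values = array(
         $row->from,
         $row->to,
         $row->title,
         $row->open_id,
         $row->archieve,
         $row->latest,
         $row->sponsor,
         $row->image,
         $row->category,
     );

     echo "<tr style='border: 1px solid black'>";
     foreach ($values as $value) {
         echo $cellOpen . $esc($value) . "</td>";
     }

     // The id becomes a URL path segment inside an attribute: encode it for the URL first,
     // then escape the whole URL for the HTML attribute.
     $idSegment = rawurlencode((string) $row->open_id);
     $editUrl = base_url('index.php/home/editstudent') . '/' . $idSegment;
     $deleteUrl = base_url('index.php/home/deletestudent') . '/' . $idSegment;

     // NOTE(review): Delete is a plain GET link, so the state change is not covered by a
     // CSRF token; whether deletestudent checks authorisation is not visible from this view.
     // Consider a POST form with the framework's CSRF protection enabled.
     echo $cellOpen
         . "<a href='" . $esc($editUrl) . "'>Edit  </a>"
         . "<a href='" . $esc($deleteUrl) . "'>Delete</a>"
         . "</td>";
     echo "</tr>";
 }
 echo "</tbody>";
 echo "</table>";
?>

  <h4><?php echo anchor('home/logout', 'Logout'); ?></h4>
</div><!--<div class="content">-->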
shank

3 Answers


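First, in your model you don't need to return the result of the update (but note that the controller in the question branches on that return value with `if($result)`, so dropping the `return` only works if that check is changed as well); simply do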

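/**
 * Overwrite the `country` row whose open_id equals $open_id with the supplied field values.
 *
 * The result of the update call is returned: the editstudent() controller action shown in the
 * question picks its success or error output with `if($result)`, so a method that returns
 * nothing would always send it down the error branch.
 *
 * NOTE(review): the values are stored as received; markup in $openletter has to be escaped
 * or sanitised where it is displayed.
 *
 * @return mixed Whatever $this->db->update() returns.
 */
public function updatestudent($open_id, $from, $to, $openletter, $featured, $title, $archieve, $latest, $sponsor, $image, $category)
{
    $data = array(
        'open_id'    => $open_id,
        'from'       => $from,
        'to'         => $to,
        'openletter' => $openletter,
        'featured'   => $featured,
        'title'      => $title,
        'archieve'   => $archieve,
        'latest'     => $latest,
        'sponsor'    => $sponsor,
        'image'      => $image,
        'category'   => $category,
    );

    // Restrict the UPDATE to the one record being edited.
    $this->db->where('open_id', $open_id);

    return $this->db->update('country', $data);
}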

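Secondly, it is enough to just do $openletter = strip_tags($_POST['openletter']); and the HTML will be gone; please see strip_tags. Keep in mind that strip_tags only removes tags from the text that gets stored; values should still be HTML-escaped (for example with htmlspecialchars) when they are echoed in the view.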

Ilanus

strip_tags — Strip HTML and PHP tags from a string

string strip_tags ( string $str [, string $allowable_tags ] )

SOURCE: Official Documentation

So, using strip_tags your controller will have:

   // Strip HTML and PHP tags from the submitted letter text.
   $openletter = strip_tags($_POST['openletter']);
bIgBoY

You can use strip_tags in your model file :-

/**
 * Update the `country` row whose open_id equals $open_id, storing the letter text with its
 * HTML and PHP tags removed.
 *
 * NOTE(review): strip_tags() only drops tags; it leaves quotes and ampersands untouched, so
 * it is not a substitute for escaping the value where it is rendered. The remaining fields
 * are stored as received.
 *
 * @return mixed Whatever $this->db->update() returns.
 */
public function updatestudent($open_id, $from, $to, $openletter, $featured, $title, $archieve, $latest, $sponsor, $image, $category)
{
    $plainLetter = strip_tags($openletter);

    // Restrict the UPDATE to the one record being edited.
    $this->db->where('open_id', $open_id);

    return $this->db->update('country', array(
        'open_id'    => $open_id,
        'from'       => $from,
        'to'         => $to,
        'openletter' => $plainLetter,
        'featured'   => $featured,
        'title'      => $title,
        'archieve'   => $archieve,
        'latest'     => $latest,
        'sponsor'    => $sponsor,
        'image'      => $image,
        'category'   => $category,
    ));
}

It may help you.

Harsh Sanghani