Wednesday, 15 June 2011

php - Understanding HTML Purifier


I'm using CodeIgniter. I have 4 forms (student sign-in, login form, create account, and request account).

At the moment I'm filtering input on one of the forms (create account) like so:

function create()
{
    $this->load->library('bcrypt');
    $this->load->library('form_validation');

    // Name fields: letters only, capped length.
    $this->form_validation->set_rules('fname', 'first name', 'trim|required|alpha|max_length[14]');
    $this->form_validation->set_rules('lname', 'last name', 'trim|required|alpha|max_length[14]');

    // Email must be syntactically valid and not already registered.
    $this->form_validation->set_rules('email', 'email address', 'trim|required|is_unique[users.email]|valid_email');

    // Username: alphanumeric, unique, 4-15 characters (stray empty "||" rule removed).
    $this->form_validation->set_rules('username', 'username', 'trim|is_unique[users.username]|required|alpha_numeric|min_length[4]|max_length[15]');

    // Password and its confirmation must match and share the same constraints.
    $this->form_validation->set_rules('password', 'password', 'trim|required|min_length[7]|alpha_dash|max_length[20]');
    $this->form_validation->set_rules('passwordconf', 'confirm password', 'trim|required|min_length[7]|max_length[20]|matches[password]|alpha_dash');

    if ($this->form_validation->run() == false) {
        // Validation failed: redisplay the form with the error messages.
        $this->view();
    }
    // On success the record is inserted with PDO prepared queries (not shown in the question).
}

To my understanding, HTML Purifier should be used when user info is going to be echoed/outputted as HTML in a table, forum, blog (etc.). Is my understanding correct? I'm asking because the student login form is used to enter info into the database. The student queue page is used to select ... ... from the database. What's confusing me is that when I create the output for the student queue, the info is housed in the database. It won't be posted directly.

So in turn my train of thought goes as follows:

Validate the info, making sure it's what I expect; filter the info with xss_clean, as I am doing. Use PDO prepared queries to insert the info into the DB (now this step confuses me): how should I echo the database data? Should I use HTML Purifier at this step?

Sorry if this question has been asked 1000000 times, I can't seem to find what I'm looking for. I'm not grasping the concept of HTML Purifier.

Edit 1: I'm using the global xss_clean filter in the config file.

HTML Purifier is for when you have a string whose datatype is HTML and you want to restrict what kinds of HTML may appear in it.

However, none of the fields you have here are HTML; they're just strings. To display them, escape the strings for display in HTML, as you would any string.

More recent versions of CodeIgniter have an html_escape() function. Use it in your views like so:

<p><?=html_escape($mystring)?></p>

If you're using an older version, use htmlspecialchars($mystring, ENT_NOQUOTES, 'utf-8') directly. You should wrap it in a one-argument function.

php codeigniter security xss
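The store-then-display flow the answer describes, as an added example that is not part of the original question or answer and not CodeIgniter's or HTML Purifier's own code. It assumes an in-memory SQLite database through PDO so it runs offline; the column names follow the form fields in the question, the two sample rows are constructed (the second deliberately carries markup), and the one-argument wrapper h() is the kind of function the answer suggests writing.

```php
<?php
// Added example, not from the original page. Assumes PHP with the PDO
// SQLite driver; table and column names mirror the question's form fields.
declare(strict_types=1);

/** One-argument escaping wrapper for plain-string output in HTML. */
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and " so the result is also safe inside a
    // quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string (which would silently drop the value).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Store: a prepared statement takes the raw, validated string. Nothing is
//    escaped on the way in, so the database holds exactly what the user typed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT, email TEXT, username TEXT)');

$insert = $pdo->prepare(
    'INSERT INTO users (fname, lname, email, username) VALUES (:fname, :lname, :email, :username)'
);
// Constructed sample rows; the second one carries markup to show that
// storing it is harmless as long as output is escaped.
$insert->execute(['fname' => 'Ada', 'lname' => 'Lovelace', 'email' => 'ada@example.org', 'username' => 'ada']);
$insert->execute([
    'fname'    => '<script>alert(1)</script>',
    'lname'    => "O'Brien",
    'email'    => 'x@example.org',
    'username' => '"><img src=x onerror=alert(1)>',
]);

// 2. Display: escape at output time, in the view, for every value, including
//    the ones placed inside attributes.
$rows = $pdo->query('SELECT fname, lname, email, username FROM users ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);

echo "<table>\n";
foreach ($rows as $row) {
    echo '<tr>';
    echo '<td>' . h($row['fname']) . '</td>';
    echo '<td>' . h($row['lname']) . '</td>';
    echo '<td><a href="mailto:' . h($row['email']) . '">' . h($row['email']) . '</a></td>';
    echo '<td data-user="' . h($row['username']) . '">' . h($row['username']) . '</td>';
    echo "</tr>\n";
}
echo "</table>\n";

// 3. HTML Purifier only enters the picture for a field that is *meant* to
//    hold HTML (a bio, a forum post). It filters the markup down to an
//    allowed subset instead of escaping it, so it is never applied to the
//    plain-string columns above. Shown as a comment because it needs the
//    library installed:
//   $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
//   echo $purifier->purify($row['bio']);
```

Running this prints a table in which the second row shows the literal text `<script>alert(1)</script>` and `"><img src=x onerror=alert(1)>` rather than executing anything, and the `data-user` attribute stays closed because the double quote was escaped. That last point is why the wrapper uses ENT_QUOTES rather than the ENT_NOQUOTES flag mentioned in the answer: with ENT_NOQUOTES a value echoed inside a quoted attribute can terminate the attribute. CodeIgniter's html_escape() makes the same choice, calling htmlspecialchars() with ENT_QUOTES, so in a view `html_escape($row['username'])` is interchangeable with `h()` here.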
