Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
276
Securing the MOrders Model
Although the MOrders model never touches a database, that doesn't mean you can just ignore it. You have incoming data (a productid, in most cases) that needs to be untainted before you trust it. In the case of the updateCart() function, simply add a line near the top of the function that runs the incoming $productid variable through id_clean():
function updateCart($productid, $fullproduct) {
    // pull in existing cart first!
    $cart = $this->session->userdata('cart');
    $productid = id_clean($productid);
    $totalprice = 0;
    // function continues...
}
Do the same thing with the removeLineItem() function:
function removeLineItem($id) {
    $id = id_clean($id);
    $totalprice = 0;
    $cart = $this->session->userdata('cart');
    // function continues...
}
The final function, updateCartAjax(), is a bit more complicated, but the principle remains the same. You're passing a list of IDs to the function, which gets pulled apart by explode() and then looped through like any array. Eventually, a second layer is pulled open by explode() (this time by splitting on the colon character). At this point, run id_clean() on $fields[0] to clean up the ID and make it safe for handling.
function updateCartAjax($idlist) {
    $cart = $this->session->userdata('cart');
    // split idlist on comma first
    $records = explode(',', $idlist);
    $updated = 0;
    $totalprice = $this->session->userdata('totalprice');
    if (count($records)) {
        foreach ($records as $record) {
            if (strlen($record)) {
                // split each record on colon
                $fields = explode(':', $record);
                $id = id_clean($fields[0]);
                $ct = $fields[1];
                // rest of function...
            }
        }
    }
}
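As an added example (not the book's code), the record-parsing core of updateCartAjax() is written below as a stand-alone function that also validates the quantity field and skips malformed records, since the Ajax list is user-supplied end to end. The id_clean() body is an assumed digits-only stand-in for the chapter's helper, and parseCartIdList() is a name chosen here.

```php
<?php
// Assumed stand-in for the chapter's id_clean() helper so the example runs
// on its own: keep only digits, dropping anything else the client sent.
function id_clean($id)
{
    return preg_replace('/[^0-9]/', '', (string) $id);
}

// Parse an Ajax id list such as "12:3,15:1" into an array of
// productid => quantity. Same explode()/explode() structure as
// updateCartAjax(), with the checks a tampered or malformed list needs:
// empty records are skipped, records without exactly one colon are
// skipped, the ID goes through id_clean(), and the quantity (also
// untrusted input) is forced to a non-negative integer.
function parseCartIdList($idlist)
{
    $items = array();
    foreach (explode(',', $idlist) as $record) {
        if (strlen($record) === 0) {
            continue;               // trailing comma or ",,"
        }
        $fields = explode(':', $record);
        if (count($fields) !== 2) {
            continue;               // "7" or "12:3:4" is not a valid record
        }
        $id = id_clean($fields[0]);
        if ($id === '') {
            continue;               // nothing numeric survived cleaning
        }
        $ct = (int) $fields[1];     // never use the raw quantity string
        if ($ct < 0) {
            $ct = 0;
        }
        $items[$id] = $ct;
    }
    return $items;
}

// Constructed sample inputs: a well-formed list, then a tampered one in
// which the IDs and quantities carry junk the client should never send.
$clean   = parseCartIdList('12:3,15:1');
$tainted = parseCartIdList('12abc:3,,abc:2,15:-4,7');
var_export($clean);
echo PHP_EOL;
var_export($tainted);
echo PHP_EOL;
```

The tainted list reduces to product 12 with quantity 3 and product 15 with quantity 0; the non-numeric ID, the colon-less record and the empty record are all dropped rather than reaching the cart.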