Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
277
Securing the MPages Model
The MPages model is handled like all the rest: protect the getPage() function, getPagePath(), and every function that inserts, updates, or deletes records. For example, here is the addPage() function:
    function addPage(){
        $data = array(
            'name'        => db_clean($_POST['name']),
            'keywords'    => db_clean($_POST['keywords']),
            'description' => db_clean($_POST['description']),
            'status'      => db_clean($_POST['status'], 8),
            'path'        => db_clean($_POST['path']),
            // content holds the page's HTML, so it is passed through untouched
            'content'     => $_POST['content']
        );
        $this->db->insert('pages', $data);
    }
Notice that in this case the content field of the pages table is meant to hold HTML, so you're not going to add any restrictions to it. The insert() call still quotes the value for the database, so this is not a SQL injection hole; what it does mean is that whoever is allowed to call addPage() can publish arbitrary markup, so the access control on the controller that calls this function is what keeps the content field from becoming a stored cross-site scripting problem.
The complete list of functions that must be secured in this model includes:

    addPage()
    updatePage()
    deletePage()
    getPage()
    getPagePath()
Securing the MProducts Model
The MProducts model is by far the largest in this application -- and for good reason! Just about
everything of consequence that happens in this application happens because of (or to) a product. Site
visitors view products, navigate to products, and see related products. Colors and sizes that have been
assigned to a product need to be displayed along with that product.
Some of the security cleanup will be very easy, as with the getProduct() function:
    function getProduct($id){
        $data = array();
        // id_clean() forces the id to a plain integer before it reaches the query
        $options = array('id' => id_clean($id));
        $Q = $this->db->getwhere('products', $options, 1);
        if ($Q->num_rows() > 0){
            $data = $Q->row_array();
        }
        $Q->free_result();
        return $data;
    }
c09.indd 277
6/10/08 5:38:01 PM