Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
278
In other places, like the batchUpdate() function, you'll need to remember that you're passing in category_id and grouping strings that need to be escaped, well before they are processed by your final query:
function batchUpdate(){
    if (count($this->input->post('p_id'))){
        $data = array('category_id' => id_clean($_POST['category_id']),
                      'grouping' => db_clean($_POST['grouping']));
        // The p_id values are joined straight into the WHERE clause below,
        // so they need the same treatment as category_id: clean each one.
        $idlist = implode(",", array_map('id_clean', array_values($this->input->post('p_id'))));
        $where = "id in ($idlist)";
        $this->db->where($where);
        $this->db->update('products',$data);
        $this->session->set_flashdata('message', 'Products updated');
    }else{
        $this->session->set_flashdata('message', 'Nothing to update!');
    }
}
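The following is an added example, not code from the book: id_list_clean() and id_in_clause() are hypothetical helpers that handle the one input batchUpdate() leaves untouched, the posted p_id list that is joined straight into "id in (...)", including the empty-list case that would otherwise produce a malformed query.

```php
<?php
// Added example, not code from the book. id_list_clean() and id_in_clause()
// are hypothetical helpers meant to sit beside the book's id_clean()/db_clean().
// They cover the part of batchUpdate() that the id_clean() calls above do not:
// the p_id values that are joined straight into "id in (...)".

// Reduce a posted p_id array to unique positive integers; anything else is dropped.
function id_list_clean($ids)
{
    if (!is_array($ids)) {
        $ids = array($ids);
    }
    $clean = array();
    foreach ($ids as $id) {
        // Only plain decimal integer strings survive: "3) OR 1=1 --", "", "1.0"
        // and "abc" are rejected outright rather than escaped.
        if ((is_string($id) || is_int($id)) && preg_match('/^[1-9][0-9]*$/', (string) $id)) {
            $clean[(int) $id] = (int) $id;
        }
    }
    return array_values($clean);
}

// Build the WHERE fragment. Returns false for an empty list so the caller can
// skip the UPDATE instead of issuing "id in ()", which is a SQL syntax error.
function id_in_clause($ids)
{
    $clean = id_list_clean($ids);
    if (count($clean) == 0) {
        return false;
    }
    return 'id in (' . implode(',', $clean) . ')';
}

// Constructed input standing in for $this->input->post('p_id'):
// two valid ids, one duplicate, and three values that must never reach the query.
$posted = array('12', '7', '12', '3) OR 1=1 --', '', 'abc');
$where = id_in_clause($posted);
if ($where === false) {
    echo "Nothing to update!\n";
} else {
    echo $where, "\n";
}
```

Inside a model the same cleaned array can be handed to Active Record's $this->db->where_in('id', id_list_clean($ids)), so the database driver escapes each value and no WHERE string is assembled by hand.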
The complete list of functions that need securing includes:
getProduct()
getProductsByCategory()
getProductsByGroup()
getRandomProducts()
search()
addProduct()
updateProduct()
deleteProduct()
batchUpdate()
Securing the MSizes Model
Treat the MSizes model pretty much the same as you did MColors. The same rules apply in almost the
identical places, give or take a function name change here or there.
function getSize($id){
    $data = array();
    $options = array('id' => id_clean($id));
    $Q = $this->db->getwhere('sizes',$options,1);
    if ($Q->num_rows() > 0){
        $data = $Q->row_array();
    }
    $Q->free_result();
    return $data;
}
function createSize(){
$data = array(
c09.indd 278
6/10/08 5:38:02 PM