Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
279
        'name' => db_clean($_POST['name'], 32),
        'status' => db_clean($_POST['status'], 8)
    );
    $this->db->insert('sizes', $data);
}

function updateSize(){
    $data = array(
        'name' => db_clean($_POST['name'], 32),
        'status' => db_clean($_POST['status'], 8)
    );
    $this->db->where('id', id_clean($_POST['id']));
    $this->db->update('sizes', $data);
}

function deleteSize($id){
    $data = array('status' => 'inactive');
    $this->db->where('id', id_clean($id));
    $this->db->update('sizes', $data);
}
Securing the MSubscribers Model
The MSubscribers model is just as simple as MColors or MSizes. Here's how you would secure the updateSubscriber() function:

function updateSubscriber(){
    $data = array(
        'name' => db_clean($_POST['name']),
        'email' => db_clean($_POST['email'])
    );
    $this->db->where('id', id_clean($_POST['id']));
    $this->db->update('subscribers', $data);
}
The complete list of functions that need securing includes:

    getSubscriber()
    updateSubscriber()
    removeSubscriber()
    getSubscriber()
Securing the CSV Import Functions
At the moment, the CSV import functions in the MProducts model aren't very secure: they accept any header provided in the spreadsheet as a valid column name, and no escaping is performed on the data fields themselves.
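To make the two points on this page concrete (length-bounded cleaning of model inputs, and refusing spreadsheet headers that are not known columns), here is an added, stand-alone PHP example. It is not code from the book or from the CodeIgniter project. db_clean() and id_clean() are hypothetical reconstructions of the helpers the chapter's models call, standing in for the book's own definitions; validate_csv_header(), clean_csv_row() and the $product_columns whitelist are assumed names over a constructed schema, since the MProducts table layout is not on this page.

```php
<?php
// Added example, not code from the book. db_clean() and id_clean() below are
// hypothetical reconstructions of the contract the chapter's model code relies
// on (a length-bounded string cleaner and an integer-only id cleaner); the
// book defines its own versions elsewhere. validate_csv_header(),
// clean_csv_row() and the $product_columns whitelist are likewise assumptions.

// Bound a string for a VARCHAR column: trim, drop HTML tags and control
// characters, then truncate to $maxlen bytes (0 = no limit). SQL escaping is
// left to CodeIgniter's Active Record, which escapes the values passed to
// insert()/update()/insert_batch().
function db_clean($value, $maxlen = 0)
{
    $value = trim((string) $value);
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    if ($maxlen > 0 && strlen($value) > $maxlen) {
        $value = substr($value, 0, $maxlen);
    }
    return $value;
}

// Accept only an unsigned integer for a primary-key WHERE clause. Anything
// else becomes 0, which never matches an auto-increment id.
function id_clean($id)
{
    return preg_match('/^\d+$/', (string) $id) ? (int) $id : 0;
}

// Whitelist of importable product columns and their maximum lengths
// (constructed for this example; the real products schema is not on this page).
$product_columns = array(
    'name'   => 64,
    'price'  => 10,
    'status' => 8,
);

// Check an uploaded header row against the whitelist. Every header must be a
// known column and appear only once; otherwise the import is refused before
// any row is touched. Returns the normalised column names in file order.
function validate_csv_header(array $header, array $allowed)
{
    $columns = array();
    foreach ($header as $h) {
        $h = strtolower(trim($h));
        if (!array_key_exists($h, $allowed)) {
            throw new InvalidArgumentException("Unknown column in CSV header: $h");
        }
        if (in_array($h, $columns, true)) {
            throw new InvalidArgumentException("Duplicate column in CSV header: $h");
        }
        $columns[] = $h;
    }
    return $columns;
}

// Clean one data row into column => value form, each field bounded by the
// whitelist length, ready for $this->db->insert_batch('products', $rows).
function clean_csv_row(array $columns, array $row, array $allowed)
{
    if (count($row) !== count($columns)) {
        throw new InvalidArgumentException('Row has wrong number of fields');
    }
    $clean = array();
    foreach ($columns as $i => $col) {
        $clean[$col] = db_clean($row[$i], $allowed[$col]);
    }
    return $clean;
}

// Constructed sample input: a header carrying a column the table does not
// have, then a valid header and a data row with a tag-laden, over-long field.
$bad_header  = array('name', 'price', 'status', 'unexpected_col');
$good_header = array('Name', 'price', 'status');
$sample_row  = array(
    '<b>Wide Belt</b> ' . str_repeat('x', 100),
    '19.99',
    'active',
);

try {
    validate_csv_header($bad_header, $product_columns);
} catch (InvalidArgumentException $e) {
    echo 'Import refused: ', $e->getMessage(), PHP_EOL;
}

$columns = validate_csv_header($good_header, $product_columns);
$rows    = array(clean_csv_row($columns, $sample_row, $product_columns));
var_dump($rows);   // the name field comes back tag-free and within the 64-byte bound
var_dump(id_clean('42'), id_clean('not-a-number'));
```

Refusing the whole file on the first unknown or duplicated header is deliberate: silently dropping unknown columns would hide a broken export from the person doing the import. The cleaned rows are in the array-of-arrays shape Active Record's insert_batch() takes, which is where the SQL escaping of the field values happens.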
c09.indd 279
6/10/08 5:38:02 PM