Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
                echo $FDATA . "\n";
                // A cell that validated is carried forward as a hidden field so the
                // next request can import it; a cell that failed validation gets a
                // blank placeholder instead. Note that $FDATA is echoed as-is, so
                // escape it with htmlspecialchars() if the CSV can carry markup.
                if ($error[$FIELD] == false){
                    echo form_hidden("line_$key"."[".$FIELD."]", $FDATA);
                }else{
                    echo "&nbsp;";
                }
                echo "</td>\n";
            }
        }
        echo "</tr>\n";
    }
?>
</table>
<?php
    // Flag the next request as the real import, then close the form.
    echo form_hidden('csvgo', true);
    echo form_close();
}else{
    echo "<h1>We detected a problem...</h1>";
    echo "<p>No records to import! Please try again.</p>";
}
?>
Handling Exceptions in Controller Functions
Once you have all of this work in place, you have a much more secure environment, at least when it comes to handling user input. However, you'll notice a few idiosyncrasies. For example, if you visit a product page with a very large number in the URL, what do you think happens? At this point the getProduct() function is already running the ID through your new id_clean() function, so the value can do no harm to the query.

If you try to open product/138939018830190938, some other nonsensical number, or even product/iamhackingyou, you'll be sent back to the home page. Why? Because in your Welcome controller you wrote the product() function so that any visitor trying to view a product that isn't live is sent back to the home page:
function product($productid){
    // The model sanitizes $productid with id_clean() before querying.
    $product = $this->MProducts->getProduct($productid);
    // An empty result (no such product, or not live) sends the visitor home.
    if (!count($product)){
        redirect('welcome/index','refresh');
    }
    //function continues. . .
}
In other words, you're using the argument passed in to the getProduct() function to determine which product to fetch from the database table. This model function automatically passes that ID argument through the custom id_clean() function you added to the helper extension file. If no record is retrieved from the database, the $product array is empty and therefore fails the count() test. (You're doing a similar test in the category() function.)
Some may argue that sending users back to the home page is a silly idea, and that what you should be doing is sending them on to a custom 404 page, but the point is moot. Yes, you're doing a good thing by passing
c09.indd 282
6/10/08 5:38:03 PM