I am using codeigniter form validation and i have set some rules for my form fields. When i type %50 or %test% , I don't get the rest of the texts posted after the first occurrence of % character.
Please help how to solve this.
remove the 'xss_clean' rule.
consider your text box /textarea's name would be, 'mine'
$this->form_validation('mine','Mine', 'trim|required|xss_clean');
to
$this->form_validation('mine','Mine', 'trim|required');
xss clean prevent scripts and encode.
Codeigniter validation library for v3.1.4. Click here
Also use second parameter "true" for input filter:
$this->input->post('data', true);
$this->input->get('data', true);
Related
I am a beginner codeigniter developer and need your help.
I have a form that the is submitted to a function in the controller and I want to apply the form_validation library rules on the post data received from the form.
All I need to know is this:
Does $config['global_xss_filtering'] switch in input class do the same job as xss_clean rule in form_validation class?
Yes it's same. If you have enabled $config['global_xss_filtering'] through the config file you don't have to call xss_clean in form validation,
but if you have switched off $config['global_xss_filtering'], you have to call xss_clean in form validation and also you have to add additional parameter (TRUE or FALSE) in input->post function as well in order to do xss filtering. see below.
$name = trim($this->input->post('name',TRUE));
This will be helpful if you are using WYSIWYG editor in your application, then you have to switch off $config['global_xss_filtering'] and you have to pass additional parameter in input->post function like above, TRUE - for enable filtering and FALSE for disabling (Wherever you use WYSIWYG editor).
CodeIgniter provides a couple of convenient APIs for XSS filtering.
'global_xss_filtering' in config.php.
'xss_clean' rule for individual fields, when using the form validation library.
If you use this feature, does it avoid the need to escape fields when outputting them?
There are some situations where xss_clean will not protect you. Issue 470 includes this example:
public function index()
{
$name = $this->security->xss_clean('hover me" onmouseover=alert("XSS2") "');
echo '</div>Name:<input value="'.$name.'">';
echo '</body></html>';
}
The response from developers was that this is by design, and to suggest that $name should have been escaped using form_prep().
If you use set_value('field-name', 'default') in order to preserve user input when a form fails validation), that will ... attempt to call form_prep() for you. The caveat is that if you don't have the form validation library loaded, it won't escape the 'default' parameter. (Issue 1781, fixed in 3.0-dev).
If you are running the current 3.0-dev, then form_prep() is more specific about which characters it escapes. It should avoid XSS either way; it just has unexpected results in some situations. E.g. if you try to enter a literal "&" in 3.0-dev, and then the form fails validation, the field value will change to & without warning. This change was an attempt to work around problems with double-escaping (issue 1953).
I have a form validation rule of something like this
$this->form_validation->set_rules('name', 'Name', 'trim|required|strip_tags|xss_clean|callback__name_check');
Now if anyone enters <p></p> or equivalent (empty tags), the result will be empty, but somehow required rule will pass as well, resulting in blank name when inserting to database.
I can do an extra check before inserting, but I wonder if there's a way in CI to prevent that?
Thanks
Have you tried to switch required and strip_tags in this rule?
$this->form_validation->set_rules('name', 'Name', 'trim|strip_tags|required|xss_clean|callback__name_check');
Try to delete the strip_tags rule (not appear in the codeigniter user guide) and try with:
$this->form_validation->set_rules('name', 'Name', 'trim|required|prep_for_form|xss_clean|callback__name_check');
I think that this is usefull for you
User guide says:
prep_for_form
Converts special characters so that HTML data can be shown in a form field without breaking it.
http://codeigniter.com/user_guide/libraries/form_validation.html
I am using Codeigniter form validation. In my registration form the Username field allows only numbers like 123456. I don't want this to happen.
My validation rule is as follows
'rules'=>'trim|required|alpha_numeric|min_length[6]|xss_clean'
I want to prevent users entering just numeric strings. Alpha numeric strings are fine, alpha strings are fine, but purely numeric ones are not.
To allow only letters
Add alpha to your rules and remove alpha_numeric from your rules
You can use this page as a point of reference for built in validation rules.
Edit:
Since you've clarified now.
To achieve this, there's no built in validation rule. You will need to extend the Form_validation library by creating a libraries/MY_Form_validation.php file. See this manual page on how to extend libraries.
In this file, create the following function
function at_least_one_letter($string) {
return preg_match('#[a-zA-Z]#', $string);
}
Then you can add the validation rule at_least_one_letter to your rules.
According to the codeigniter user manual :
You can also use any native PHP functions that permit one parameter.
I think in this case is_int could be used as your validation rule.
So, for instance:
'rules'=>'trim|required|is_int|min_length[6]|xss_clean',
I have an e-mail field which is -not- required in my form validation. It should be able to be left blank. However, when I use the "valid_email" parameter of the form validation's set_rules, it still gives an error message that the e-mail is not valid when it's not supposed to check this if the field has not been filled out.
Rule Reference
Checking the reference on this matter tells us the following regarding the valid email rule:
Returns FALSE if the form element does not contain a valid email address.
This would be true of an empty field, as well as a field with bad values.
Trimming
I notice in the examples provided by CodeIgniter that emails are usually not only required, and required to be valid emails, but are also trimmed. This may result in a different outcome.
$this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
During the validation process, the following is considered:
// If the field is blank, but NOT required, no further tests are necessary
if ( ! in_array('required', $rules) AND is_null($postdata))
It may be the case that the contents of your email field aren't exactly null, and are therefore raising flags with the valid_email requirement.
Possible Related Bugs
Three months prior to the date of this answer there was discussion on bitbucket regarding this very topic. The discussion can be viewed at https://bitbucket.org/ellislab/codeigniter-reactor/issue/117/input-fields-are-automatically-required.
It's stated that using array-syntax (see below) in the markup results in similar errors even when the required rule is not set:
<input name="user[email]" />
Further discussion, and patches, are available here, http://codeigniter.com/forums/viewthread/159243. One suggest patch that seems to solve the issue is to replace the is_null() call with empty() in the aforementioned code:
So the following:
if ( ! in_array('required', $rules) AND is_null($postdata))
Becomes:
if ( ! in_array('required', $rules) AND empty($postdata))
according to https://codeigniter.com/user_guide/libraries/validation.html?highlight=validation#id28
use permit_empty this
Allows the field to receive an empty array, empty string, null or
false
so your code looks like this:
$this->form_validation->set_rules('email', 'Email', 'permit_empty|valid_email');
You just have to appreciate that '' IS not a valid e-mail address. If you don't want to validate some postdata and don't care if it's empty, you shouldn't set a rule on it, like so:
if($this->input->post('item'))
{
$this->form_validation->set_rules('item', 'Item number', 'trim|alpha_numeric|max_length[30]');
}
In this case, if there is nothing submitted for 'item', no rule is added, so the rest of the data would go on to validation stage etc. as normal.