Home/ Questions/Q 9202055
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T23:10:03+00:00

When I used PHP without any framework, I would validate a post with something

  • 0

When I used PHP without any framework, I would validate a post with something like this

$username = trim(mysql_real_escape_string($_POST['username']));

but in CodeIgniter I do something like

$username = $this->input->post('username');

does CodeIgniter clean the string or I have to do it?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    CodeIgniter’s input class fetches all information from $_POST via the xss_clean() filter method in the security class.

    The documentation for this method and indeed its very name suggest that this is not a query string sanitizer (as proposed in the question). Instead, CI cleverly performs the sanitization before performing queries when using the database driver and bindings.

    An adaptation of the database queries documentation under “Query Bindings”:

    $sql = "SELECT * FROM some_table WHERE id = ?";

$this->db->query($sql, array($this->input->post('id')));
    • 0