I use CodeIgniter for my backend and have been struggling to find a good way to pass POST or GET data to its active record functions. This week I’ve found a pretty nice filtering technique I want to share with you.
Let’s start with CodeIgniter’s user guide example of inserting data.
$data = array( 'title' => 'My title', 'name' => 'My Name', 'date' => 'My date' ); $this->db->insert('mytable', $data);
insert accepts two parameters. First is the table name
and second is the data to insert provided as an associative array
having keys as row names and values as the actual data.
The main problem is building a CodeIgniter compatible array from
POST or GET data. To create it we will use the
elements function, which is provided by CodeIgniter's
array_helper and lets you fetch a number of items from
an array. This is what I’ve come up with:
$filter = array( 'name', 'age', 'gender' ); $data = elements($filter, array_filter($this->input->post(NULL, TRUE)), NULL); $this->db->insert('person', $data);
At first we create a filter array defining which rows we want to be
inserted. You can leave out rows which you don’t want to be
influenced by user’s input provided that you’ve set up MySQL
correctly. If any of these rows are not in the POST array they will
be set to
NULL, which we have defined with the third
parameter of the
elements function. This also ensures
that fields in your database being set to
NOT NULL will
throw an mysql error and the data will be refused. You could leave
out the two parameters being passed to
post() if you
have globals XSS filtering enabled.
While this works fine for inserting data we need to add another function for updating. This is how it looks like:
$filter = array( 'name', 'age', 'gender' ); $data = array_filter(elements($filter, $this->input->post(NULL, TRUE))); $this->db->where('id', $id); $this->db->update('person', $data);
This time we leave out the third parameter of
Its default value is false, that’s why each data not provided by
POST, but required by our filter array will be set to false.
Afterwards we filter the result of elements with
array_filter, a standard PHP function, iterating over
each element of its input array and passing it to a callback
function. We haven’t provided a callback which as a result removes
every item with a false value
(null, false,'',0). As
post items being always strings
0 will still work, but not provided data won’t be
passed to the update function. To summarize only items of the filter
array will be passed to the update function if any of those are
I hope this could help you and I appreciate your feedback.
I’ve just recognized that you should use
array_filter on inserts too, but in reverse order to
avoid empty strings being inserted in fields which do not allow
NULL. I’ve updated the code sample in the article.