FuelPHP Forums
unescape results?
  • Hi, when I get the DB contents and print them to the page it escapes the HTML, and I need it not to do so...
    How do I unescape? Thanks
  • After this save, when you look into the database (via e.g. phpMyAdmin), do the results seem to be escaped?
  • Jaroslav Petrusevic wrote on Thursday 11th of August 2011:
    After this save, when you look into the database (via e.g. phpMyAdmin), do the results seem to be escaped?

    That is what I see in phpMyAdmin after the save: http://screencast.com/t/rSKZkEXmtZU (look at the msg table).
  • I see you have $val(), so you probably have some validation added; please show the FULL method of the controller.
  • Jaroslav Petrusevic wrote on Thursday 11th of August 2011:
    I see you have $val(), so you probably have some validation added; please show the FULL method of the controller.

    Here we go:
    public function action_noticia()
    {
        // Only authenticated users may reach this admin action
        if ( ! Auth::check())
        {
            Response::redirect('admin/login');
            exit();
        }

        $data = array();
        $data['errors'] = false;

        if (isset($_POST['add']))
        {
            $val = Validation::factory('noticia');
            // Portuguese validation messages shown to the admin
            $val->set_message('required',   'O campo <strong>:label</strong> é necessário.');
            $val->set_message('min_length', 'O campo <strong>:label</strong> tem que conter no mínimo <strong>:param:1</strong> caracteres.');
            $val->set_message('max_length', 'O campo <strong>:label</strong> não pode conter mais que <strong>:param:1</strong> caracteres.');
            $val->add_field('titulo',    'Titulo',           'required|min_length[3]|max_length[255]');
            $val->add_field('pimg',      'Imagem principal', 'min_length[3]');
            $val->add_field('descricao', 'Descrição',        'min_length[3]');
            $val->add_field('texto',     'Texto',            'required|min_length[5]');
            //$val->add_field('inhome',  'Mostrar na página principal', NULL);

            // run validation on just post
            if ($val->run())
            {
                $new = new Model_Noticias();
                $new->username = Auth::get_screen_name();
                $new->titulo   = Input::post('titulo');
                // keep only the last path segment of the submitted image URL
                $img = Input::post('pimg');
                if ($img)
                {
                    $arr = explode('/', $img);
                    $arr = array_reverse($arr);
                    $img = $arr[0];
                }
                $new->pimg      = $img;
                $new->descricao = Input::post('descricao');
                $new->msg       = Input::post('texto');
                $new->inhome    = Input::post('inhome');
                $new->save();
            }
            else
            {
                foreach ($val->errors() as $error)
                {
                    $data['errors'] .= $error.'<br />';
                }
            }
        }
        elseif (isset($_POST['edit']))
        {
            $val = Validation::factory('noticia');
            $val->set_message('required',   'O campo <strong>:label</strong> é necessário.');
            $val->set_message('min_length', 'O campo <strong>:label</strong> tem que conter no mínimo <strong>:param:1</strong> caracteres.');
            $val->set_message('max_length', 'O campo <strong>:label</strong> não pode conter mais que <strong>:param:1</strong> caracteres.');
            $val->add_field('edit_id',   'ID',               'required');
            $val->add_field('titulo',    'Titulo',           'required|min_length[3]|max_length[255]');
            $val->add_field('pimg',      'Imagem principal', 'min_length[3]');
            $val->add_field('descricao', 'Descrição',        'min_length[3]');
            $val->add_field('texto',     'Texto',            'required|min_length[5]');
            //$val->add_field('inhome',  'Mostrar na página principal', NULL);

            // run validation on just post
            if ($val->run())
            {
                $entry = Model_Noticias::find(Input::post('edit_id'));
                // find() returns null for an unknown id; guard before writing to it
                if ($entry)
                {
                    $entry->username = Auth::get_screen_name();
                    $entry->titulo   = Input::post('titulo');
                    // keep only the last path segment of the submitted image URL
                    $img = Input::post('pimg');
                    if ($img)
                    {
                        $arr = explode('/', $img);
                        $arr = array_reverse($arr);
                        $img = $arr[0];
                    }
                    $entry->pimg      = $img;
                    $entry->descricao = Input::post('descricao');
                    $entry->msg       = Input::post('texto');
                    $entry->inhome    = Input::post('inhome');
                    $entry->save();
                }
            }
            else
            {
                foreach ($val->errors() as $error)
                {
                    $data['errors'] .= $error.'<br />';
                }
                $data['isedit'] = true;
                $data['edit']   = Model_Noticias::find(Input::post('edit_id'));
            }
        }
        elseif (isset($_POST['editNew']))
        {
            $val = Validation::factory('noticiaedit');
            $val->add_field('edit_id', 'ID', 'required');
            if ($val->run() && is_numeric(Input::post('edit_id')))
            {
                $entry = Model_Noticias::find(Input::post('edit_id'));
                $data['isedit'] = true;
                $data['edit']   = $entry;
                //$entry->delete();
            }
            else
            {
                $data['errors'] = "A noticia não pode ser editada! Tente novamente.";
            }
        }
        elseif (isset($_POST['apagarNew']))
        {
            $val = Validation::factory('noticiadelete');
            $val->add_field('edit_id', 'ID', 'required');
            if ($val->run() && is_numeric(Input::post('edit_id')))
            {
                $entry = Model_Noticias::find(Input::post('edit_id'));
                // guard against deleting a record that does not exist
                if ($entry)
                {
                    $entry->delete();
                }
            }
            else
            {
                $data['errors'] = "A noticia não pode ser apagada! Tente novamente.";
            }
        }

        $this->template->title = 'Administração - Noticias';
        $query = Model_Noticias::find()->select('id', 'titulo')->order_by('date', 'desc');
        $data['noticias'] = $query->get();
        $this->template->content = View::factory('admin/noticia', $data);
    }

  • I know I'm digging up an old thread, but I have the exact same issue. I managed to avoid having the HTML escaped, but I'm now stuck with the quotes being escaped.
    Contrary to the HTML, these are escaped before getting into the DB, so I guess it's part of the FuelPHP security system to prevent SQL injection. As I need this functionality to store and retrieve raw HTML, I have to say it's a pain in the *** to find another way around this (I obviously don't want to have to go with a post-treatment to unescape my data...). Anyway, I'm all ears if anyone has some good suggestions!
  • I ended up putting a simple stripslashes($data) in my views.
    The performance impact seems not that bad.
  • I'd like to know what your specific environment is. I don't have any issue whatsoever in storing data in the database, and I've never seen such issues. Can you give an example of input, code to put it in the database, and code used to retrieve it?
  • I have the same issue: when I save a record to the DB the escaping is right, but when I retrieve it and put it into a view (or into a form, in my case) the content is unescaped. (I'm using ORM and Fieldsets.) Example code: http://scrp.at/aWr
    Result: http://i40.tinypic.com/n31zbn.jpg
  • Eh... I've found my problem.
    I use MAMP on OS X and it has magic_quotes_gpc enabled by default. I've turned it off and it works fine!!!
    Now in the DB table I don't have any escape chars... but is it secure??? (I use the ORM)
  • Magic quotes basically sucks and has been deprecated since 5.3.0. It doesn't offer any kind of real security and should never be relied upon. This is done by PHP to all your POST vars and thus has nothing to do with either the ORM or the query builder. The ORM relies upon the query builder, which does secure queries against SQL injection. Except when you put statements in a Database_Expression object, for example with DB::expr(): those are of course not sanitised, as that's the whole point of those.
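The following standalone PHP script is an added example, not FuelPHP's own code or code from this thread. It reproduces the backslashes visible in the phpMyAdmin screenshot (what magic_quotes_gpc did to every POST value before any framework code ran) and shows the one place where they can legitimately be undone: at the input boundary, not with stripslashes() or str_replace() in a view. It assumes php-cli with the pdo_sqlite extension; the table, the submitted form values and the function names are constructed for the example. The storage path uses PDO prepared statements, which give the same property Harro describes for the Fuel query builder (the driver quotes the values), so neither addslashes() nor stripslashes() belongs anywhere on that path.

```php
<?php
// Added example, not FuelPHP project code. Assumes php-cli with pdo_sqlite;
// the table, the form submission and the function names are constructed here.

/** What PHP itself did to every GPC value while magic_quotes_gpc was on (removed in PHP 5.4). */
function apply_magic_quotes(array $gpc)
{
    $out = array();
    foreach ($gpc as $k => $v)
    {
        $out[$k] = is_array($v) ? apply_magic_quotes($v) : addslashes($v);
    }
    return $out;
}

/** Inverse of the above; run once at the input boundary, never in views. */
function strip_magic_quotes(array $gpc)
{
    $out = array();
    foreach ($gpc as $k => $v)
    {
        $out[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes($v);
    }
    return $out;
}

/**
 * Normalise a request array. With no second argument it asks PHP whether magic
 * quotes are on (get_magic_quotes_gpc() exists up to PHP 7.4 and always returns
 * false from 5.4), so on a modern PHP this is a no-op and the data is untouched.
 */
function normalize_post(array $post, $magic_quotes_on = null)
{
    if ($magic_quotes_on === null)
    {
        $magic_quotes_on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    }
    return $magic_quotes_on ? strip_magic_quotes($post) : $post;
}

/** Parameterised insert: the driver quotes the values, so the text is stored verbatim. */
function store_noticia(PDO $db, array $post)
{
    $stmt = $db->prepare('INSERT INTO noticias (titulo, msg) VALUES (:titulo, :msg)');
    $stmt->execute(array(':titulo' => $post['titulo'], ':msg' => $post['msg']));
    return (int) $db->lastInsertId();
}

function load_msg(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT msg FROM noticias WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE noticias (id INTEGER PRIMARY KEY, titulo TEXT, msg TEXT)');

// Constructed form submission: HTML with double quotes in the body, an apostrophe in the title.
$submitted = array(
    'titulo' => "O'Reilly",
    'msg'    => '<a href="http://example.com/">link</a>',
);

// 1. MAMP default (magic_quotes_gpc=On): $_POST already carries backslashes before any
//    framework code runs. A parameterised insert stores them faithfully, which is exactly
//    the doubly escaped text the phpMyAdmin screenshot in the thread shows.
$as_php_saw_it = apply_magic_quotes($submitted);
$id_polluted   = store_noticia($db, $as_php_saw_it);

// 2. Undo the slashes once, at the boundary; the same insert then stores the text verbatim.
$id_clean = store_noticia($db, normalize_post($as_php_saw_it, true));

echo "stored with magic quotes on : ", load_msg($db, $id_polluted), "\n";
echo "stored after normalisation  : ", load_msg($db, $id_clean), "\n";
echo "round-trips unchanged       : ", var_export(load_msg($db, $id_clean) === $submitted['msg'], true), "\n";
```

Turning magic_quotes_gpc off in php.ini, as the poster above did, makes the normalisation step a no-op and is the right fix; the boundary function only matters for code that still has to run on a host where the setting cannot be changed.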
  • TIAGO CONCEICAO wrote on Tuesday 9th of August 2011:
    Hi, when I get the DB contents and print them to the page it escapes the HTML, and I need it not to do so...
    How do I unescape? Thanks

    Hey, by default Fuel uses output escaping. To avoid it, pass false as the 3rd parameter to the view and you'll be fine, like $view->set('foo', $bar, false);
    but MAKE SURE your data is SECURE :) Good luck!
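An added example, not code from Fuel or from anyone in this thread, of what that third argument to set() actually controls. SafeView and render_noticia are assumed names that model the behaviour of a view with auto_encode_view_data on; the record containing an injected script is constructed for the example.

```php
<?php
// Added example, not FuelPHP code: a minimal model of what a Fuel view does when
// auto_encode_view_data is on, and what set($key, $value, false) switches off.
// SafeView, render_noticia and the sample record are assumptions for this example.

class SafeView
{
    private $vars = array();

    /** Mirrors the Fuel signature: the third argument decides whether the value is encoded. */
    public function set($key, $value, $encode = true)
    {
        $this->vars[$key] = $encode
            ? htmlentities((string) $value, ENT_QUOTES, 'UTF-8')
            : (string) $value;
        return $this;
    }

    public function get($key)
    {
        return isset($this->vars[$key]) ? $this->vars[$key] : '';
    }
}

/** Renders one news item; only the body may be passed through raw, and only on request. */
function render_noticia(array $entry, $raw_msg)
{
    $view = new SafeView();
    $view->set('titulo', $entry['titulo']);           // always encoded
    $view->set('msg',    $entry['msg'], ! $raw_msg);  // raw only when explicitly requested
    return '<h1>'.$view->get('titulo').'</h1>'."\n".'<div class="msg">'.$view->get('msg').'</div>';
}

// Constructed record: legitimate markup plus an injected script, as it would sit in the
// msg column if anyone other than a trusted admin could write to that column.
$entry = array(
    'titulo' => 'Nova versão <beta>',
    'msg'    => '<p>Olá <b>mundo</b></p><script>alert(1)</script>',
);

echo "encoded (default):\n", render_noticia($entry, false), "\n\n";
echo "raw (set(..., false)):\n", render_noticia($entry, true), "\n";
```

With the default, both the angle brackets in the title and the script tag in the body come out as entities; with the flag set to false the body is emitted verbatim, script included. That is the point of "make sure your data is secure": the raw flag is only acceptable for a column that only trusted users can write, as the Auth::check() guard on the admin controller in this thread arranges. HTML that can come from anyone else needs a sanitiser such as HTML Purifier before it is stored or rendered; disabling the encoding is not a substitute.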
  • Jaroslav Petrusevic wrote on Tuesday 9th of August 2011:
    TIAGO CONCEICAO wrote on Tuesday 9th of August 2011:
    Hi, when I get the DB contents and print them to the page it escapes the HTML, and I need it not to do so...
    How do I unescape? Thanks

    Hey, by default Fuel uses output escaping. To avoid it, pass false as the 3rd parameter to the view and you'll be fine, like $view->set('foo', $bar, false);
    but MAKE SURE your data is SECURE :) Good luck!

    Yeah, data is always secure when inserted into the database, but I'm passing an SQL result object; is there a function to do the inverse? Like this:
    $entry = Model_Noticias::find($new);
    if ( ! $entry)
    {
        Response::redirect('novidades');
        exit();
    }
    $data = array();
    $data['noticia'] = $entry;
    $this->template->title = 'Ver Novidade';
    $this->template->content = View::factory('novidades/ver', $data);

  • As the previous poster said:
    $entry = Model_Noticias::find($new);
    if ( ! $entry)
    {
        Response::redirect('novidades');
    }
    
    $this->template->title = 'Ver Novidade';
    $this->template->content = View::factory('novidades/ver');
    $this->template->content->set('noticia', $entry, false);
    
  • Harro Verton wrote on Wednesday 10th of August 2011:
    As the previous poster said:
    $entry = Model_Noticias::find($new);
    if ( ! $entry)
    {
        Response::redirect('novidades');
    }

    $this->template->title = 'Ver Novidade';
    $this->template->content = View::factory('novidades/ver');
    $this->template->content->set('noticia', $entry, false);

    I tried that before, and it did not work,
    but I found an easy solution: str_replace('\\"', '"', $entry->msg);
  • I think you have another issue, because I haven't seen any issues with escaped quotes in my applications so far. I suggest you have a look at your database tables and see how it's stored there, and at the code you use to accept, process and store the data. I suspect you have an encoding problem there.
  • Harro Verton wrote on Wednesday 10th of August 2011:
    I think you have another issue, because I haven't seen any issues with escaped quotes in my applications so far. I suggest you have a look at your database tables and see how it's stored there, and at the code you use to accept, process and store the data. I suspect you have an encoding problem there.

    Yes, I see now, the data is stored incorrectly; it was already escaped in MySQL, as you can see in this screenshot: http://screencast.com/t/rSKZkEXmtZU. I'm using the ORM to save things; how do I avoid this situation? Thanks
  • The ORM doesn't escape anything. You don't have an input filter active by any chance?
  • Harro Verton wrote on Wednesday 10th of August 2011:
    The ORM doesn't escape anything. You don't have an input filter active by any chance?

    No, it's disabled:
    /**
      * Security settings
      */
     'security' => array(
      'csrf_autoload'   => false,
      'csrf_token_key'  => 'fuel_csrf_token',
      'csrf_expiration'  => 0,
      'uri_filter'   => array('htmlentities'),
    
      /**
       * This input filter can be any normal PHP function as well as 'xss_clean'
       *
       * WARNING: Using xss_clean will cause a performance hit.  How much is
       * dependant on how much input data there is.
       */
      'input_filter'   => array(),
    
      /**
       * Whether to automatically encode (htmlentities) view data
       */
      'auto_encode_view_data' => false,
    
      /**
       * With output encoding switched on all objects passed will be converted to strings or
       * throw exceptions unless they are instances of the classes in this array.
       */
      'whitelisted_classes' => array('stdClass', 'Fuel\\Core\\View', 'Fuel\\Core\\ViewModel', 'Closure')
     ),
    
  • All I do to save the form:
    if ($val->run())
    {
        $new = new Model_Noticias();
        $new->username = Auth::get_screen_name();
        $new->titulo   = Input::post('titulo');
        $img = Input::post('pimg');
        if ($img)
        {
            $arr = explode('/', $img);
            $arr = array_reverse($arr);
            $img = $arr[0];
        }
        $new->pimg      = $img;
        $new->descricao = Input::post('descricao');
        $new->msg       = Input::post('texto');
        $new->inhome    = Input::post('inhome');
        $new->save();
    }

