Chapter 9: Security and Performance
In other places, like the batchUpdate() function, you'll need to remember that you're passing in
category_id and grouping strings that need to be escaped, well before they reach your final query:
function batchUpdate(){
    if (count($this->input->post('p_id'))){
        $data = array('category_id' => id_clean($_POST['category_id']),
                      'grouping'    => db_clean($_POST['grouping'])
        );
        // every posted p_id ends up interpolated into the WHERE clause below,
        // so each one is run through id_clean() before being joined
        $idlist = implode(",", array_map('id_clean', array_values($this->input->post('p_id'))));
        $where = "id in ($idlist)";
        $this->db->where($where);
        $this->db->update('products', $data);
        $this->session->set_flashdata('message', 'Products updated');
    }else{
        $this->session->set_flashdata('message', 'Nothing to update!');
    }
}
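To make the point concrete, here is an added example (not the book's code) of a hypothetical id_clean() and a small helper that builds the "id in (...)" clause batchUpdate() needs from posted ids, so that only validated integers are ever interpolated into the WHERE string. The book's own id_clean() may be implemented differently; the version here is an assumption.

```php
<?php
// Added example, not from the book. Both functions are hypothetical.

// Hypothetical id_clean(): accept only a string of decimal digits and
// return it as an int; anything else becomes 0, which matches no real row.
function id_clean($value) {
    $s = (string) $value;
    return ($s !== '' && ctype_digit($s)) ? (int) $s : 0;
}

// Build "id in (1,2,3)" from posted ids, dropping entries that id_clean()
// rejects. Returns null when nothing valid remains, so the caller can skip
// the UPDATE instead of running it with an empty list.
function batch_where(array $posted_ids) {
    $clean = array();
    foreach ($posted_ids as $id) {
        $n = id_clean($id);
        if ($n > 0) {
            $clean[$n] = $n;   // keyed by id so duplicates collapse
        }
    }
    if (count($clean) === 0) {
        return null;
    }
    return 'id in (' . implode(',', $clean) . ')';
}

// Constructed sample input: two real ids, a duplicate, and two values that
// are not ids at all and must not reach the query.
$sample = array('12', '7', '12', 'abc', '7 or 1=1');
$where = batch_where($sample);
echo ($where === null ? 'nothing to update' : $where), "\n";
```

Calling batch_where() with the constructed sample keeps only 12 and 7; the non-numeric entries are dropped rather than escaped, because an id that is not an integer has no legitimate meaning here.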
The complete list of functions that need securing includes:
getProduct()
getProductsByCategory()
getProductsByGroup()
getRandomProducts()
search()
addProduct()
updateProduct()
deleteProduct()
batchUpdate()
Securing the MSizes Model
Treat the MSizes model much the same way you treated MColors. The same rules apply in almost the
identical places, give or take a function name change here or there.
function getSize($id){
    $data = array();
    $options = array('id' => id_clean($id));
    $Q = $this->db->getwhere('sizes', $options, 1);
    if ($Q->num_rows() > 0){
        $data = $Q->row_array();
    }
    $Q->free_result();
    return $data;
}
function createSize(){
    $data = array(