Professional CodeIgniter

Chapter 9: Security and Performance



that URI segment argument through a filtering station. That way you make sure the ID is an integer, you
escape anything that has no business being in it, and you chop it down to size (11 characters maximum). By
passing it through that simple filter, you've greatly reduced the odds of a malformed or malicious ID doing any harm.


Furthermore, by doing another check after you've run the model, you ensure that you're sending the
user to a legitimate page, and not to some random page of cryptic error messages that may or
may not give an attacker insight into your system.


What you have to do now is add this kind of intelligence to the other controllers, specifically the edit()
function of each admin controller. Why? Because you don't want to give anyone the ability to edit a
record that doesn't exist.


First, here is the edit() function in the admin/admins controller:


function edit($id=0){
    // Form submitted: the model reads the posted fields itself, then the
    // user is sent back to the list with a flash message.
    if ($this->input->post('username')){
        $this->MAdmins->updateUser();
        $this->session->set_flashdata('message','User updated');
        redirect('admin/admins/index','refresh');
    }else{
        // Plain GET: $id comes straight from the URI segment. Fetch the
        // record first, and only build the edit page if one came back.
        $data['title'] = "Edit User";
        $data['main'] = 'admin_admins_edit';
        $data['admin'] = $this->MAdmins->getUser($id);
        // No such user (this includes the default $id of 0): never show
        // an edit form for a record that does not exist.
        if (!count($data['admin'])){
            redirect('admin/admins/index','refresh');
        }
        $this->load->vars($data);
        $this->load->view('dashboard');
    }
}

Next is the edit() function of the admin/categories controller:


function edit($id=0){
    // Form submitted: update and go back to the category list.
    if ($this->input->post('name')){
        $this->MCats->updateCategory();
        $this->session->set_flashdata('message','Category updated');
        redirect('admin/categories/index','refresh');
    }else{
        // Plain GET: look the category up by the URI segment, plus the
        // top-level categories the edit form needs for its parent list.
        $data['title'] = "Edit Category";
        $data['main'] = 'admin_cat_edit';
        $data['category'] = $this->MCats->getCategory($id);
        $data['categories'] = $this->MCats->getTopCategories();
        // Same guard as in admin/admins: an ID that matches nothing
        // sends the user back to the list instead of an empty form.
        if (!count($data['category'])){
            redirect('admin/categories/index','refresh');
        }
        $this->load->vars($data);
        $this->load->view('dashboard');
    }
}
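The two edit() functions above add the second half of the pattern (check what the model returned) but pass the URI segment to the model untouched. The following is an added example, not code from the book, that puts both halves in one place: a strict integer filter for the segment, and the "look it up, then verify a row came back" guard. It is plain PHP (5.3 or later) so it runs from the command line without CodeIgniter; clean_id() and find_or_redirect() are names chosen here, not framework functions, and the admins table and probe values are constructed for the demonstration.

```php
<?php
// Added example (not from the book): a reusable ID filter plus the
// look-up-then-verify guard the edit() functions apply. Plain PHP 5.3+,
// no CodeIgniter needed. clean_id() and find_or_redirect() are my own
// names, not framework functions.

/**
 * Normalise a URI segment that is supposed to be a row ID.
 * Same intent as the chapter's filter (integer only, 11 characters
 * maximum), but stricter: anything that is not 1 to 11 decimal digits
 * is rejected outright instead of being escaped or truncated. Returns 0
 * for a bad segment, which is also the controllers' default $id and
 * never matches a real row.
 */
function clean_id($segment)
{
    if (!is_string($segment) && !is_int($segment)) {
        return 0;
    }
    $segment = trim((string) $segment);

    // Allow-list, not a deny-list: this refuses "7abc", "-1", "+7",
    // "0x2a", "1e3", an empty segment and "7' OR '1'='1".
    if (!preg_match('/^[0-9]{1,11}$/', $segment)) {
        return 0;
    }

    $id = (int) $segment;
    return $id > 0 ? $id : 0;           // "0" and "000" are not row IDs
}

/**
 * The second check from the text: run the model, and only render the
 * edit page when a row actually came back. $lookup stands in for
 * $this->MAdmins->getUser() or $this->MCats->getCategory(); it must
 * return an array, empty when nothing matched. The return value tells
 * the controller what to do next.
 */
function find_or_redirect($raw_id, $lookup, $fallback)
{
    $id = clean_id($raw_id);
    if ($id === 0) {
        return array('action' => 'redirect', 'to' => $fallback);
    }
    $row = $lookup($id);
    if (empty($row)) {
        return array('action' => 'redirect', 'to' => $fallback);
    }
    return array('action' => 'render', 'row' => $row);
}

// Constructed sample data standing in for the admins table.
$admins = array(
    1 => array('id' => 1, 'username' => 'alice'),
    7 => array('id' => 7, 'username' => 'bob'),
);
$get_user = function ($id) use ($admins) {
    return isset($admins[$id]) ? $admins[$id] : array();
};

// Constructed probe segments: the two real IDs, then the kinds of
// values an attacker or a typo would put in the URI instead.
$probes = array('7', '1', '42', '7abc', '-1', '0', "7' OR '1'='1",
                '123456789012', '', '00000000007');
foreach ($probes as $p) {
    $r = find_or_redirect($p, $get_user, 'admin/admins/index');
    printf("%-18s -> %s\n", var_export($p, true),
        $r['action'] === 'render'
            ? 'render edit form for ' . $r['row']['username']
            : 'redirect to ' . $r['to']);
}
```

Only '7', '1' and '00000000007' (which normalises to 7) reach the render branch; '42' passes the filter but fails the existence check, and everything else is stopped by the filter before the model runs. In the controllers this amounts to calling $this->MAdmins->getUser(clean_id($id)) and keeping the count() check that follows it; a function like clean_id() can live in a helper file loaded with $this->load->helper(). If you would rather answer a bad ID with a 404 than a redirect, CodeIgniter's show_404() does that in place of the redirect() call.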