I am using CodeIgniter and on an edit form it's pulling in data from the database. Sometimes this data contains apostrophes, ampersands etc.
How can I get CI to not parse this and change it to the HTML version, so end users can edit it?
This is an image of the edit form; this text field has data pulled in from the database and populated into the input text field. The data does not contain any special chars, as you can see in the second image below.
Here is a screenshot of how the data looks in the table; note I am only pulling from the far right column, not the 4th column:
As you can tell, the data isn't being stored as HTML-converted, yet CI is still converting it.
Here is a snippet of the above text field:
<?php
/**
 * Form Field attribute settings
 * @author Mike DeVita
 */
$companyname = array(
    'name'        => 'companyname',
    'placeholder' => 'Enter Your Companies Name',
    'id'          => 'companyname',
    'value'       => set_value('', $points['pointFields']['companyname']->uf_fieldvalue),
    'maxlength'   => 80,
    'size'        => 30
);
?>
<div class="_100">
    <p><?php echo form_label('Company Name', $companyname['id']); ?><?php echo form_input($companyname); ?></p>
    <?php echo form_error($companyname['id']); ?>
</div>
Here is a snippet of the insert to database:
function addUserFieldHtml($compiledHtml){
    foreach ($compiledHtml as $cHK => $cHV){
        $data = array (
            'pointid'    => $cHV['pointId'],
            'timestamp'  => time(),
            'html'       => $cHV['html'],
            'fieldid'    => $cHV['fieldId'],
            'fieldvalue' => $cHV['fieldValue']
        );
        $this->db->insert('userfields', $data);
    }
}#end addUserFieldHtml() function
Thanks
The issue is here:
$companyname = array(
    'value' => set_value('', $points['pointFields']['companyname']->uf_fieldvalue),
);
set_value() converts some characters to entities, and should only be used in raw HTML - not passed to any of the form helper functions, like so:
<input name="email" value="<?php echo set_value('email'); ?>">
This will call the form_prep() function which escapes the input string, something like this:
<input name="username" value="<?php echo form_prep($row->username); ?>">
So just change your config for value to this:
$companyname = array(
    'value' => $points['pointFields']['companyname']->uf_fieldvalue,
);
...and when used with form_input() or any of the other form helper functions for displaying an input, the value will be escaped properly for you. For example:
echo form_input('myinput', '</div>"someJunkInput"<?php'); // Good to go
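As an added illustration (not code from the question or from CodeIgniter), the following reproduces the double encoding described above; CI's form_prep() is approximated here with htmlspecialchars(), and the sample row value is constructed.

```php
<?php
// Added example, not code from the question or from CodeIgniter: it reproduces
// the double-encoding that happens when set_value() output is handed to
// form_input(). CI's form_prep() is approximated with htmlspecialchars(),
// which encodes the same characters (& < > " ').

function form_prep_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_input(string $name, string $value): string
{
    // Like form_input(): the helper escapes the value exactly once.
    return '<input type="text" name="' . $name . '" value="' . form_prep_like($value) . '" />';
}

// What the browser actually displays in the field: the attribute value,
// entity-decoded once by the HTML parser.
function displayed_value(string $tag): string
{
    preg_match('/value="([^"]*)"/', $tag, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$fromDb = "O'Brien & Sons <Ltd>"; // constructed sample of a stored field value

// Wrong: a pre-escaped (set_value()-style) value is escaped again by the helper.
$double = render_input('companyname', form_prep_like($fromDb));
// Right: the raw value is passed to the helper, which escapes it once.
$single = render_input('companyname', $fromDb);

echo $double, PHP_EOL, $single, PHP_EOL;

// The user sees literal entities such as &amp; in the double-encoded field,
// while the single-encoded field round-trips to the original text.
var_dump(displayed_value($double) === $fromDb);
var_dump(displayed_value($single) === $fromDb);
```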
CodeIgniter handles magic quotes automatically in POST variables and ensures that POST variables do not carry any extra slashes.
Hence you must ensure that you pass the data through addslashes() before running the query using simple_query() or query(). This ensures that your query is OK and not subject to SQL injection. Do not use htmlspecialchars() or htmlentities() before database insert. That is a wrong practice.
However, if you use $this->db->insert() or $this->db->update() you do not need to apply addslashes() on POST data.
Now, before rendering data, use htmlspecialchars() in the view. This will give you protection against XSS attacks.
<input value="<?php echo htmlspecialchars($val); ?>" type="button">