
I am submitting form contents to my database with an array in Code Igniter. Here is the relevant code...

$sql = array(
    'currency' => $this->input->post('currency'),
    'total'    => $this->input->post('total'),
    'expenses' => $this->input->post('expenses'),
);
$ins = $this->db->insert('donations', $sql);

How do I escape £ signs in the currency field as it's written to the DB? I know I need to use a str_replace() with £ but can't get my head around the PHP.

square_eyes
  • Why do you want to HTML escape data going into the database?! – deceze Mar 28 '14 at 13:24
  • Well, I query the database later on. The £ sign came up on my webpage as a ? in a diamond. I edited the data in the database, changing £ to £ and it worked. Should I be using a backslash instead? – square_eyes Mar 28 '14 at 13:26
  • Why is your currency an arbitrary string? – Paul Gregory Mar 28 '14 at 13:26
  • http://stackoverflow.com/questions/279170/utf-8-all-the-way-through – Mark Baker Mar 28 '14 at 13:27
  • Then 1) you have an encoding problem which you need to fix and 2) you should not escape data in a way specific to a certain output medium like HTML. What if you want to send the data in an email (non-HTML) later, for instance? – deceze Mar 28 '14 at 13:29
  • I'd suggest storing currency values as their ISO code (GBP, EUR, USD etc). They are always 3 characters and there is no ambiguity between currencies. You can always `str_replace` in your app to get the appropriate symbol for your views or just use a key->value array. – harryg Mar 28 '14 at 13:30
  • I really appreciate the comments around best practice, and I have learned from them. But I have a very specific need in this case. The field value is a string `GBP £`. I won't be scaling the solution, so the most simple answer actually suits me on this occasion. – square_eyes Mar 28 '14 at 20:33

3 Answers

The function you are looking for is htmlentities

$sql = array(
    'currency' => htmlentities($this->input->post('currency'), ENT_QUOTES, "UTF-8"),
    'total'    => $this->input->post('total'),
    'expenses' => $this->input->post('expenses'),
);
$ins = $this->db->insert('donations', $sql);
Ian Brindley

You'd be better to just allow the value to go into the db as is, e.g. £10.00, and then use:

 echo htmlentities($value);

when you pull it back from the db and write it to the HTML doc.

andrew

Stop.

Enter data into your database in as simple a form as possible, and sort the presentation out when you display.

More importantly, you cannot distinguish between £ meaning Pounds Sterling and £ meaning GIP.

You need to convert the input to the relevant value before inserting.

One solution (following the suggestion of harryg to use ISO codes) is this:

// pass the input to a variable
$currency_raw = $this->input->post('currency');

// potentially, process it to standardise (trim, uppercase etc)

// use a switch to set the $currency value you'll insert
switch ($currency_raw) {
    case "£":
        $currency = "GBP";
        break;
    default:
        // unrecognised currencies should error
        $currency = "???";
}

$sql = array(
    'currency' => $currency,
    'total'    => $this->input->post('total'),
    'expenses' => $this->input->post('expenses'),
);
$ins = $this->db->insert('donations', $sql);

You could do something similar to convert GBP back to £ on display.

In large applications you may find speed and data-size benefits from storing currencies as an int, and having a look up table.

However, you probably need really to look at the form fields. You can display £ (or better, "£ (GBP)") in a dropdown but have GBP as the value submitted, which would be best all round.

Paul Gregory
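Pulling the two recommendations above together (andrew's "escape only when you write to the HTML doc" and Paul Gregory's "convert the input to an ISO code before inserting"), here is an added example that is not code from the question or from any of the answers. It is plain PHP with no CodeIgniter dependency; the function names `normalise_currency`, `currency_symbol` and `html` and the sample inputs are assumptions made for this illustration. The stored value is the canonical code, an unrecognised value is rejected instead of being saved as `"???"`, and escaping happens once, for the HTML context, at output time.

```php
<?php
// Added example, not part of the original answers. Names and samples below
// are assumptions made for illustration.
declare(strict_types=1);

/**
 * Map whatever the form sent ("£", "GBP £", " gbp ") to an ISO 4217 code.
 * Returns null for anything outside the whitelist so the caller can reject
 * the request rather than store a placeholder such as "???".
 */
function normalise_currency(string $raw): ?string
{
    // Only the currencies this application actually handles.
    $symbols = ['£' => 'GBP', '€' => 'EUR', '$' => 'USD'];
    $codes   = array_values($symbols);

    $value = mb_strtoupper(trim($raw), 'UTF-8');

    // A bare ISO code, e.g. "GBP" or " gbp ".
    if (in_array($value, $codes, true)) {
        return $value;
    }
    // A bare symbol, e.g. "£".
    if (isset($symbols[$value])) {
        return $symbols[$value];
    }
    // A mixed form such as "GBP £": accept the first token that is a known code.
    foreach (preg_split('/\s+/u', $value) as $token) {
        if (in_array($token, $codes, true)) {
            return $token;
        }
    }
    return null;
}

/** Reverse mapping for display: ISO code to symbol, falling back to the code itself. */
function currency_symbol(string $code): string
{
    $map = ['GBP' => '£', 'EUR' => '€', 'USD' => '$'];
    return $map[$code] ?? $code;
}

/** Escape for an HTML context, and only at the point of output. */
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $this->input->post('currency').
$samples = ['£', 'GBP £', ' gbp ', '€', 'BTC', '<script>'];

foreach ($samples as $raw) {
    $code = normalise_currency($raw);
    if ($code === null) {
        // Reject the request; nothing unknown reaches the 'currency' column.
        echo 'rejected: ' . html($raw) . PHP_EOL;
        continue;
    }
    // $code is what goes into the database, stored as-is (no HTML escaping).
    // On the way back out, map it to a symbol and escape for the HTML page.
    echo html($raw) . ' -> stored "' . $code . '", displayed as '
        . html(currency_symbol($code)) . PHP_EOL;
}
```

Because the database holds `GBP` rather than `&pound;`, the same row can be rendered in an HTML page, a plain-text e-mail or a CSV export by applying the escaping that each of those contexts needs; the "? in a diamond" the question describes is a charset mismatch between the connection, the table and the page, which canonical storage plus a consistent UTF-8 setup addresses, not HTML entities.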