Isn't this not covered by the 'h()' method? Which scrubs exploit code like XSS & SQL injection from your inputs?
And shouldn't this really be done in the view not the model?
Good question, and I don't know the answer to it. I see where you are coming from all right - you want the _default_ behaviour to remove, or generate an error on detection of dangerous characters.
However in addition to model-based validation, look into view validation using the h() method (which purges everything silently). You wouldn't want to use it everywhere - like for instance in your signup code you definitely want to be messaging to the user that their login name is unacceptable.
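As an added illustration of the two layers the reply separates (this is not code from the thread), the Ruby below puts view-side escaping with ERB::Util.html_escape, which is what Rails' h() calls, next to a model-style validation that rejects a bad login name with a message for the user; the LoginName class and its naming rule are assumptions made for the example.

```ruby
# Added example, not from the thread. View escaping neutralises markup
# silently; model-style validation rejects input with an explanation.
require 'erb'

# View layer: the same call Rails' h() makes. It turns HTML metacharacters
# into entities so user input renders as text, never as markup. It does
# not reject anything, and it has nothing to do with SQL.
def escape_for_view(input)
  ERB::Util.html_escape(input)
end

# Model layer (hypothetical plain-Ruby stand-in for an ActiveRecord
# validation): an explicit rule, with error messages the signup page can show.
class LoginName
  PATTERN = /\A[a-z0-9_]{3,20}\z/i # assumed policy for this example
  attr_reader :value, :errors

  def initialize(value)
    @value = value.to_s
    @errors = []
  end

  def valid?
    @errors = []
    @errors << 'login name is blank' if value.strip.empty?
    unless PATTERN.match?(value)
      @errors << 'login name may only contain letters, digits and underscores (3-20 chars)'
    end
    @errors.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing markup and quotes.
  puts escape_for_view('<b>bob</b> & "alice"')
  name = LoginName.new('<b>bob</b>')
  puts(name.valid? ? 'ok' : name.errors.join('; '))
end
```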