Security Issues (input and output)
#1

I am new to CodeIgniter. Thanks for free registration.

I want to know the best practices for user input and for outputting the data, keeping security as the top priority: that is, how to prep the data to insert into the DB and how to output the data in HTML or JS. I want to avoid all known attacks like SQL Injection, CSRF, XSS or any other.

I read about the following but can't decide which one, or which combination, is the best and when to use it.
strip_tags()
filter_var()
HTML purifier
xss_clean()
csrf_protection in CI
htmlspecialchar()
Regex

Please Help.
#2

(04-23-2016, 05:19 PM)raghavgarg Wrote: I am new to CodeIgniter. Thanks for free registration.

I want to know the best practices for user input and for outputting the data, keeping security as the top priority: that is, how to prep the data to insert into the DB and how to output the data in HTML or JS. I want to avoid all known attacks like SQL Injection, CSRF, XSS or any other.

I read about the following but can't decide which one, or which combination, is the best and when to use it.
strip_tags()
filter_var()
HTML purifier
xss_clean()
csrf_protection in CI
htmlspecialchar()
Regex

Please Help.


My short answer.
For the DB I don't use Active Record, therefore varchar types are escaped like this:
$this->db->escape($data['user_name'])

int, float data types:
(int)$data['user_id']
(float)$data['user_cash']
and so on.

All values of input\textarea fields must be escaped via html_escape().
All values of input\textarea fields which will be sent to the browser (output) must be filtered via xss_clean().
Small example:

Code:
if (!is_null($this->input->post('client_filial_name'))) {
    // second argument TRUE runs xss_clean() on the posted value
    $data['client_filial_name'] = $this->input->post('client_filial_name', TRUE);
} elseif ($client) {
    // value loaded from the DB is filtered before it is handed to the view
    $data['client_filial_name'] = $this->security->xss_clean($client[0]->filial_name);
} else {
    $data['client_filial_name'] = '';
}

HTMLPurifier: for an application with an untrusted zone (e.g. a blog), where a user could enter some malicious code, an admin could then view this form and that code would be executed.

strip_tags(): I use this function in autocomplete methods. E.g. an input field uses autocomplete of names via AJAX. On the server side the controller returns JSON data like below:

Code:
public function autocomplete() {
    $json = array();
    $data = array(); // filter parameters passed to the model

    if (!is_null($this->input->get('filter_name')) && $this->input->is_ajax_request() && $this->validateAutocomplete()) {

        if (!is_null($this->input->get('filter_name'))) {
            $data['filter_name'] = $this->input->get('filter_name');
            $data['filter_group_name'] = true;
        } else {
            $data['filter_name'] = '';
        }
        $data['filter_limit'] = 200;

        $results = $this->client_model->getClients($data)['clients'];

        if ($results) {
            foreach ($results as $result) {
                // filter, escape, then strip tags before the value goes into the JSON response
                $json['suggestions'][] = array(
                    'value' => strip_tags(html_escape($this->security->xss_clean($result->client_name))),
                    'data'  => strip_tags(html_escape($this->security->xss_clean($result->client_name))),
                );
            }
        }
    }

    $this->output->set_output(json_encode($json));
}


Sorry for the confusion. I am tired.
#3

The following is a good place to start, with some links to other solid guides to security in PHP projects:
http://www.phptherightway.com/#security

For CI-specific information, the user guide is a good resource/reference, but doesn't provide a lot of specifics on securing your site/application.

I would recommend enabling CSRF protection. If you plan to use AJAX on your site, you'll probably need to use `$this->security->get_csrf_token_name()` and `$this->security->get_csrf_hash()` to pass the necessary token/hash to your client-side code. More often than not, people encounter CSRF errors when they implement AJAX code on their site and simply disable the feature, rather than figuring out how to get it to work.

Use `xss_clean()` only when outputting data via HTML. Do not save the output of `xss_clean()` to your database or other data store (except, possibly, for short-term output caching). Do not use `xss_clean()` when outputting data in JSON, URLs, etc. `xss_clean` should never be used as a validation rule or otherwise in processing input from a form (e.g. `xss_clean($this->input->post('example'))` should never happen).

HTML Purifier is a good alternative to `xss_clean()`.

`html_escape()` is a CI-specific shortcut to `htmlspecialchars()` which sets some sane defaults, including using the character set configured for the site.

When it comes down to when and where to use each of the available functions, it's going to be highly dependent on context and the data you're dealing with. It's a huge subject, which is why I linked to other sources for that information.

Something to remember when reading about application security is that input is not just data supplied by the user in a form or URL. Input is also the data you retrieve from your database, receive from an API, or even from another part of your application in some circumstances. The same applies to output. Output is data you write to the database, text you place into an HTML page, an email, a JSON object, or you pass to another part of your application in a function call. It's far too common for people to limit their vision of input and output, leading to applying techniques in the wrong place, or incorrectly assuming that data is secure.
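As an added example (not code from any poster in this thread) of the advice above: a CodeIgniter 3 view that hands the CSRF token to AJAX code, and a controller that answers with JSON built by `json_encode()` rather than `xss_clean()`. It assumes `csrf_protection` is enabled, the `url` helper is loaded, and a `clients` table with a `client_name` column exists; the `Clients` controller and file paths are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes csrf_protection = TRUE, the url
// helper loaded, and a `clients` table with a `client_name` column.
// ---- application/views/clients/search.php ----
?>
<input id="term" type="text" autocomplete="off">
<ul id="suggestions"></ul>
<script>
// JS context: json_encode() builds a JS literal; html_escape() is the wrong tool here.
var csrf = <?php echo json_encode(array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash(),
), JSON_HEX_TAG | JSON_HEX_AMP); ?>;
document.getElementById('term').addEventListener('input', function () {
    var body = new FormData();
    body.append(csrf.name, csrf.hash);   // token rides along with every POST
    body.append('term', this.value);
    fetch('<?php echo site_url('clients/autocomplete'); ?>', {
        method: 'POST', body: body, credentials: 'same-origin',
        headers: {'X-Requested-With': 'XMLHttpRequest'}
    }).then(function (r) { return r.json(); }).then(function (json) {
        csrf.hash = json.csrf_hash;      // csrf_regenerate = TRUE rotates it each request
        var ul = document.getElementById('suggestions');
        ul.textContent = '';             // DOM text APIs, never innerHTML
        json.suggestions.forEach(function (s) {
            var li = document.createElement('li');
            li.textContent = s.client_name;
            ul.appendChild(li);
        });
    });
});
</script>
<?php
// ---- application/controllers/Clients.php ----
class Clients extends CI_Controller
{
    public function autocomplete()
    {
        if ( ! $this->input->is_ajax_request()) { show_404(); }
        // Raw input, no xss_clean(): it only reaches a bound query and JSON.
        $term = (string) $this->input->post('term');
        $rows = $this->db->like('client_name', $term, 'after')  // escapes % and _
                         ->limit(20)->get('clients')->result();
        $this->output->set_content_type('application/json')->set_output(json_encode(array(
            'suggestions' => $rows,
            'csrf_hash'   => $this->security->get_csrf_hash(),
        )));
    }
}
```

Returning the fresh hash in each JSON response is what keeps the AJAX calls working when `csrf_regenerate` is TRUE, instead of disabling the feature.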
#4

Just a quick one, could anyone explain why we should use xss_clean() ?

My understanding has always been that htmlspecialchars() or htmlentities() with ENT_QUOTES is enough?

Therefore isn't CI's escape_html() all that is needed to prevent XSS attacks on output?
#5

(04-29-2016, 07:18 AM)CINewb Wrote: Just a quick one, could anyone explain why we should use xss_clean() ?

My understanding has always been that htmlspecialchars() or htmlentities() with ENT_QUOTES is enough?

Therefore isn't CI's escape_html() all that is needed to prevent XSS attacks on output?

Please refer to this link; you will see why htmlspecialchars and htmlentities are not foolproof.
http://php.net/manual/en/function.htmlen....php#99896

The basic idea is that it will still allow some scripts like javascript:alert(document.cookie).
xss_clean() would handle it by replacing
"javascript:" with "[removed]"
"document.cookie" with "[removed]"
and many more bad words like this; you can see this in system\core\Security.php.

Of course, nothing is a full solution in the security field, but it is one of the best tools present.
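As an added illustration of this answer (my own code, not from the thread or from CodeIgniter): `htmlspecialchars()` only neutralises HTML syntax, so a `javascript:` value survives it untouched and stays live inside an `href`. The defensive alternative to xss_clean()'s "[removed]" replacement is to allowlist the scheme before escaping; `safe_href()` is a hypothetical helper and the test values are constructed.

```php
<?php
// Added example (not from the thread): why escaping alone is not enough for a
// URL attribute, and an allowlist check that closes the gap. safe_href() is mine.
$url = 'javascript:alert(document.cookie)';
// No <, >, &, ' or " in the value, so htmlspecialchars() returns it unchanged.
var_dump(htmlspecialchars($url, ENT_QUOTES, 'UTF-8') === $url); // bool(true)

// Attribute context: decide whether the URL is acceptable first, then escape.
function safe_href($url)
{
    // Browsers ignore tabs/newlines inside the scheme, so strip them before checking.
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    // Allow absolute http(s), mailto, and site-relative paths (not protocol-relative //).
    if (preg_match('#^(https?://|mailto:|/(?!/))#', $probe) !== 1) {
        return '#';   // javascript:, data:, vbscript: etc. are rejected, not "cleaned"
    }
    // Now the value is only text inside a quoted attribute: escape it for HTML.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed test values showing escape-only output next to the checked output.
$cases = array(
    'javascript:alert(document.cookie)',
    "java\tscript:alert(1)",
    'https://example.com/?a=1&b=<x>',
    '/profile?id=42',
);
foreach ($cases as $c) {
    printf("%-36s escape-only: %-40s safe_href: %s\n",
        str_replace("\t", '\t', $c),
        htmlspecialchars($c, ENT_QUOTES, 'UTF-8'),
        safe_href($c));
}
// Usage in a view: <a href="<?php echo safe_href($row->website); ?>">...</a>
```

For text nodes and normal attribute values `html_escape()` is sufficient; the extra check is only needed where the value becomes a URL, an inline event handler, or raw JavaScript.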