Good practice for xss_clean and escape string - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Good practice for xss_clean and escape string (/showthread.php?tid=26102)
Good practice for xss_clean and escape string - El Forum - 01-06-2010

[eluser]esset[/eluser]
I got a general Q about CI and good code practice with security.

Do you guys run XSS_cleaning on all your POST variables for inserting to the database? Also, do you always escape your strings when performing queries? If not, what's your suggestion/rules for doing so? Are there any good guidelines for when these two security measures should be taken into consideration?

Thanks

Good practice for xss_clean and escape string - El Forum - 01-06-2010

[eluser]rogierb[/eluser]
Yes and yes. :-)

I set $config['global_xss_filtering'] = TRUE; and only try to use AR so it gets escaped automatically. If I use a normal SQL query, I escape everything. On inserts and updates I cast variables as well.

Code:
$insert['some_int'] = (int) $this->input->post('some_id');

Good practice for xss_clean and escape string - El Forum - 01-06-2010

[eluser]esset[/eluser]
Thank you sir!

Good practice for xss_clean and escape string - El Forum - 01-06-2010

[eluser]Random dude[/eluser]
Casting, that's a very interesting one. I suppose the db function will throw an error if the type doesn't cast properly.

Speaking of, does CI have a mechanism for handling exceptions? Or should I study up more on my PHP? (I am in the process of doing this.)

Good practice for xss_clean and escape string - El Forum - 01-17-2010

[eluser]ururk[/eluser]
I've found that in a few instances AR doesn't properly detect the type of value, and doesn't put ticks around a string - as an example, importing XML into a DB record (simplexml_load_string), I loop through the loaded XML:

$title = $xml->title;

When inserting $title, AR didn't put single quotes around the string, and the query was invalid. This worked:

$title = (string) $xml->title;

YMMV, could have been my server.
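The two pieces of advice in the thread, rogierb's (cast every input to the type the column expects, let Active Record escape the rest, and escape or bind anything in a hand-written query) and ururk's (cast SimpleXML values to string before AR sees them, because an object is not recognised as a string and goes into the query unquoted), fit together in one small model. The code below is an added example written for this page, not code posted in the thread or shipped with CodeIgniter. It assumes a CodeIgniter 2.x install, and the model name, the table `articles` and its columns `author_id`, `title` and `body` are hypothetical.

```php
<?php
// Added example, not from the thread or the CodeIgniter project.
// Assumes CodeIgniter 2.x; table "articles" and its columns are hypothetical.
class Article_model extends CI_Model
{
    // Build a typed row from loosely typed input (a POST array or a
    // SimpleXMLElement). Casting does two jobs here:
    //  (int)    turns anything non-numeric into 0 instead of letting a string
    //           reach an integer column;
    //  (string) turns a SimpleXMLElement into plain text, so that Active
    //           Record's escape() sees a string and wraps it in quotes. An
    //           object falls through escape() untouched and ends up in the
    //           SQL unquoted, which is the invalid-query symptom in the thread.
    public function typed_row($src)
    {
        return array(
            'author_id' => (int) $this->field($src, 'author_id'),
            'title'     => (string) $this->field($src, 'title'),
            'body'      => (string) $this->field($src, 'body'),
        );
    }

    // Read one field from either an array (e.g. what $this->input->post()
    // returned) or a SimpleXMLElement ($xml->title). Missing fields become ''.
    private function field($src, $name)
    {
        if ($src instanceof SimpleXMLElement) {
            return isset($src->$name) ? $src->$name : '';
        }
        return isset($src[$name]) ? $src[$name] : '';
    }

    // Insert via Active Record: every string value in $row is escaped and
    // quoted by CI's driver; the integer is emitted as a bare number.
    public function insert_ar($src)
    {
        $row = $this->typed_row($src);
        $this->db->insert('articles', $row);
        return $this->db->insert_id();
    }

    // The same insert as a hand-written query. Values are never concatenated
    // into the SQL string; CI's query bindings escape each "?" for us.
    public function insert_bound($src)
    {
        $row = $this->typed_row($src);
        $sql = 'INSERT INTO articles (author_id, title, body) VALUES (?, ?, ?)';
        $this->db->query($sql, array($row['author_id'], $row['title'], $row['body']));
        return $this->db->insert_id();
    }
}

// Usage from a controller, POST input with xss_clean applied per field
// (the second argument to post() is CI 2.x's per-field XSS filter switch):
//
//   $data = array(
//       'author_id' => $this->input->post('author_id', TRUE),
//       'title'     => $this->input->post('title', TRUE),
//       'body'      => $this->input->post('body', TRUE),
//   );
//   $id = $this->article_model->insert_ar($data);
//
// Usage for the XML import case from the thread:
//
//   $xml = simplexml_load_string($xml_text);
//   $id  = $this->article_model->insert_bound($xml);
```

The casts sit in one place (`typed_row`) so that both insert paths get the same typed values, and the SimpleXML case is handled before the database layer ever sees an object. Note that xss_clean and escaping address different bugs: xss_clean rewrites markup that would misbehave when the value is later rendered as HTML, while escaping and query bindings keep the value from altering the SQL statement; enabling one does not cover the other.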