Webapp Security - how much is enough?
#1

larsonator
So I'm writing a web app using CodeIgniter. The database can contain sensitive information.
Because of this, it is an entirely closed application. What I mean by this is, the only thing available on the web app without a valid session is the login screen. And accounts are strictly controlled internally within the web app, i.e., you need a valid login with sufficient permission.
This is checked in the constructor of the controller before anything is loaded.

Given my understanding of SQL Injection, it requires an available form to input various strings that might display content of a database table.

So my question is:
If the only screen someone can access without a login is the login screen, does this protect the rest of the application from SQL injection?

Also, since the session is checked for a valid login every time the constructor loads (and the session is encrypted), does this protect against XSS attacks?
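
Added example, not part of the original post: the login form is itself input that reaches the database, and requests made with a valid session still carry user input, so the constructor check is paired here with bound queries and output escaping. It assumes CodeIgniter 2.1 or later on PHP 5.5+ with the database and session libraries and the url helper autoloaded; the `MY_Controller` base class, the `users` and `notes` tables and the `user_id` session key are hypothetical.

```php
<?php
// Added example. Shown as one listing; in a CodeIgniter project each class
// lives in its own file (application/core, models, controllers).
// Table names, column names and the 'user_id' session key are hypothetical.

class MY_Controller extends CI_Controller {
    public function __construct() {
        parent::__construct();
        // The gate described in the post: no valid session, no controller.
        if ( ! $this->session->userdata('user_id')) {
            redirect('login');
        }
    }
}

class User_model extends CI_Model {
    // Called from the login screen, i.e. before any session exists.
    public function check_login($username, $password) {
        // Weak form (do not use): input concatenated into the statement.
        //   "SELECT ... WHERE username = '" . $username . "'"
        // Bound form: CodeIgniter escapes each value bound to a ?.
        $sql = 'SELECT id, password_hash FROM users WHERE username = ? LIMIT 1';
        $row = $this->db->query($sql, array($username))->row();
        if ($row && password_verify($password, $row->password_hash)) {
            return (int) $row->id;
        }
        return FALSE;
    }
}

class Notes extends MY_Controller {
    // Reached only with a session, but $id still comes from the client.
    public function view($id) {
        $sql = 'SELECT title, body FROM notes WHERE id = ? AND owner_id = ?';
        $note = $this->db->query($sql, array(
            (int) $id,
            (int) $this->session->userdata('user_id'),
        ))->row();
        if ( ! $note) {
            show_404();
        }
        // Escape on output: the session check does not neutralise stored markup.
        echo '<h1>' . html_escape($note->title) . '</h1>';
        echo '<p>' . html_escape($note->body) . '</p>';
    }
}
```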





