Welcome Guest, Not a member yet? Register   Sign In
Protection from SQL-injections and XSS-atacks
#11

And i want to ask more specific question - at which point do i need check user's input for xss and html tags.
Input or output?

I see here could be a problem- for instance i wanna use htmlspecialchars.
If i use it on input stage - amount of characters could exceed maximum amount of characters in DB.
Or do i need call htmlspecialchars with every echo in the code? (of course that works with data that could go from the user's input)


And second one - hot to properly protect site from Second-order SQL injection?
Reply
#12

(07-22-2017, 08:40 AM)glorsh66 Wrote: And i want to ask more specific question - at which point do i need check user's input for xss and html tags.
Input or output?

I see here could be a problem- for instance i wanna use htmlspecialchars.
If i use it on input stage - amount of characters could exceed maximum amount of characters in DB.
Or do i need call htmlspecialchars with every echo in the code? (of course that works with data that could go from the user's input)


And second one - hot to properly protect site from Second-order SQL injection?

on the output and not on the input
Reply
#13

Does CI automatically check data that goes into view?
Reply
#14

Check for what exactly. But No. How exactly would CI know what you are intending to do with the data?
Reply
#15

(This post was last modified: 07-23-2017, 06:45 AM by glorsh66.)

So in general case i need to put raw data to the database (using query builder, to prevent sql-ijections), and in the view before echo call PHP function - htmlspecialchars, on each peace of data that comes from user?. Am i correct?
Reply
#16

(This post was last modified: 07-23-2017, 06:57 AM by PaulD.)

Yes.

But you should validate data on input. So if you are expecting an integer, you validate it as an integer, etc.

When outputting user created data to a view, you have to be careful. So yes, usually you would use html_entities just to stop them using </div> to break your site or worse of course.

I am no expert on this myself so please do not let your security research end there.
Reply
#17

The main part of our app generates HTML markup so we have to allow HTML input on certain routes. We turn XSS filtering on globally and disable it for routes that require HTML input. On routes we accept HTML we use HTMLPurifier.
Reply
#18

(07-13-2017, 11:33 AM)ciadmin Wrote: Hmmm - ActiveRecord hasn't been a thing for several years now ... renamed the Query Builder in CI3.

It sounds like you might have overlooked the user guide section dealing with the problems you mention ... https://www.codeigniter.com/user_guide/l...urity.html

Sorry to revive an old thread, but I wanted to ask if using actual SQL with ? placeholders is safe from SQL injection attack, as opposed to ActiveRecord / QueryBuilder?

For example, doing something like this:

PHP Code:
$sql 'SELECT * FROM users WHERE userId = ?';
$query $this->db->query($sql, array($userId)); 

Would the above be immune to SQL injection attacks?  Or do I need to still escape or do something extra?

The reason we use these is for some complex queries, we can test the SQL directly in PhpMyAdmin or something to ensure it is getting the right data results, and then simply copy/paste the SQL as the query and just replace the values with ? placeholders.

Thank you for your help.
Reply
#19

(08-25-2017, 09:52 PM)rjrj2000 Wrote: Sorry to revive an old thread, but I wanted to ask if using actual SQL with ? placeholders is safe from SQL injection attack, as opposed to ActiveRecord / QueryBuilder?

It's safe. You can look up functions in the user guide.
https://www.codeigniter.com/user_guide/d...y-bindings
Reply




Theme © iAndrew 2016 - Forum software by © MyBB