Security issue - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Discussions > Archived General Discussion
Thread: Security issue (/showthread.php?tid=24906)
Security issue - El Forum - 11-24-2009
[eluser]nebulom[/eluser]
I'm updating code and passing some values with a single quote. Code in the model is like

Code:
function updateDiscussion($id) {

But when I do that, it still can't escape correctly. It returns like

Quote:
UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = ''So if i put automatic Xss-filtering i will prevent sql ... It's a very good security practice to escape your data before submitting it into your database. ... to escape the string using the character set of the database. ...'', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'

Why 2 single quotes? It should be the "It's" that has 2 single quotes. Any clarification? I'm a bit lost here. Thanks.

Security issue - El Forum - 11-24-2009
[eluser]Colin Williams[/eluser]
It's probably not a single quote, but a non-encoded single quote entity (’ or ‘, just not escaped). You might encounter this if you are pasting from a word processor.

Security issue - El Forum - 11-24-2009
[eluser]nebulom[/eluser]
I don't know. I tried typing "hello' world" and it still fires the error. Here's without the escape:

Quote:
UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = 'hello' world', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'

and with

Code:
$data = array(

Quote:
UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = ''hello' world'', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'

I'm with oci8. Does that count? Thanks.

Security issue - El Forum - 11-24-2009
[eluser]nebulom[/eluser]
I think it's with the oci8 driver. Tried testing it with MySQL and it works fine. I'm with CodeIgniter 1.7.1. Does anyone know what's going on? Thanks.

Security issue - El Forum - 11-25-2009
[eluser]nebulom[/eluser]
I've added the

Code:
// escape single quotes and double quotes

Code:
function escape_str($str, $like = FALSE)
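As an added example that is not code from the thread and not CodeIgniter's oci8 driver: a PHP escape routine for Oracle string literals that doubles only the quotes inside the value, plus a small statement builder that prints the SQL the thread's inputs would produce. The table and column names are taken from the thread; the builder itself, its raw-expression handling for sysdate and the `!` LIKE escape character are assumptions made for illustration.

```php
<?php
// Added example: not the thread's code and not CodeIgniter's oci8 driver.
// Oracle delimits string literals with single quotes and escapes an
// embedded quote by doubling it. A driver-level escape_str() must double
// ONLY the quotes inside the value; the outer quotes are added afterwards
// by whatever builds the statement. Doubling the outer quotes instead
// yields the ''hello' world'' shown in the thread, which is still invalid.

function oracle_escape_str(string $str, bool $like = false): string
{
    // hello' world  ->  hello'' world
    $str = str_replace("'", "''", $str);

    if ($like) {
        // LIKE patterns also need their wildcards neutralised. Oracle has no
        // default escape character, so the query using this value must end
        // with ESCAPE '!'. Using '!' is an assumption of this example.
        $str = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $str);
    }
    return $str;
}

// Small statement builder standing in for the framework's update() call
// (assumed shape, not CodeIgniter's API). $literals are escaped and quoted;
// $raw holds SQL expressions such as sysdate that the caller explicitly
// marks as trusted and that must never come from user input.
function build_update(string $table, array $literals, array $raw, string $id): string
{
    $set = [];
    foreach ($raw as $col => $expr) {
        $set[] = "\"$col\" = $expr";
    }
    foreach ($literals as $col => $val) {
        $set[] = "\"$col\" = '" . oracle_escape_str($val) . "'";
    }
    return "UPDATE \"$table\" SET " . implode(', ', $set)
         . " WHERE \"ID\" = '" . oracle_escape_str($id) . "'";
}

// Constructed inputs modelled on the thread.
$inputs = [
    "hello' world",                  // ASCII quote: becomes hello'' world
    "It\u{2019}s pasted from Word",  // typographic quote: not a delimiter, left alone
    "x' OR '1'='1",                  // injection attempt: stays inside the literal
];

foreach ($inputs as $in) {
    echo build_update(
        'EES_BPC_DISC',
        ['COMMENTS' => $in, 'LAST_UPDATE_BY' => 'EES_ADMIN'],
        ['LAST_UPDATE_DATE' => 'sysdate'],
        '1'
    ), PHP_EOL;
}
```

The first input produces `"COMMENTS" = 'hello'' world'`, which Oracle parses as the five-character value plus one embedded quote; the curly quote from a word processor is not a delimiter and passes through unchanged; the injection attempt remains a single literal because its quotes are doubled. When the driver allows it, bind variables (oci_parse with a `:comments` placeholder and oci_bind_by_name) avoid the problem entirely, since the value is never spliced into the SQL text and no escaping is needed.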