CodeIgniter Forums
Cleaning my DB Input? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Cleaning my DB Input? (/showthread.php?tid=29944)

Cleaning my DB Input? - El Forum - 04-27-2010

[eluser]invision[/eluser]
Hi,

I wonder, what are the best practices for DB input?

I currently have a function/method in my Model:

Code:
function createEntry() {

        $data = array('author' => $this->input->post('author'),
            'content' => $this->input->post('comments')
        );
        // xss clean & escape sql
        // insert data
        $this->db->insert('data',$data);

    }

In my Controller I have already validated the value:

Code:
function create()
    {
    $this->load->helper(array('form', 'url'));        
    $this->load->library('form_validation');
        
    $this->form_validation->set_error_delimiters('<div class="error">', '</div>');
                    
    /* Form Validation */            
    $this->form_validation->set_rules('author', 'Author', 'trim|required');
    $this->form_validation->set_rules('comments', 'Comments', 'trim|required');  
    
    #Input and textarea field attributes
    $data["author"] = array('name' => 'author', 'id' => 'author');
    $data['comments'] = array('name' => 'comments', 'id' => 'comments');
        
                
        if ($this->form_validation->run() == FALSE)
        {        
          $this->load->view('add');
        }
        else
        {        
          $this->load->model('Guestbook_model');
          $data['cats'] = $this->Guestbook_model->createEntry();
          $this->load->vars($data);
          $this->load->view('add_success');
        }
    }

But I would like to 1) type check the value and 2) stop any XSS or SQL Injection attacks.

I'm using ActiveRecord and read somewhere I'm covered for SQL Injection, but not XSS. Is this right?


Can anyone show me how to best do this with the code provided.



Many thanks for your help.

Cleaning my DB Input? - El Forum - 04-27-2010

[eluser]steelaz[/eluser]
If you're using ActiveRecord, you should be safe against SQL Injection. To check input against XSS, there is prepping function in form validation library - "xss_clean". You can add it as ane regular rule:

Code:
$this->form_validation->set_rules('author', 'Author', 'trim|required|xss_clean');


There are a few other prepping functions - http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#preppingreference

You can also set global xss_clean checking for all user input in /config/config.php

Cleaning my DB Input? - El Forum - 04-27-2010

[eluser]invision[/eluser]
Brilliant, just what I wanted to hear.

I'm also going to now use this: http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#rulereference for Type Check functions.


Thanks for all your help.