Is this a security risk? - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com) > Archived Discussions > Archived General Discussion
Thread: Is this a security risk? (https://forum.codeigniter.com/showthread.php?tid=34652)
Is this a security risk? - El Forum - 10-05-2010
Posted by BaRzO

Hi All,

I am using CI 1.7.2 on a Linux box. This is my URL: example.com/products/White-Small-Cream-Box

I am using

Code:
    $str = $this->uri->segment(2);

Code:
    $sql = $this->db->where('product_name', $str)->get('products', 1);

And if I set the config as

Code:
    $config['global_xss_filtering'] = FALSE;

Do I have to set it to TRUE?

Is this a security risk? - El Forum - 10-05-2010
Posted by mi6crazyheart

I think, if you are filtering your data when accessing it from any form by using "xss_clean", then there is no need to enable it globally. Because XSS (Cross-site Scripting Hacks) filtering can be enabled globally, or upon request.

Is this a security risk? - El Forum - 10-05-2010
Posted by BaRzO

I read the user guide again... The user guide says Active Record escapes the data, but I want to be sure: am I using it right?

Is this a security risk? - El Forum - 10-06-2010
Posted by kenjis

Quote (author="Mustafa Kahraman", date="1286353859"):
> Hi All,
>
> I am using CI 1.7.2 on a Linux box. This is my URL: example.com/products/White-Small-Cream-Box
>
> I am using
>
> Code:
>     $str = $this->uri->segment(2);
>
> Code:
>     $sql = $this->db->where('product_name', $str)->get('products', 1);
>
> And if I set the config as
>
> Code:
>     $config['global_xss_filtering'] = FALSE;
>
> Do I have to set it to TRUE?

Probably there is no XSS risk if you use the default permitted_uri_chars setting. (Of course, I couldn't guarantee no risk.)

Code:
    $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Because the default setting only permits the above characters in URI segments, and writing JavaScript XSS code using only the above characters is difficult.
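As an added example (not code from the thread or from CodeIgniter itself), the script below mirrors the three layers the replies rely on so they can be tried outside CI: the `permitted_uri_chars` allow-list applied to a segment, a bound-parameter lookup giving the same guarantee the user guide describes for Active Record's `where()` escaping, and output encoding at the point the name is echoed. It assumes PDO with an in-memory SQLite table constructed inline and the default allow-list value quoted in kenjis's reply.

```php
<?php
// Added example, not CodeIgniter's own code: a standalone script mirroring the
// checks discussed in the thread. Assumptions: the allow-list is the default
// permitted_uri_chars value quoted above; the products table is an in-memory
// SQLite table constructed here.

// 1. Segment allow-list: the same character class as $config['permitted_uri_chars'],
//    used as a bracket expression and matched case-insensitively over the whole segment.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

function segment_is_permitted(string $segment): bool
{
    return preg_match('/^[' . PERMITTED_URI_CHARS . ']+$/i', $segment) === 1;
}

// 2. The lookup: a bound parameter keeps the segment out of the SQL text, which is
//    the guarantee the user guide gives for Active Record's where() escaping.
function find_product(PDO $db, string $segment): ?array
{
    if (!segment_is_permitted($segment)) {
        return null;                       // CI would reject the request at the router
    }
    $stmt = $db->prepare('SELECT id, product_name FROM products WHERE product_name = :name LIMIT 1');
    $stmt->execute([':name' => $segment]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. XSS is handled where the value is echoed into HTML, independently of
//    global_xss_filtering: encode on output.
function render_product_name(array $row): string
{
    return htmlspecialchars($row['product_name'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample data and segments: a valid slug, a legitimate name with an
// apostrophe (rejected by the allow-list), and a segment carrying angle brackets.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, product_name TEXT)');
$db->exec("INSERT INTO products (product_name) VALUES ('White-Small-Cream-Box')");

foreach (['White-Small-Cream-Box', "O'Neil-Box", 'White<b>Box'] as $seg) {
    $state = segment_is_permitted($seg) ? 'allowed' : 'rejected';
    $row   = find_product($db, $seg);
    echo "$seg: $state, " . ($row ? 'found ' . render_product_name($row) : 'no row') . "\n";
}
```

Note the practical caveat the second sample shows: the default allow-list also rejects ordinary characters such as apostrophes, so product slugs used in URLs need to be built from the permitted set.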