Security in post/get
#1

[eluser]ClaudioX[/eluser]
Hi all,

I'm using $this->input->post("field", TRUE) to protect the system, but I think the function does not do everything that I thought it would.

I'm doing a search page: the user writes the word in an input, and after the submit I echo the value of the input. As a test, I wrote "script alert("hello") /script", and the alert worked...

Is there something in the framework that implements the slashes, trim, htmlentities? If not, what security do you advise me?

And really thanks to David Pennington, for this video about security. Thanks man!
#2

[eluser]Thorpe Obazee[/eluser]
Do you mean you tested writing:
Code:
script alert(“hello”) /script

or

Code:
<script> alert(“hello”) </script>

?

EDIT: I actually tried it and it didn't work, as the XSS filter would replace the words '<script>' and '</script>' with '[removed]'.
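The two posts above raise the underlying question: what actually stops the echoed search term from executing? The following is an added example, not code from the thread or from CodeIgniter. It uses only plain PHP built-ins, so it runs outside the framework. The `toy_blacklist_filter()` function is a deliberately simple stand-in for a tag-blacklisting filter of the kind the reply describes (it replaces `<script>` tags with `[removed]`); it is not CodeIgniter's own `xss_clean()`. The point it shows is that escaping at output time with `htmlspecialchars()` neutralises every special character regardless of which tags a blacklist happens to know about, while preserving the user's text exactly.

```php
<?php
// Added example (not from the thread or from CodeIgniter itself).
// Shows why escaping at output time, not filtering at input time,
// is the control that keeps an echoed search term inert.

declare(strict_types=1);

/**
 * Escape a value for safe insertion into an HTML text node or a
 * double-quoted attribute. ENT_QUOTES covers both ' and ";
 * ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Toy stand-in for a tag blacklist like the one described in the reply:
 * it rewrites <script> and </script> to "[removed]" and nothing else.
 * Hypothetical helper for illustration only, NOT CodeIgniter's xss_clean().
 */
function toy_blacklist_filter(string $value): string
{
    return preg_replace('#</?script\b[^>]*>#i', '[removed]', $value) ?? $value;
}

/**
 * Render the search-results header the way the original poster does,
 * but with the query escaped at the point it is written into HTML.
 */
function render_search_header(string $query): string
{
    return '<p>Results for: <strong>' . escape_html($query) . '</strong></p>';
}

// Constructed sample inputs (not captured from any real request).
$samples = [
    'hello world',
    '<script>alert("hello")</script>',     // the payload from the thread
    '5 < 6 && "quoted" text',              // benign input a blacklist must not mangle
];

foreach ($samples as $q) {
    echo "input:    {$q}\n";
    echo "filtered: " . toy_blacklist_filter($q) . "\n";   // blacklist result
    echo "rendered: " . render_search_header($q) . "\n\n"; // escaped output
}
```

Run it with `php example.php`. The second sample comes out of the blacklist as `[removed]alert("hello")[removed]`, which destroys what the user typed, whereas the escaped rendering is `&lt;script&gt;alert(&quot;hello&quot;)&lt;/script&gt;`, which the browser displays as literal text and never executes. The third sample shows the other half of the trade-off: escaping leaves ordinary input intact, so the search term the user sees is exactly the one they entered. The check to make on the original search page is to view the page source after submitting the test string and confirm the angle brackets arrive as `&lt;` and `&gt;`.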