Escaping data in views
#1

Hi, I have a few questions regarding escaping data and filtering data, because I am new to security issues and I want to prevent XSS attacks and SQL injections.

I am using CI4, so I know that with the query builder, SQL injections are prevented because it escapes automatically.

Regarding escaping in the views:
1) Does everything that is echoed need to be escaped? Is using just the esc() function with the first parameter enough? I read that if you want to escape a URL, the second parameter is 'url', but I tried to escape a href with esc(base_url(..../...),'url') and when I click on that button, it doesn't redirect me to the correct page.

2) If I want to be "security cleaned" when they are submitting some form to a DB, and I do it through an AJAX call, do I need to do something before calling the controller method? In the controller, should I escape/filter the variables? In the model I am using the query builder class.

3) Any other good tip is accepted. Thanks!!
#2

Use the built-in urlencode() method.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#3

We would need more info on what page it directed you to. Is it possible it is a relative URL and needed the forward slash at the beginning of the URL? That would take you to a wrong location.

Escaping a URL is fine like that. It's basically a wrapper around PHP's rawurlencode().

The esc() function is a wrapper around the Laminas Escaper. Reading through their docs can provide more info on when you might want to use each type of escaping.
#4

(This post was last modified: 07-11-2022, 09:52 PM by ClaudeSjDevinHenry.)

As a rule, I would escape anything coming from user input, a data source or even calculations. You want the output to be predictable; escaping ensures that it is. If the value, when converted to a string, contains characters that break your desired markup, things would get messy.

If you're using a view, $this->escape($variableToEscape) should suffice.
#5

To protect against XSS attacks, you could use the "esc" function. You may refer to this documentation: https://codeigniter.com/user_guide/gener...tions.html
For preventing SQL injection, the data needs to be escaped: https://codeigniter.com/user_guide/datab...eries.html
#6

To prevent SQL injection try the "Escaping Queries" method:
PHP Code:
<?php
// Read the submitted username, then let the database driver quote and escape it
// before it is concatenated into the SQL string.
$name = $this->input->post('uname');
// $this->db->escape() returns the value already wrapped in quotes, so none are added here.
$cn = 'SELECT * FROM tbl_users WHERE user_name=' . $this->db->escape($name);
$this->db->query($cn);
?>
There are many more methods. Don't be afraid to try other ones!
#7

> Every thing that is echoed needs to be escaped?

Yes, unless it is guaranteed to be an HTML string that can be displayed without any problems,
and developers can easily see that it is guaranteed.

> using just the esc() function with the first parameter is enough?

No, not enough.
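Why esc($url, 'url') breaks the link in the original question, and what "not enough" means in practice, as an added example that is not code from this thread or from CodeIgniter. It assumes only the PHP primitives the esc() contexts wrap (htmlspecialchars and rawurlencode, as post #3 notes) and uses constructed sample values; the real Laminas Escaper encodes attribute values more aggressively than htmlspecialchars, but the contexts behave the same way.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for context-specific escaping (assumption: not Laminas' exact output).
function escape_for(string $value, string $context = 'html'): string
{
    switch ($context) {
        case 'html':  // text placed between tags
        case 'attr':  // value placed inside a double-quoted attribute
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        case 'url':   // ONE value being inserted INTO a URL (a path segment or query value)
            return rawurlencode($value);
        default:
            throw new InvalidArgumentException("unknown context: $context");
    }
}

// Constructed sample values: a trusted application URL and an attacker-controlled search term.
$baseUrl   = 'https://example.test/users/profile';
$userInput = '"><script>alert(1)</script>';

// 1) The mistake from the question: 'url' percent-encodes the WHOLE address, so ":" and "/"
//    become %3A and %2F. The browser then treats the result as a relative path, which is
//    exactly the "does not redirect to the correct page" symptom.
$broken = escape_for($baseUrl, 'url');
echo '<a href="' . $broken . '">broken</a>', PHP_EOL;
// https%3A%2F%2Fexample.test%2Fusers%2Fprofile

// 2) Correct: keep the trusted base as-is, 'url'-escape only the untrusted parameter value,
//    then escape the finished URL for the context it is printed in (an HTML attribute).
$href = $baseUrl . '?q=' . escape_for($userInput, 'url');
echo '<a href="' . escape_for($href, 'attr') . '">search</a>', PHP_EOL;

// 3) Why the first parameter alone is "not enough": the same value needs a different
//    encoding depending on where it lands. HTML escaping does nothing useful inside a URL,
//    and URL encoding does nothing useful inside HTML text.
echo escape_for($userInput, 'html'), PHP_EOL;                          // safe as text
echo '<input value="' . escape_for($userInput, 'attr') . '">', PHP_EOL; // safe in an attribute

// Escaping only neutralises markup characters. A full URL supplied by the user (for example
// one starting with "javascript:") must be validated against an allow-list of schemes and hosts;
// no escaping context makes an untrusted URL safe to use as a link target.
```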