Security best practices... sanity check
#1

[eluser]Unknown[/eluser]
I'm fairly new to CI and wanted to make sure I'm properly handling security concerns in my application. In line with CI's recommended best practices, I perform the following before accepting any data into my application.

1. Filter the data as if it were tainted.
- I use CI’s Cross Site Scripting filter globally by setting 'global_xss_filtering' to TRUE in the CI config file.

2. Validate the data to ensure it conforms to the correct type, length, size, etc.
- I use CI’s form validation class on all fields on all forms that contain data used to populate the database.

3. Escape the data before submitting it into the database.
- I use CI’s active record class for all database inserts, updates, and deletions. With Active Record, all values are escaped automatically producing safer queries. As for select queries, most are custom and I always escape any variables used in those queries.

Is there anything else I should be doing? Specifically, should I be using any of the functions built into PHP (i.e. htmlspecialchars) to handle security and input data integrity? It seems like these CI functions do the trick, but I'm not sure if there's something I'm missing.
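The three steps above, plus the one the question hints at (escaping at output time), shown together as an added CodeIgniter 2.x example; this is not code from the original post or from the CodeIgniter project, and it assumes a hypothetical `comments` table with `id`, `author` and `body` columns.

```php
<?php
// --- application/controllers/comments.php (added example, not the poster's code) ---
class Comments extends CI_Controller {

    public function create()
    {
        $this->load->library('form_validation');

        // Step 2: validate type and length. The rules run on the already
        // XSS-filtered input when global_xss_filtering is TRUE (step 1).
        $this->form_validation->set_rules('author', 'Author', 'required|max_length[40]|alpha_dash');
        $this->form_validation->set_rules('body',   'Body',   'required|max_length[2000]');

        if ($this->form_validation->run() === FALSE) {
            return $this->load->view('comment_form');
        }

        // Step 3: Active Record escapes every value placed in the INSERT.
        $this->db->insert('comments', array(
            'author' => $this->input->post('author'),
            'body'   => $this->input->post('body'),
        ));

        redirect('comments/show/' . $this->db->insert_id());
    }

    public function show($id)
    {
        // Custom SELECT: query bindings escape the value for you, so there is
        // nothing to forget. Casting to int also enforces the expected type.
        $query = $this->db->query(
            'SELECT author, body FROM comments WHERE id = ?',
            array((int) $id)
        );
        $this->load->view('comment', array('row' => $query->row()));
    }
}
?>

<!-- --- application/views/comment.php --- -->
<!-- Step 4: escape at output, in the context the data is used in (HTML here).
     The global XSS filter changes what is stored; it does not make stored
     data safe to print. ENT_QUOTES covers attribute context as well. -->
<p><strong><?php echo htmlspecialchars($row->author, ENT_QUOTES, 'UTF-8'); ?></strong></p>
<p><?php echo htmlspecialchars($row->body, ENT_QUOTES, 'UTF-8'); ?></p>
```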


Messages In This Thread
Security best practices... sanity check - by El Forum - 02-21-2012, 09:27 AM
Security best practices... sanity check - by El Forum - 02-21-2012, 10:27 AM
Security best practices... sanity check - by El Forum - 02-21-2012, 12:05 PM