SQL Injection and XSS filtering
#1

[eluser]royduin[/eluser]
Hi!

In the past I wrote websites in "plain PHP". There I used mysql_real_escape_string for every variable I wanted to store in the database.
When I got something out of the database or just displayed some input, I used htmlentities($string, ENT_QUOTES, "UTF-8") everywhere, except in places where I want to display it as "real HTML", like some pages stored in the database written in some WYSIWYG editor (that's only for the staff; visitors can't).

That does the job and is, in my opinion, 100% safe against SQL injection and XSS.

Now I'm using CodeIgniter and want it 100% safe too.
I'm using the active record class for my database work to prevent SQL injection. Is that 100% safe from SQL injection?
And in the config I've got XSS filtering on, but I don't think that's 100% safe.. Or it doesn't do what I expect.

If somebody puts something like "<h1>Something</h1>" (without the quotes) in an input and I'm going to display this, it's not escaped or anything, so the H1 is on the page!
Not really an XSS problem, but not what I want. So what to do?

So...
- XSS filtering in the config, on or off?
- By using the active record class, am I 100% safe from SQL injection?
- When showing some input, always run it through htmlentities like I did before?

Or...
- When validating the input with the form validation, put htmlentities in the rules? But then I don't have "clean" information in the database.. It's an output problem, not an input problem..

Please help! :)

Thanks! Roy
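The "output problem, not an input problem" point from the post, worked through as an added example (not code from the thread or from CodeIgniter): the raw text is stored unchanged, the SQL side is protected by parameter binding, and escaping happens only at the moment a value is written into HTML. CodeIgniter's active record escapes the values you hand it; this example assumes plain PDO with an in-memory SQLite table instead so it runs without the framework. The functions h, store_comment, load_comment, render_comment and render_trusted_page, the comments table and the sample input are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Escape a value for insertion into HTML text or attribute content.
// ENT_QUOTES covers both quote styles, so the result is also safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of making htmlentities() return an empty string.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store user input exactly as submitted. The database is protected by
// parameter binding; the data itself is not modified on the way in.
function store_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Visitor-facing rendering: every untrusted field goes through h(),
// so a submitted "<h1>Something</h1>" is shown as text, not as a heading.
function render_comment(array $row): string
{
    return '<div class="comment"><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</div>';
}

// The WYSIWYG case from the question: staff-authored HTML is emitted
// as-is. This path must only ever receive content written by the staff,
// never anything a visitor submitted.
function render_trusted_page(string $html): string
{
    return '<article>' . $html . '</article>';
}

// Constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: a quote in the name and the tag from the question.
$id  = store_comment($db, "O'Brien", '<h1>Something</h1>');
$row = load_comment($db, $id);

// The stored data is still the literal text, quote and tags intact.
assert($row['author'] === "O'Brien");
assert($row['body'] === '<h1>Something</h1>');

// Escaping happens here, at output time, per context.
echo render_comment($row), PHP_EOL;
echo render_trusted_page('<h1>Staff page</h1>'), PHP_EOL;
```

Because h() is applied in the view and not in a validation rule, the same stored value can be shown escaped to visitors, exported to JSON, or edited again in a form without a second round of decoding; the WYSIWYG path stays a separate, deliberately trusted function rather than a flag that switches escaping off.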


Messages In This Thread
SQL Injection and XSS filtering - by El Forum - 09-29-2012, 12:05 PM
SQL Injection and XSS filtering - by El Forum - 09-29-2012, 12:44 PM
SQL Injection and XSS filtering - by El Forum - 09-30-2012, 04:43 AM
