Preventing SQL Injection Attacks using Active Record
[eluser]RaGe10940[/eluser]
Going off what was said earlier, you should be doing the following:

1) Always sanitize your data. Most people will tell you to use the xss_clean, but in my opinion you should stray away from that. I would rather suggest for you to use PHP's native functions: http://www.php.net/manual/en/book.filter.php Keep in mind though the CI validation is great, so no need to use the PHP native validation functions. But in general I would use the PHP sanitation functions.

2) The CSRF for CI is pretty good if you ask me... (update the token regularly, probably around 7200 seconds - 2 hours). You can also use captcha...

3) Use PDO... PLEASE.... http://ellislab.com/forums/viewthread/218455/ and http://php.net/manual/en/book.pdo.php

4) For some reason CI doesn't mention this, but there are two steps at fighting off XSS... first it's input validation -> filter input -> escape output... For some reason CI (again idk why) uses a black list approach (which is arguably bad - not going to go in depth, use google) and doesn't escape data. Using

Code:
htmlspecialchars($yourvariable, ENT_QUOTES, 'UTF-8');

And sorry to hear about your SQL-Injection... for more reading on PDO in CI go to ci/system/database/drivers/pdo_driver.php and set these variables:

Code:
function db_connect()

These are found around line 94. The emulate prepares will add another layer of database abstraction. Also make sure to explicitly state a char_set. There are SQLi attacks that take advantage of even PDO because they use different char_sets... you must explicitly state your char_set *you're stating probably utf-8 which is good!*
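The validate -> filter -> parameterize -> escape-on-output sequence the post above describes, as an added example that is not part of the original post and is not CodeIgniter's own code. It runs against an in-memory SQLite database so it works offline; the table, rows and hostile input are constructed for the demo, and the MySQL DSN constant (where the charset the post insists on actually belongs) is illustrative only and is never used to connect.

```php
<?php
// Added example, not from the original post or from CodeIgniter.
declare(strict_types=1);

// With MySQL the charset goes into the DSN; this constant only shows the shape
// and is not used below (the demo connects to SQLite instead).
const MYSQL_DSN_EXAMPLE = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Ask the driver for real server-side prepared statements instead of
        // client-side string interpolation (matters for MySQL; SQLite ignores it).
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed schema and sample rows for the demo.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
    $pdo->exec("INSERT INTO users (username, bio) VALUES ('alice', '<b>hi</b>'), ('bob', 'plain')");
    return $pdo;
}

// Step 1: validate. Anything that is not a plausible username is rejected
// before it gets anywhere near the database (PHP's native filter functions).
function validateUsername(string $raw): ?string
{
    $clean = filter_var($raw, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[A-Za-z0-9_]{1,32}$/']]);
    return $clean === false ? null : $clean;
}

// The vulnerable pattern: the input is concatenated into SQL text, so it can
// rewrite the query.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, bio FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll();
}

// The hardened pattern: the value travels as a bound parameter and is always
// treated as data, never as part of the statement.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll();
}

// Step 3: escape on output, for the context you are writing into (HTML here).
function renderBio(array $row): string
{
    return '<p>' . htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8') . '</p>';
}

$pdo   = connect();
$input = "' OR '1'='1";   // constructed hostile input

echo count(findUserUnsafe($pdo, $input)), " rows from the concatenated query\n"; // 2: every user leaks
echo count(findUserSafe($pdo, $input)),   " rows from the prepared query\n";     // 0: input is a literal

if (validateUsername($input) === null) {
    echo "validation rejected the input before any query was built\n";
}

foreach (findUserSafe($pdo, 'alice') as $row) {
    echo renderBio($row), "\n"; // <p>&lt;b&gt;hi&lt;/b&gt;</p>
}
```

The stored bio is deliberately left unescaped in the database: escaping happens at render time, in the output function, so the same row can later be emitted into JSON or a plain-text mail with the escaping appropriate to that context rather than with HTML entities baked in.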
Messages In This Thread
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-10-2013, 02:24 PM
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-11-2013, 08:21 PM
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-12-2013, 08:11 AM
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-14-2013, 06:45 PM