Best practice of handling user's input

(02-20-2016, 01:03 PM)Geril Wrote: Hi,

I wonder what is the best and the most secured way of handling user's input. Basically I have form for user's profile made by form helper like this: 

Code:
echo form_open();
   echo form_label($this->lang->line('user_update_profile_first_name'), 'first_name');
   // third argument FALSE: skip set_value()'s own html escaping (see explanation below)
   echo form_input(array('type' => 'text', 'name' => 'first_name', 'id' => 'first_name', 'maxlength' => '255', 'required' => 'true', 'value' => set_value('first_name', $user_profile['first_name'], false)));

   echo form_label($this->lang->line('user_update_profile_last_name'), 'last_name');
   echo form_input(array('type' => 'text', 'name' => 'last_name', 'id' => 'last_name', 'maxlength' => '255', 'required' => 'true', 'value' => set_value('last_name', $user_profile['last_name'], false)));

   echo form_label($this->lang->line('user_update_profile_birth_date'), 'birth_date');
   echo form_input(array('type' => 'text', 'name' => 'birth_date', 'id' => 'birth_date', 'maxlength' => '255', 'required' => 'true', 'value' => set_value('birth_date', $user_profile['birth_date'], false)));

   echo form_submit(array('value' => $this->lang->line('user_update_profile_form_submit'), 'name' => 'submit', 'class' => 'btn btn-primary'));
echo form_close();

As you can see in my code, I am skipping the xss filtering provided in the set_value function because xss filtering is done in form_input() already. My controller function for inserting data into the DB looks like this:

Code:
$validation_rules = array(
   array(
       'field' => 'first_name',
       'label' => $this->lang->line('user_update_profile_validation_error_first_name'),
       'rules' => 'required|trim|max_length[255]'
   ),
   array(
       'field' => 'last_name',
       'label' => $this->lang->line('user_update_profile_validation_error_last_name'),
       'rules' => 'required|trim|max_length[255]'
   ),
   array(
       'field' => 'birth_date',
       'label' => $this->lang->line('user_update_profile_validation_error_birth_date'),
       'rules' => 'required|trim|max_length[255]'
   )
);

$this->form_validation->set_rules($validation_rules);
if($this->form_validation->run()) {
   $user_data = array(
       'user_id' => $this->profile_data->user_id,
       // second argument TRUE runs the input through xss_clean()
       'first_name' => $this->input->post('first_name', TRUE),
       'last_name' => $this->input->post('last_name', TRUE),
       // strtotime() returns FALSE for unparseable input, which date() then renders as 1970-01-01
       'birth_date' => date('Y-m-d',strtotime($this->input->post('birth_date', TRUE)))
   );

   if($this->user_model->update_user_profile($user_data)) {
       $view_data['success'] = TRUE;
       // NOTE: 'site_language' is not assigned in $user_data above
       $new_site_language = $this->language_model->getLanguageFolderById($user_data['site_language']);
       $this->lang->load('application/user_lang', $new_site_language);

   } else {
       $view_data['server_error'] = TRUE;
   }
}

Here I am filtering the data from the user with the xss filter provided by $this->input->post('', true). In the model I am inserting the data into the DB with the active record class. I am just wondering whether this is the right and secure way of handling user input, or whether something like htmlspecialchars() is also needed. But what happens when someone has "special" characters in their name, for example Someone O'Sombody, or some names from foreign countries? I am also showing data in the navbar using html_escape($this->profile_data->first_name) to prevent a user's potentially dangerous code from running. Did I get this whole "security thing" right, or should something be changed because of a potential danger?

I prefer simple stuff; security = know what the fuck you are doing and what you are receiving from the user. So I do the same as you do, except that I build my own forms with simple HTML and... I filter the data I receive the following way:

Code:
//Example
$this->form_validation->set_rules('entity_id', 'entity_id', 'trim|xss_clean|prep_for_form|htmlspecialchars|is_natural');
$this->form_validation->set_rules('street', 'Calle', 'trim|required|xss_clean|prep_for_form|htmlspecialchars|min_length[2]|max_length[500]');
  • trim: to be sure that the info has no tabs, nulls or spaces
  • xss_clean: removes weird JS injections, PHP tags, non-printable characters and many kinds of XSS attacks (check core/Security.php)
  • prep_for_form: avoids tags/quotes breaking my form
  • htmlspecialchars: final hit to be completely sure that nothing is bypassing the validations

then the common validations... max_length, is_natural, etc.

I hope my opinion helps you.
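Added example, not from either post and not CodeIgniter code: it shows the separation the thread circles around, validate on input, bind parameters when storing, escape for the output context at output time, in plain PHP with PDO and an in-memory SQLite database (the thread's own code uses CodeIgniter's query builder, which this example does not depend on). The function names validate_profile, save_profile and e, the users table and the sample submissions are hypothetical and constructed for the demonstration.

```php
<?php
// Added example (not from the thread): validate on input, bind on storage, escape on output.
// Plain PHP with PDO + in-memory SQLite so it runs stand-alone; CodeIgniter is not used.
declare(strict_types=1);

// 1. Validation: reject what does not fit; do not "clean" it into something else.
function validate_profile(array $post): array
{
    $errors = [];
    foreach (['first_name', 'last_name'] as $field) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value, 'UTF-8') > 255) {
            $errors[$field] = 'required, at most 255 characters';
        }
    }
    // strtotime() accepts almost anything ("0", "next tuesday") and returns false on
    // garbage, which date() then turns into 1970-01-01. Parse one fixed format and
    // round-trip it so that "1990-02-29" is rejected instead of rolling over to March 1.
    $raw  = trim((string) ($post['birth_date'] ?? ''));
    $date = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        $errors['birth_date'] = 'expected YYYY-MM-DD';
    }
    return $errors;
}

// 2. Storage: a bound parameter is never parsed as SQL, so O'Sombody needs no special care.
function save_profile(PDO $db, int $userId, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (id, first_name, last_name, birth_date) VALUES (:id, :fn, :ln, :bd)'
    );
    $stmt->execute([
        ':id' => $userId,
        ':fn' => trim($post['first_name']),
        ':ln' => trim($post['last_name']),
        ':bd' => trim($post['birth_date']),
    ]);
}

// 3. Output: escape for the HTML context at the moment of output, not on the way in.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, birth_date TEXT)');

// Constructed sample submissions: a legitimate apostrophe plus an XSS probe, and a bad date.
$good = ['first_name' => 'Zoë', 'last_name' => "O'Sombody <script>alert(1)</script>", 'birth_date' => '1990-03-01'];
$bad  = ['first_name' => 'Zoë', 'last_name' => "O'Sombody", 'birth_date' => '1990-02-29'];

var_dump(validate_profile($bad));   // array with only 'birth_date' => 'expected YYYY-MM-DD'
if (validate_profile($good) === []) {
    save_profile($db, 1, $good);
}

$row = $db->query('SELECT first_name, last_name FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
// Stored verbatim: the quote and the <script> tag are data, not SQL and not HTML.
assert($row['last_name'] === "O'Sombody <script>alert(1)</script>");

// Text-node context (the navbar) and attribute-value context (the edit form's value="").
echo '<span class="navbar-user">' . e($row['first_name'] . ' ' . $row['last_name']) . "</span>\n";
echo '<input type="text" name="last_name" value="' . e($row['last_name']) . "\">\n";

// What goes wrong when the same escaping is also applied on input: the stored value is
// already entity-encoded, so the output escaping doubles it and the browser shows the
// literal text O&apos;Sombody instead of O'Sombody.
$stored_escaped = e("O'Sombody");
echo e($stored_escaped), "\n";   // O&amp;apos;Sombody
```

Run it with `php example.php`. The point for the thread's question: the apostrophe in O'Sombody is harmless to the database as long as the value is passed as a bound parameter (or through the query builder's own escaping rather than string concatenation), and harmless to the page as long as every output point escapes for its context, which is what the html_escape() call in the navbar already does. Neither xss_clean nor htmlspecialchars on the input side replaces that: xss_clean rewrites data it considers dangerous rather than rejecting it, so legitimate input can come out altered, and input-side htmlspecialchars bakes one output context into the stored value, which the last two lines show double-encoding as soon as the value is escaped again on output.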


Messages In This Thread
Best practice of handling user's input - by Geril - 02-20-2016, 01:03 PM
RE: Best practice of handling user's input - by ikarius6 - 02-20-2016, 03:26 PM


