Preventing XSS injection in querystring
#8

(This post was last modified: 12-28-2017, 06:51 AM by jreklund. Edit Reason: Added a side note to jihob. )

@jhob:
Remove the second value (true); it's not recommended to strip for XSS before inserting it into the database. That can leave you open to database-truncated XSS attacks. You should validate your data against what you are expecting instead. Does the user specify only an e-mail? Validate against that. Only numbers? Validate against that. And so forth.
Note: In your case, with only searching, it doesn't matter. But I guess you are using it on every GET/POST as well.

@rolly:
A note regarding your regex: if the code handles UTF-8, you will need to add the letter 'u' at the end of the regex. Depending on what the user supplies, it can be a helpful function.

@XtreemDeveloper:
That's not a good recommendation. It will leave you open to XSS attacks in ALL html attributes. You will need to escape the data depending on where you are using it.

Here are some good resources regarding the matter. The built-in html_escape in CI is the same as htmlspecialchars and should only be used in the "HTML BODY" if you don't want the HTML to be rendered. For everything else you need to take extra precautions.
https://www.owasp.org/index.php/XSS_(Cro...es_Summary
https://paragonie.com/blog/2015/06/preve...-need-know
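The approach jreklund describes, validate on input against what the field is expected to hold and escape on output according to the context the value lands in, as an added PHP example that is not part of this thread or of CodeIgniter itself. The function names (validateEmail, validateId, validateSearchTerm, escHtml, escJs, escUrlParam, renderSearch) are my own; CodeIgniter's html_escape() is, as the post says, a wrapper around htmlspecialchars(), so escHtml() below stands in for it with the quote flags made explicit. The last lines show why the attribute context needs ENT_QUOTES: with ENT_COMPAT (the htmlspecialchars default before PHP 8.1) a single quote passes through and can close a single-quoted attribute.

```php
<?php
// Added example, not code from the forum thread or from CodeIgniter.
declare(strict_types=1);

// --- Input validation: accept only the shape the field is supposed to have ---

function validateEmail(string $raw): ?string {
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validateId(string $raw): ?int {
    // ASCII digits only: rejects "12abc", "-1", "1e3", "".
    return ctype_digit($raw) ? (int) $raw : null;
}

function validateSearchTerm(string $raw): ?string {
    // Letters of any script, digits, space and a few punctuation marks, 1-64 chars.
    // The /u modifier makes \p{L}, \p{N} and the {1,64} quantifier work on
    // UTF-8 code points instead of single bytes (the point raised to @rolly).
    return preg_match('/^[\p{L}\p{N} .,\-]{1,64}$/u', $raw) === 1 ? $raw : null;
}

// --- Output escaping: pick the encoder by where the value is rendered ---

// HTML body text and quoted HTML attributes. ENT_QUOTES also encodes the
// single quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function escHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value embedded in a <script> block or inline handler: json_encode with the
// JSON_HEX_* flags so < > & ' " are hex-escaped and cannot close the script.
function escJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// One query-string component of a URL.
function escUrlParam(string $s): string {
    return rawurlencode($s);
}

// Render a search widget; $q is the raw ?q= value from the request.
function renderSearch(string $q): string {
    $term = validateSearchTerm($q) ?? '';          // invalid input -> empty term
    return '<input type="search" name="q" value="' . escHtml($term) . '">' . "\n"
         // href: URL-encode the parameter first, then HTML-escape the whole attribute.
         . '<a href="/search?q=' . escHtml(escUrlParam($term)) . '">Search again</a>' . "\n"
         . '<script>var lastQuery = ' . escJs($term) . ';</script>' . "\n";
}

// Constructed sample value: a single quote followed by an attribute name.
$sample = "' onmouseover='x";
echo "ENT_COMPAT: value='" . htmlspecialchars($sample, ENT_COMPAT, 'UTF-8') . "'\n";
echo "ENT_QUOTES: value='" . escHtml($sample) . "'\n";

echo renderSearch('<b>hi</b>');      // fails validation, renders with an empty term
echo renderSearch('Zürich café');    // accepted thanks to /u, escaped for each context
var_dump(validateEmail('user@example.com'), validateEmail('not an address'));
var_dump(validateId('42'), validateId('42abc'));
```

Run it with `php example.php`. The first two echo lines make the attribute problem visible: under ENT_COMPAT the output still contains the raw `'`, so the browser sees the attribute end early, while under ENT_QUOTES it becomes `&#039;` and stays inside the value. Validation rejects the tagged input before it is stored, which is the "validate against what you expect" part of the advice; escaping at render time is what protects the HTML, URL and script contexts separately.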


Messages In This Thread
Preventing XSS injection in querystring - by jhob - 12-19-2017, 06:34 AM
RE: Preventing XSS injection in querystring - by jreklund - 12-28-2017, 06:48 AM


