Is this a security risk?
#1

[eluser]BaRzO[/eluser]
Hi All,

I am using CI 1.7.2 on a Linux box.
This is my URL: example.com/products/White-Small-Cream-Box

I am using
Code:
$str = $this->uri->segment(2);
and I query the SQL like this
Code:
$sql = $this->db->where('product_name', $str)->get('products', 1);
In this sense, do I have any security hole for XSS or something else?
And if I set the config as
Code:
$config['global_xss_filtering'] = FALSE;

Do I have to set it TRUE ?
#2

[eluser]mi6crazyheart[/eluser]
I think, if you are filtering your data when accessing it from any form by using "xss_clean", then there is no need to enable it globally. Because XSS (Cross-site Scripting Hacks) filtering can be enabled globally, or upon request.
#3

[eluser]BaRzO[/eluser]
I read the user guide again... the user guide says Active Record escapes the data,
but I want to be sure I am using it right?
#4

[eluser]kenjis[/eluser]
[quote author="Mustafa Kahraman" date="1286353859"]Hi All,

I am using CI 1.7.2 on a Linux box.
This is my URL: example.com/products/White-Small-Cream-Box

I am using
Code:
$str = $this->uri->segment(2);
and I query the SQL like this
Code:
$sql = $this->db->where('product_name', $str)->get('products', 1);
In this sense, do I have any security hole for XSS or something else?
And if I set the config as
Code:
$config['global_xss_filtering'] = FALSE;

Do I have to set it TRUE ?[/quote]

Probably there is no XSS risk if you use the default permitted_uri_chars setting.
(Of course, I couldn't guarantee no risk.)

Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Because the default setting only permits the above characters in URI segments.
And writing JavaScript XSS code using only the above characters is difficult.
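As an added example (not code from this thread and not CodeIgniter's own code), the PHP script below rebuilds, stand-alone, the two defences the thread relies on: a whitelist check on the URI segment written by hand from the permitted_uri_chars default quoted above, and a parameterised lookup that gives the same guarantee as the Active Record query in post #1. The regex, the sample product rows and the pdo_sqlite dependency are assumptions of this example, not CI internals.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Assumes PHP with the pdo_sqlite extension; all product rows are constructed.

// Default quoted in post #4. CI validates each URI segment against this set
// before any controller runs; the regex below is a hand-written equivalent.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// True when every character of the segment is in the permitted set.
// Case-insensitive, so a-z also admits A-Z, as CI's check does.
function segment_is_permitted(string $segment, string $permitted = PERMITTED_URI_CHARS): bool
{
    if ($segment === '') {
        return false;
    }
    return preg_match('/^[' . $permitted . ']+$/i', $segment) === 1;
}

// Builds the in-memory table the lookup runs against (constructed sample data).
function sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, product_name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO products (product_name) VALUES (?)');
    foreach (['White-Small-Cream-Box', 'Red-Large-Gift-Box', "O'Reilly-Box"] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

// Equivalent of $this->db->where('product_name', $str)->get('products', 1):
// the segment is bound as a parameter, so it never becomes part of the SQL text.
function find_product(PDO $db, string $segment): ?array
{
    $stmt = $db->prepare('SELECT id, product_name FROM products WHERE product_name = ? LIMIT 1');
    $stmt->execute([$segment]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output-side escaping is still required wherever the value is echoed into
// HTML; the URI whitelist reduces what can arrive but does not replace this.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$db = sample_db();

// Constructed segments: one valid, one containing HTML metacharacters, and one
// with an apostrophe. The last shows the caveat of the whitelist: a legitimate
// product name with a character outside the set is rejected at the URI layer.
$segments = ['White-Small-Cream-Box', 'White-Box<b>', "O'Reilly-Box"];

foreach ($segments as $seg) {
    if (!segment_is_permitted($seg)) {
        // CI answers here with its own HTTP 400 "disallowed characters" error;
        // this script only reports the rejection.
        printf("%-25s rejected: disallowed characters (HTTP 400)\n", $seg);
        continue;
    }
    $row = find_product($db, $seg);
    printf("%-25s accepted: %s\n", $seg,
        $row === null ? 'no such product' : 'found id ' . $row['id'] . ' -> ' . html($row['product_name']));
}
```

Run with `php example.php`. Only `White-Small-Cream-Box` reaches the query; `White-Box<b>` and `O'Reilly-Box` are stopped by the whitelist even though the latter exists in the table, which is the trade-off to keep in mind if product names can legitimately contain characters outside permitted_uri_chars. Note that global_xss_filtering is a separate, output-oriented filter: the segment whitelist and the bound parameter above are what keep the example safe regardless of that setting, and the htmlspecialchars() call is still needed when the name is rendered.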