Securing applications
#1

[eluser]Billy Khan[/eluser]
As a rule, I xss_clean all data passed into CodeIgniter from POST/GET forms and URLs.

Is this enough? Having done this and basic data validation, can I assume the application is as secure as it can be? Or should I also be escaping them using db->escape as well as native MySQL PHP functions?
#2

[eluser]Mark van der Walle[/eluser]
You should always escape data before inserting it into the database. Either by using active-record or db->escape_str().
#3

[eluser]manilodisan[/eluser]
It's never enough. Sometimes XSS cleaning will have to be disabled because you might want to keep the posted content intact (JavaScript tutorials?!). It's good to use a function to escape the queries at model level (when they are executed).
#4

[eluser]Negligence[/eluser]
Cleaning input is just one part of securing an application. You also need to make sure that all the values you're passing around (such as record IDs) are valid and belong to the right owner/user if necessary.

You need to make sure people can only access the pages they're allowed to. And the list goes on...

It's not enough to sanitize input and think your application is safe, although that seems to be common practice.
#5

[eluser]Billy Khan[/eluser]
I check for valid IDs etc. for users who like to alter URLs to see what happens.
I xss_clean as well as use Active Record; if Active Record isn't possible then I query bind.
I don't use db->escape_str() as I thought Active Record took care of that, is that correct?
#6

[eluser]drewbee[/eluser]
That is correct, Bohboh.

All of the following types are properly escaped automatically:

// Active Record builds the SQL itself and escapes every value in $data
$data = array('test' => 'bah');
$this->db->insert('table', $data);
$this->db->update('table', $data);
$this->db->delete('table', $data); // second argument is the WHERE condition

and of course binding...

// each "?" is replaced with the escaped value from the array, in order
$this->db->query("SELECT col FROM table WHERE col = ?", array('value'));
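An added example, not posted by anyone in this thread, that puts the points above into one CodeIgniter model: Active Record escaping for values, query binding where Active Record does not fit, and the ownership check on record IDs that Negligence describes. The table and column names (posts, id, user_id, title, body) and the class name are assumed; it targets the CodeIgniter 2.x Active Record API.

```php
<?php
// Added example, not code from the thread. Assumes a "posts" table with
// id, user_id, title and body columns. The lesson: xss_clean handles what
// goes to the browser, Active Record / binding handles what goes to SQL,
// and neither one checks that the row actually belongs to the caller.
class Post_model extends CI_Model
{
    // Fetch one post, but only if it belongs to $user_id (the logged-in
    // user). Active Record escapes both values; the user_id condition is
    // the authorisation check, which no amount of input cleaning replaces.
    public function get_owned($post_id, $user_id)
    {
        $query = $this->db->get_where('posts', array(
            'id'      => (int) $post_id,
            'user_id' => (int) $user_id,
        ));
        return $query->num_rows() === 1 ? $query->row() : NULL;
    }

    // Update the body of a post the user owns. The same ownership filter
    // sits in the WHERE clause; affected_rows() reports whether any row
    // matched, so a tampered id simply updates nothing.
    public function update_owned($post_id, $user_id, $body)
    {
        $this->db->where('id', (int) $post_id);
        $this->db->where('user_id', (int) $user_id);
        $this->db->update('posts', array('body' => $body));
        return $this->db->affected_rows() === 1;
    }

    // Where Active Record does not fit (a hand-written SELECT), query
    // binding escapes each "?" value the same way, as drewbee shows above.
    // The ownership filter is still part of the query, not an afterthought.
    public function search_owned($user_id, $term)
    {
        $sql = "SELECT id, title FROM posts WHERE user_id = ? AND title LIKE ?";
        $query = $this->db->query($sql, array((int) $user_id, '%' . $term . '%'));
        return $query->result();
    }
}
```

In the controller, read the search term with `$this->input->get('q', TRUE)` so xss_clean runs on the way in, and take `$user_id` from the session rather than from the request.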