Now I'm confused... (making user input safe)
#1

[eluser]timaksu[/eluser]
I keep running into more and more 'safety hazards' when collecting input from a user to be inserted into a database.

How exactly should I validate (for example) a comment post...?

XSS filtering, escaping, etc. ... it's too much.
#2

[eluser]oddman[/eluser]
Filtering and escaping you shouldn't have to worry about if you're creating the record using CI's ActiveRecord methods. Just ensure that you're doing that correctly.
#3

[eluser]timaksu[/eluser]
So far I've got this for inserting a comment into a database:
Code:
// Raw POST values; $this->input->post() returns FALSE when a field is absent.
$job_Id = $this->input->post('job_id');
$content = $this->input->post('content');
$author_id = $logged_in_user->id;   // $logged_in_user is set earlier in the controller

// Both fields must be present; use strict comparison so a literal "0" is not treated as missing.
if ($job_Id !== false && $content !== false)
{
        // Only attach the comment to a job that actually exists.
        if ($this->job_model->getViaId($job_Id) != null)
        {
                // Keys must match the variable names above ($author_id, $job_Id).
                $comment_details = array(
                'author_id' => $author_id,
                'job_id' => $job_Id,
                'text' => $content
                );

                // Active Record escapes the values when building the INSERT.
                $this->db->insert('comment', $comment_details);
        }
}

(The getViaId bit checks to see if the job exists. Each comment is assigned to a job, which would be the forum's equivalent of a thread.)

[quote author="oddman" date="1240473978"]Filtering and escaping you shouldn't have to worry about if you're creating the record using CI's ActiveRecord methods. Just ensure that you're doing that correctly.[/quote]

Can you expand on that? That's the sort of answer I'm getting from wherever I read.
Why shouldn't I need to filter + escape? And if I don't have to do any of that, what do I have to ensure I'm doing correctly??
#4

[eluser]oddman[/eluser]
Hi Tidus,

Have you had a read of: http://ellislab.com/codeigniter/user-gui...tml#insert ?

This details pretty much what you need to do, and as stated in the docs - CI's ActiveRecord will protect the data you're creating, without you having to do anything.

Hope that helps.

edit: PS - what you're doing is fine :)
#5

[eluser]timaksu[/eluser]
Well ok, thanks. Just a lot to be worried about 8-/

By the way, should I activate XSS filtering? I don't entirely understand what that is, either.

$data = $this->input->xss_clean($data);

or is that also handled?
#6

[eluser]oddman[/eluser]
XSS I'm fairly certain (but don't quote me on this) stands for cross-site scripting. What that means is, you don't want variables you can put in a form or via a URL being output to a page, unless it's protected from this sort of attack. Basically all you really have to do is encode all HTML entities, which I'm pretty sure xss_clean does. So no, for saving data you don't have to do that - but for output, you absolutely should - when the data is from an insecure source. Also, if you don't clean your data before input (i.e. you allow all sorts of characters), you need to be very careful with outputting that data.

Hope that helps.
#7

[eluser]Mike Ryan[/eluser]
EDIT: The forum code doesn't like my js tags. Replace parens with "greater than" and "less than".

Just adding some extra detail to oddman's post:

Let's say you have a user forum and one of your competitor websites is jealous of your community's membership levels. They could post a message on your forum containing the following:
Code:
Blah blah, some comment

(script type="text/javascript")
(!--
[removed] = "http://www.google.com/"
//-->
(/script)

Now, whenever someone views that post they will be redirected to mysite.com (assuming they have js enabled, of course :-) ). This is quite a benign example - it could include a frame with exploit code in an attempt to infect your users' computers, or read your cookies and post them to a remote server, etc.

Call me paranoid, but I treat ALL user input on my site as a hostile attempt to compromise my server or my users' computers.
#8

[eluser]n0xie[/eluser]
I think this should be simple common sense for ANY web developer.

1. Treat all data entered by users as 'tainted'. This includes SESSION and COOKIE data.
2. Validate all data input to make sure it is what you expect it to be
3. Sanitize all data input whenever you store it (DB/XML/JSON).
4. Escape all data input whenever working with a DB (CI AR does this for you).
5. Filter or Escape any data when outputting it (either to a browser, cookie, session or whatever).

There are zillions of articles about poor PHP security. This should be the first thing you learn whenever you want to write secure PHP code.

For some pointers read this article:
http://mavrck.com/blog/2009/04/05/keepin...te-secure/
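The validate / escape-for-the-DB / escape-for-the-browser sequence in the list above, as an added example that is not code from the thread or from CodeIgniter: it uses plain PDO with an in-memory SQLite table in place of CI's ActiveRecord so it runs on its own (assumes the pdo_sqlite extension; the function names are my own).

```php
<?php
// Added example (not from the thread): validate -> parameterise -> escape on output.
// Plain PDO + SQLite in memory stands in for CI's ActiveRecord; pdo_sqlite assumed.

// Steps 1-2: treat POST as tainted and accept only what we expect, before any DB work.
function validate_comment(array $post): ?array
{
    $jobId = filter_var($post['job_id'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $text  = isset($post['content']) ? trim((string) $post['content']) : '';
    if ($jobId === false || $text === '' || strlen($text) > 2000) {
        return null;   // fail closed; the caller shows a validation error
    }
    return ['job_id' => $jobId, 'text' => $text];
}

// Step 4: a prepared statement keeps the data out of the SQL text entirely.
// This is the same protection $this->db->insert() gives you in CI.
function store_comment(PDO $db, int $authorId, array $comment): int
{
    $stmt = $db->prepare('INSERT INTO comment (author_id, job_id, text) VALUES (:a, :j, :t)');
    $stmt->execute([':a' => $authorId, ':j' => $comment['job_id'], ':t' => $comment['text']]);
    return (int) $db->lastInsertId();
}

// Step 5: encode at output time, so the stored text stays verbatim and a
// <script> tag in a comment is shown as literal text instead of being run.
function render_comment(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample data: one comment carrying a script tag, as in Mike Ryan's post.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, author_id INT, job_id INT, text TEXT)');

$comment = validate_comment(['job_id' => '7', 'content' => "Blah blah <script>alert('x')</script>"]);
if ($comment !== null) {
    store_comment($db, 42, $comment);
}

// A non-integer job_id never reaches the database: it is rejected at step 2.
if (validate_comment(['job_id' => '7; DROP TABLE comment', 'content' => 'hi']) !== null) {
    throw new RuntimeException('validation should have rejected this job_id');
}

$row = $db->query('SELECT text FROM comment')->fetch(PDO::FETCH_ASSOC);
echo render_comment($row['text']), PHP_EOL;   // the script tag comes out entity-encoded
```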
