XSS Filtering did detect this!
#1

[eluser]Fierymind[/eluser]
Hi,

I have used Security Scan services from McAfee to scan one of my applications done with CI.

I have very small form, where the user put his domain name and system retrieve and send the login info to domain holder.

the "forgot password" POST to this function

Code:
function send_acct_num()
{
    $domain  = $this->input->post('account_domain', TRUE);   // TRUE = run the XSS filter on the value
    $account = $this->accounts->get_account($domain);        // DB query with active record done here
    // ... remainder of the function not shown in the post
}

but when McAfee sends
Quote:x';",)`
in the account_domain field, a raw error is displayed which shows some of the DB schema.

So what happened is that both the input XSS filter and Active Record did not clean the request? Is that expected?
#2

[eluser]Jelmer[/eluser]
First read up on what XSS means, for example on Wikipedia.

This isn't an XSS attack, this is a SQL injection attack. In order to know what the problem is we would need to see what your DB query looks like. I'm guessing you're not using AR but $this->db->query()? AR should prevent injection attacks.
#3

[eluser]Fierymind[/eluser]
I have to admit... this is the only query in the whole project that does not use AR!!
After converting to Active Record, the query is skipped, no schema gets displayed and McAfee is happy now :)
