Welcome Guest, Not a member yet? Register   Sign In
Striping malicious code from inputs
#1

[eluser]Craig Ward[/eluser]
Whats the best way to strip malicious data from inputs/textareas?

I have tried the following which doesn't seem to get any results
Code:
$this->form_validation->set_rules('comments', 'Comments', 'strip_tags|trim|xss_clean|htmlspecialchars|encode_php_tags');


But the following code works well.
Code:
$_POST['comments'] = htmlspecialchars(strip_tags(encode_php_tags($_POST['comments'])));

I was hoping the CI security helpers would be of use but they don't seem to be doing anything useful.

Whats the best way to implement this using CI 2.0?
#2

[eluser]Ochetski[/eluser]
Well... you are not using all CI can give you, for example language support on your field name or custom validation methods.


Not related but I also recommend you to use UTF-8 encoding to your DBs, Content-type and Header configs.
I've used htmlspecialchars sometime ago for japanese chars, but figured out that it just messed my chars, when you look for it on the database you have to transform the search also, and some computers/OS may have problems understanding all your chars.
#3

[eluser]Craig Ward[/eluser]
I realise I maybe using it incorrectly, as none of the "strip_tags|trim|xss_clean|htmlspecialchars|encode_php_tags" seem to work. What I am looking for is an example of what to implement to prevent malicious data being entered into input boxes.
#4

[eluser]Ochetski[/eluser]
To only clean malicious code you can use:
Code:
$data = $this->input->xss_clean($data);

This you were using will only works after you run like this:
Code:
$this->form_validation->set_rules('comments', 'Comments', 'strip_tags|trim|xss_clean|htmlspecialchars|encode_php_tags');
if($this->form_validation->run())
{
   # all rules passed ok (returned true)
} else {
   # any returned false
}


For more detailed explanation you can see here: http://ellislab.com/codeigniter/user-gui...ation.html
#5

[eluser]Craig Ward[/eluser]
This problem is I am still getting data I don't want.

for example.

If I enter the following into a text box
Code:
value="<?=$_POST['first_name'];?>"
<img src="http://ellislab.com/images/avatars/uploads/avatar_225565.png" />

and use the following validation in my controller
Code:
$this->form_validation->set_rules('comments', 'Comments', 'xss_clean|htmlspecialchars|strip_tags|encode_php_tags');

the $_POST data contains

Code:
["comments"]=> string(150) "value="&lt;?=$_POST['first_name'];?&gt;"

<img src="http://ellislab.com/images/avatars/uploads/avatar_225565.png" />"


What I actually want to get is the following

Code:
["comments"]=> string(150) "valuefirst_namehttpellislab.comimagesavatarsuploadsavatar_225565png"

Is there a function in codeigniter that I can use or am I going to have to create one?
#6

[eluser]Craig Ward[/eluser]
The best way around this I can find is the following

Code:
$_POST['comments'] = preg_replace("/[^a-zA-Z0-9\s]/", "", $_POST['comments']);
#7

[eluser]Ochetski[/eluser]
Thats right, you can try a regexp.

"/[a-zA-Z0-9 ._]/siU" should work, adding "." and "_" and replacing "\s" for " ". Because "\s" also matches "\t", "\r" and "\n". I guess you don't want tabulation and like breaks.

If you want to add this method as a validation of the form you can use callback functions also explained here: http://ellislab.com/codeigniter/user-gui...ation.html
#8

[eluser]Craig Ward[/eluser]
Excellent, just created a call back function and everything working Smile

Thanks for the help
#9

[eluser]Ochetski[/eluser]
Woohoo!
You're welcome.




Theme © iAndrew 2016 - Forum software by © MyBB