XSS attack
#1

[eluser]Volkscom[/eluser]
When I use the CodeIgniter security for preventing XSS attacks, it's not working properly...
I set $config['global_xss_filtering'] = TRUE in the application/config/config.php file and I used the Input class for getting the data, like $this->input->post('usname', TRUE);
But it is allowing the user to embed a malicious script into the generated page and execute it. For inserting the data into the database I used the CodeIgniter class, but it also inserts the malicious script, including HTML tags; it is not filtering the HTML tags and the special characters. How do I resolve this problem? Do I need to set any other variable?
Please reply soon.
#2

[eluser]Atharva[/eluser]
Please post your code in detail.
#3

[eluser]Volkscom[/eluser]
I'm using this function in the model:
function insert_electricbill($ip){

    // Decode the user name / mobile number kept (encrypted) in the PHP session
    $uid = "";
    if (!empty($_SESSION[$ip]['un']))
        $uid = $this->encrypt->decode($_SESSION[$ip]['un']);
    $mobile = "";
    if (!empty($_SESSION[$ip]['mob']))
        $mobile = $this->encrypt->decode($_SESSION[$ip]['mob']);

    // Dates arrive as dd/mm/yyyy; the TRUE flag runs xss_clean() on each value
    $billdt = explode("/", $this->input->post('entry_date', TRUE));
    $lastdt = explode("/", $this->input->post('ldate', TRUE));
    $this->section = $this->input->post('section', TRUE);
    //$this->section = htmlentities($this->section);
    $this->section = strip_tags($this->section);
    $this->consumer_no = $this->input->post('cno', TRUE);
    $this->name = $this->input->post('cname', TRUE);
    $this->bill_no = $this->input->post('bno', TRUE);
    $this->bill_dt = trim($billdt[2])."-".trim($billdt[1])."-".trim($billdt[0]);
    $this->bill_area = $this->input->post('barea', TRUE);
    echo $this->bill_area = strip_tags($this->bill_area); // debug output
    $this->last_dt = trim($lastdt[2])."-".trim($lastdt[1])."-".trim($lastdt[0]);
    $this->bill_amt = $this->input->post('bamount', TRUE);
    $this->net_amt = $this->input->post('namount', TRUE);
    $this->ipadd = $this->input->ip_address();
    $currdt = gmdate("Y")."-".gmdate("m")."-".gmdate("d");
    $ip = $this->input->ip_address();

    echo $this->section."----"; // debug output

    // Guest ("G") or registered ("R") user
    if (empty($uid)){
        $un = "";
        $usrtyp = "G";
    }
    else {
        $usrtyp = "R";
        $un = $uid;
    }

    // Does this bill already exist? (bound parameters here)
    $sql = "SELECT * FROM electricbill where consumer_no =? and bill_no =? ";
    $qry_result = $this->db->query($sql, array($this->consumer_no, $this->bill_no));

    if ($qry_result->num_rows() <= 0){

        // The INSERT concatenates the (unescaped) values straight into the SQL string
        $qry_insert = "INSERT INTO electricbill (usrtyp,un,section,consumer_no,name,bill_no,bill_dt,bill_area,last_dt,bill_amt,net_amt,ipadd,currdt) values('".$usrtyp."','".$un."','".$this->section."','".$this->consumer_no."','".$this->name."','".$this->bill_no."','".$this->bill_dt."','".$this->bill_area."','".$this->last_dt."','".$this->bill_amt."','".$this->net_amt."','".$this->ipadd."','".$currdt."')";

        $qry = $this->db->query($qry_insert);
        if ($qry){
            $fstid = $this->db->insert_id();
            $newtransid = $this->transid->transid_encode($fstid, "000", '08', '2010');
            $data_update = array("transid" => $newtransid);
            $where = array("pid" => $fstid);
            $str = $this->db->update('electricbill', $data_update, $where);
            $totamt = $this->input->post('namount');

        }
        else { echo "sfdhsfdshgjh"; } // debug output
    }
}
#4

[eluser]WanWizard[/eluser]
I think you're confused about what XSS filtering actually does.

It does NOT remove any HTML from the form field. It only strips some potentially dangerous code like JavaScript. If you don't want HTML as well, escape it using htmlentities().

Also, you're constructing your queries manually, instead of using the query builder (née active record). Which means you have to make sure all data is properly escaped before inserting it in the database (using mysql_real_escape_string, for example), which you don't.

And while we're on the topic of security: I see you're using $_SESSION. Which either means you're using standard PHP sessions, or a 3rd-party session library instead of CI's own session library. PHP sessions are, unless you've taken special precautions, absolutely not secure. In a shared server environment they are even dangerously insecure.
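The three points in the reply above (the XSS filter is not an HTML stripper, build the INSERT through the query builder so values are escaped, and use CI's session library rather than $_SESSION) put together in one model plus a view fragment. This is an added example, not the poster's code and not part of CodeIgniter; it assumes a CodeIgniter 2.x/3.x model where $this->db is the query builder, the electricbill table and column names from post #3, and that the CI session library is loaded and stores the user id under the key 'un'.

```php
<?php
// Added example (not the poster's code, not part of CodeIgniter). Assumes a
// CodeIgniter 2.x/3.x model, the 'electricbill' table and the column names
// used in post #3, and a loaded CI session library with the user id under 'un'.
class Electricbill_model extends CI_Model
{
    // Convert "dd/mm/yyyy" to "yyyy-mm-dd"; NULL if the input is not a date.
    // Validating here also avoids the undefined-index notices that explode()
    // on a malformed value would otherwise produce.
    private function ddmmyyyy_to_iso($s)
    {
        $p = explode('/', trim((string) $s));
        if (count($p) !== 3 || !ctype_digit($p[0] . $p[1] . $p[2])) {
            return NULL;
        }
        if (!checkdate((int) $p[1], (int) $p[0], (int) $p[2])) {
            return NULL;
        }
        return sprintf('%04d-%02d-%02d', $p[2], $p[1], $p[0]);
    }

    // Returns the new row id, or FALSE if the bill already exists or a date
    // is malformed.
    public function insert_electricbill()
    {
        // CI session instead of $_SESSION; userdata() is empty when not set.
        $uid = $this->session->userdata('un');
        $usrtyp = $uid ? 'R' : 'G';

        $bill_dt = $this->ddmmyyyy_to_iso($this->input->post('entry_date', TRUE));
        $last_dt = $this->ddmmyyyy_to_iso($this->input->post('ldate', TRUE));
        if ($bill_dt === NULL || $last_dt === NULL) {
            return FALSE;
        }

        // Values are handed to the builder as data, not spliced into SQL text,
        // so quotes or SQL fragments inside a field cannot change the query.
        // The TRUE flag still runs xss_clean(), but that does NOT strip HTML;
        // HTML is neutralised at output time in the view (below).
        $row = array(
            'usrtyp'      => $usrtyp,
            'un'          => $uid ? $uid : '',
            'section'     => $this->input->post('section', TRUE),
            'consumer_no' => $this->input->post('cno', TRUE),
            'name'        => $this->input->post('cname', TRUE),
            'bill_no'     => $this->input->post('bno', TRUE),
            'bill_dt'     => $bill_dt,
            'bill_area'   => $this->input->post('barea', TRUE),
            'last_dt'     => $last_dt,
            'bill_amt'    => $this->input->post('bamount', TRUE),
            'net_amt'     => $this->input->post('namount', TRUE),
            'ipadd'       => $this->input->ip_address(),
            'currdt'      => gmdate('Y-m-d'),
        );

        // Duplicate check through the builder as well (bound, escaped values).
        $dup = $this->db->where('consumer_no', $row['consumer_no'])
                        ->where('bill_no', $row['bill_no'])
                        ->count_all_results('electricbill');
        if ($dup > 0) {
            return FALSE;
        }

        if (!$this->db->insert('electricbill', $row)) {
            return FALSE;
        }
        return $this->db->insert_id();
    }
}

// --- In the view (e.g. application/views/bill_row.php), not the model ---
// Escape when rendering: this is the step that stops stored HTML from being
// treated as markup, whatever reached the database. html_escape() is CI's
// wrapper around htmlspecialchars(); the plain-PHP equivalent is
//   htmlspecialchars($bill->section, ENT_QUOTES, 'UTF-8')
// A stored value of "<b>Zone 7</b>" is shown as that literal text, not bold.
//
// echo '<td>' . html_escape($bill->section) . '</td>';
// echo '<td>' . html_escape($bill->bill_area) . '</td>';
```

The division of labour is the point: the database layer escapes for SQL (query builder), the view escapes for HTML (html_escape / htmlspecialchars), and xss_clean() is an extra filter rather than a substitute for either. strip_tags() on the way in, as in the original model, is optional and not a replacement for escaping on the way out, since tag-free text can still contain quotes and ampersands that matter inside attributes.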




Theme © iAndrew 2016 - Forum software by © MyBB