permitted_uri_chars in application/config.php not working [serious vulnerability]
#7

[eluser]Keat Liang[/eluser]
Code:
$this->db->limit($limit, $offset);

belongs to Active Record, and it should automatically escape the value.

I am protecting the search variable because it is used in a custom where clause:
Code:
$this->db->where("(user_id  LIKE '%$like_str%' OR
                 username LIKE '%$like_str%' OR
                 name     LIKE '%$like_str%')");
Because a custom where clause is not escaped, manual escaping is required.

The where clauses below are escaped automatically,
since the user guide says:
http://ellislab.com/codeigniter/user-gui...ecord.html
Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system

Code:
// auto escape, yay!
$this->db->where('name', $name);
$this->db->where('name !=', $name);

$array = array('name' => $name, 'title' => $title, 'status' => $status);
$this->db->where($array);

// but not this
$this->db->limit($limit, $offset); // does not escape

Combining both: the URI exploit allows some illegal characters, and the limit function does not escape the value,
yet other people assume it is safe....

CI still awesome !

Sorry for my poor English :)
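The two points made in the post, a custom where() string that Active Record passes through untouched and a limit/offset pair taken from the URI, side by side with a hardened version. This is an added example, not code from the post above or from the CodeIgniter project; it assumes a CodeIgniter 2.x application on the MySQL driver, and the model name, controller name, table and column names, method names and the `q` query parameter are assumptions for illustration. The model and controller are shown together here; in an application they live in separate files.

```php
<?php
// Added example, not code from the original post or from CodeIgniter itself.
// Assumes a CodeIgniter 2.x application on the MySQL driver; the model name,
// table name, column names and method names are assumptions for illustration.
class User_model extends CI_Model
{
    // Vulnerable form, as in the post: the raw search term is interpolated
    // into a custom where() string, which Active Record passes through
    // untouched, and the limit/offset come straight from the URI.
    public function search_unsafe($like_str, $limit, $offset)
    {
        $this->db->where("(user_id  LIKE '%$like_str%' OR
                           username LIKE '%$like_str%' OR
                           name     LIKE '%$like_str%')");
        $this->db->limit($limit, $offset);
        return $this->db->get('users')->result();
    }

    // Hardened form of the same query.
    public function search_safe($like_str, $limit, $offset)
    {
        // escape_like_str() escapes quotes and also the LIKE wildcards
        // '%' and '_', so a term such as "a%" cannot match every row; the
        // '%' we add around it ourselves remain real wildcards.
        $term = $this->db->escape_like_str($like_str);

        // The custom string is kept so the OR chain stays parenthesised
        // (CI 2.x has no group_start()), but now only the escaped term goes in.
        $this->db->where("(user_id  LIKE '%{$term}%' OR
                           username LIKE '%{$term}%' OR
                           name     LIKE '%{$term}%')");

        // Do not rely on limit() to sanitise: cast to int ourselves, so a
        // URI value such as "1 UNION SELECT password FROM users" becomes 1.
        $limit  = max(1, min(100, (int) $limit));
        $offset = max(0, (int) $offset);
        $this->db->limit($limit, $offset);

        return $this->db->get('users')->result();
    }
}

// Controller side (assumed name): reject non-numeric paging values before
// they reach the model instead of relying on permitted_uri_chars alone.
class Users extends CI_Controller
{
    public function search($page = '0')
    {
        if ( ! ctype_digit((string) $page))
        {
            show_404();
        }
        $this->load->model('user_model');
        $q    = (string) $this->input->get('q', TRUE);
        $rows = $this->user_model->search_safe($q, 20, (int) $page * 20);
        $this->load->view('users/search', array('rows' => $rows));
    }
}
```

On the MySQL driver in CI 2.x, `escape_like_str()` prefixes `%` and `_` with a backslash, which MySQL treats as the default LIKE escape character, so no `ESCAPE` clause is needed here; other drivers may differ, which is why the Active Record `like()` / `or_like()` calls, which add the driver's own escape clause, are preferable when the parenthesised grouping is not required.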


Messages In This Thread
permitted_uri_chars in application/config.php not working [serious vulnerability] - by El Forum - 06-16-2011, 11:07 AM