Best way of safely outputting user submitted content
#1

[eluser]jakub[/eluser]
Today I found myself trying to think, what if for some reason my code is sql injected and a comment or a user post starts loading javascript or does something else.

I want to be able to sanitize output. Apart from my input security, is there something I should consider like:

Code:
sanitize_output($post['comment']);

or does CI handle this for me? I'm stripping things like common tags, but I'm concerned what if someone uses Cyrillic or alphabet to inject something.

Guess I'm looking for best case of outputting user content, I'm already securing the input/submit, I want to make sure the output is handled as well.

Thanks!
#2

[eluser]Aken[/eluser]
If you sanitize the input before you save it, you won't need to worry about the output.
#3

[eluser]jakub[/eluser]
[quote author="Aken" date="1328566958"]If you sanitize the input before you save it, you won't need to worry about the output.[/quote]

Alright but case-in-point, what if I'm hit with a mysql injection attack, and data IS changed. I'm still asking is there a CI method to sanitize/clean output.

I'm not looking for reasons not to do it.
#4

[eluser]InsiteFX[/eluser]
Never, never, never trust user input!
Just use CI's input->post and xss_clean see the TRUE
Code:
$input  = $this->input->post('post', TRUE);
$output = $this->input->post('comment', TRUE);

CodeIgniter User Guide - Security Class

CodeIgniter User Guide - Input Class
#5

[eluser]CroNiX[/eluser]
The only one I know of is $this->security->xss_clean(), but that is the exact same thing as cleaning the input going in with xss_clean, so I don't think it would really provide any extra benefit. Beyond that, you'd have to create your own if it is a concern.
#6

[eluser]jakub[/eluser]
[quote author="InsiteFX" date="1328578057"]Never, never, never trust user input!
Just use CI's input->post and xss_clean see the TRUE
Code:
$input  = $this->input->post('post', TRUE);
$output = $this->input->post('comment', TRUE);

CodeIgniter User Guide - Security Class

CodeIgniter User Guide - Input Class
[/quote]

@InsiteFX, I know about
Code:
$this->input->post()
My question is specifically aimed at output WAYYY after being entered into the DB, it's strictly from a 'cover all bases' perspective.
#7

[eluser]Aken[/eluser]
The most you can do is remove everything that should not be saved to the database. But you should be doing it before it is ever saved, in which case you should never need to do it again. It would just be redundant.
#8

[eluser]theshiftexchange[/eluser]
[quote author="jakub" date="1328592979"]
My question is specifically aimed at output WAYYY after being entered into the DB, its strictly from a 'cover all bases' perspective.[/quote]

If it got into your DB - then you probably no longer have a DB left to worry about what it might output.

And besides, if you can't trust your own DB data - how can you write code to try to determine if your own data is valid - when you have nothing to validate against (being the DB itself)?
#9

[eluser]xerobytez[/eluser]
Generally the only thing you need to worry about with user data that you are echoing is the possibility of executing malicious javascript, which can lead to XSS (cross site scripting attacks) and cookie theft. I've always defended against these attacks by running all of my user's data to be echoed through htmlspecialchars() or htmlentities(). Hope this helps.
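The escape-on-output approach from the answer above, as an added example that is not part of the thread or of CodeIgniter itself. It assumes a helper named e() (this example's own, not a CI function) and uses a constructed $rows array standing in for comments read back from the database; the flags address the Cyrillic/UTF-8 concern raised in the question.

```php
<?php
// Added example (not from the thread or CodeIgniter): escape at the point of
// output, regardless of what sanitising happened when the data was submitted.

// Escape a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES escapes both ' and " so the value is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
// returning '' (the default), so a comment with bad bytes is not silently lost;
// 'UTF-8' keeps multibyte text such as Cyrillic intact while still converting
// the HTML metacharacters < > & ' and " to entities.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed rows, as if returned by $this->db->get('comments')->result_array().
// The second row is what a record looks like if markup reached the table by any
// route (a missed filter, another application writing to the same database).
$rows = [
    ['author' => 'Иван',              'comment' => 'Привет <3'],
    ['author' => 'x" onmouseover="1', 'comment' => '<script>alert(1)</script>'],
];

foreach ($rows as $row) {
    // Both the attribute context and the text context go through e(), so the
    // stored markup is shown literally rather than interpreted by the browser.
    echo '<div class="comment" data-author="' . e($row['author']) . '">' . "\n";
    echo '  <p>' . e($row['comment']) . '</p>' . "\n";
    echo "</div>\n";
}
```

In a CI view the same call wraps every echoed field; values placed inside JavaScript or URLs need their own context-specific encoding, which htmlspecialchars() does not provide.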