[eluser]Unknown[/eluser]
Yeah, I assumed I would just have to do some checking myself by preg_matching for the usual stuff, backticks and quotes and comment markers. Figured I'd ask to see if there was anything obvious that I was missing; the series of Google searches I was on was starting to look like a wild goose chase.
If my understanding of it so far is correct, I can at least compare
Code:
$this->input->post('variable', TRUE) !== $this->input->post('variable', FALSE)
as a way to check to see if the XSS filter ran into something on that particular item. I guess the nearest cousin on the database side is to compare $posted_str with
Code:
$this->db->escape_str($posted_str)
but I'm not sure that that would be kosher outside of the model context. Plus, it'd only be helpful if it is an input that would normally not contain something that gets escaped, like inputs that should always be only positive integers or alphanumeric strings.
I just want, if at all possible, to avoid hopping outside of the database methods and performing checks that will not work the same if the site is moved to a different database engine (e.g. from MySQL to Postgres).
Logging would be a simple matter by comparison: log to a table with the relevant details when the controller gets a positive match, increment a field in the user model (if they're logged in), and add a warning to the view that gets loaded. I would probably have to tweak the sensitivity as I go, since I'll be adding a few things like user profiles to the game.
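One way to put the two checks from this post together, as an added example in PHP (not the poster's code and not part of CodeIgniter): it assumes the raw and XSS-cleaned values were already collected with the two `$this->input->post()` calls, and the field names and per-field patterns are hypothetical. A whitelist per field is engine-independent, unlike comparing against `escape_str()`, so it answers the portability concern above.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// Check (1): did the XSS filter change a value?  Check (2): does a field that
// should only ever be a positive integer or an alphanumeric token look like one?
// Check (2) is a whitelist, so it behaves the same whatever database is behind the model.

/** Whitelist per field (hypothetical field names for a game site). */
const FIELD_RULES = [
    'player_id' => '/\A[1-9][0-9]{0,9}\z/',     // positive integer only
    'nickname'  => '/\A[A-Za-z0-9_]{3,20}\z/',  // alphanumeric handle
    'bio'       => null,                        // free text: only the XSS comparison applies
];

/**
 * $raw   : field => value as posted, e.g. $this->input->post($f, FALSE) in CodeIgniter
 * $clean : field => value after the XSS filter, e.g. $this->input->post($f, TRUE)
 * Returns one log record per suspicious field; an empty array means all is well.
 */
function find_suspicious_input(array $raw, array $clean, array $rules, ?int $user_id = null): array
{
    $records = [];
    foreach ($rules as $field => $pattern) {
        $value   = $raw[$field] ?? '';
        $reasons = [];
        if (!is_string($value)) {          // arrays or nested input are never expected here
            $reasons[] = 'not_a_string';
            $value = '';
        }
        // (1) The XSS filter rewrote the value, so it contained something it objected to.
        if (($clean[$field] ?? '') !== $value) {
            $reasons[] = 'xss_filter_changed';
        }
        // (2) The value fails the whitelist for this field.
        if ($pattern !== null && preg_match($pattern, $value) !== 1) {
            $reasons[] = 'whitelist_mismatch';
        }
        if ($reasons) {
            $records[] = [
                'field'   => $field,
                'value'   => substr($value, 0, 200),   // keep the evidence, bound its size
                'reasons' => $reasons,
                'user_id' => $user_id,
                'when'    => date('c'),
            ];
        }
    }
    return $records;
}

// Constructed sample request: nickname is fine, player_id carries a quote and a
// comment marker, and bio was altered by a simulated XSS filter.
$raw   = ['player_id' => "7' --", 'nickname' => 'alice_01', 'bio' => 'hi <script>x</script>'];
$clean = ['player_id' => "7' --", 'nickname' => 'alice_01', 'bio' => 'hi [removed]x[removed]'];
print_r(find_suspicious_input($raw, $clean, FIELD_RULES, 42));
```

In a controller the returned records are what goes into the log table and drives the per-user counter the post describes; the `value` column is truncated so a large payload cannot bloat the log.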