I hesitate to post this...
#1

[eluser]Jesse Schutt[/eluser]
I hesitate to post this because I am such an absolute newb to php and codeigniter.

I am building an app that will (hopefully) allow users to purchase tickets to an event. We need to collect the basics, (name, address, phone, email, etc) as well as let them specify the number of tickets they would like to purchase. At that point I would like to transfer the user to Paypal to complete the payment.

My first question is this - Can you please help me use the xss clean function to make sure this is as secure as possible?

Thanks Much

Jesse

PS - I can post the code I have so far, if it would help.
#2

[eluser]John Fuller[/eluser]
There are a bunch of ways to do this. Probably the most simple way is to do this...

Code:
$this->input->post('some_data', TRUE);

This would grab your post info and the TRUE parameter tells the system to clean. Read here for more info.

This is pretty basic as you mentioned, which is fine. However, you need to read through the docs thoroughly if you are to be successful with CI.
#3

[eluser]Jesse Schutt[/eluser]
Thanks much for the response.

Quote: However, you need to read through the docs thoroughly if you are to be successful with CI.

Like I said, I am totally new to CI and to PHP, so I am still trying to glean enough information to even understand what I am reading in the docs.
#4

[eluser]John Fuller[/eluser]
Absolutely, but I would still look through every page in the docs just to get a basic overview. I am still a noob myself. It helps tremendously to know what is already there. How many times have you cursed yourself thinking about how to do something with EE when you see that it is a simple feature already provided. Wink

Just sayin... if you don't know about the XSS filtering then you probably wasted time (that you have little of) wondering about it when it is within easy reach in the docs. So reading through all the docs will help you get that app pushed out faster.
#5

[eluser]Michael Wales[/eluser]
The absolute most simple way is to just turn on global XSS filtering within config.php. I do it on all of my applications and it works like a charm. The overhead is minimal, virtually the same as if you manually added xss_clean to all of your input fields.
#6

[eluser]Edemilson Lima[/eluser]
Does this automatic XSS Clean look into the $_POST array to see if something was posted or not? Because it could only do the clean in the $_POST array if there is something in it, there is no need to manually clean each field in your application. The framework will do this for you nicely and I am sure will not have any perceived overhead. As you said the overhead is minimal, I think that is the way it works.
#7

[eluser]Nanodeath[/eluser]
This brings up an interesting question I have. So I escape any and all data I put into the database that comes from the user/form/get/post, but what needs to be XSS cleaned? Anything that the user submits that may get outputted directly to a page somewhere? Or something else?
#8

[eluser]Edemilson Lima[/eluser]
The XSS filter may not block every attack, so it is very recommended that you escape everything that comes from $_GET, $_POST or $_COOKIE and quote all data that you put into your queries, because most of the attacks come from adding extra fields to the query string. For example:

Code:
select * from users where id=$_POST[user_login] and password='$_POST[user_pass]'

If you don't quote this and the $_POST[user_login] sent by the user is "mylogin or 1", your query will accept any login as valid. But it will be worse if you don't quote the $_POST[user_pass]. In this case "mypass or 1" will accept any password.

Well, this is a simple example. The attack can be much more elaborate and, depending on the account permissions, be able to change the server password...
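The quoting advice in the post above, as an added example that is not from the thread or from CodeIgniter itself: the interpolated query beside a parameterised one, run against an in-memory SQLite table. It assumes PHP with the pdo_sqlite extension; the table, its one row and the inputs are constructed for the demo.

```php
<?php
// Added example (not from the thread): the unquoted, interpolated query from
// the post beside its bound form. Stand-alone with PHP's PDO + SQLite.

// Constructed sample data (not a real account).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, user_login TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'correct-horse')");

// The pattern the post warns about: request values dropped straight into SQL.
function vulnerable_sql(string $id, string $pass): string
{
    return "select * from users where id=$id and password='$pass'";
}

// Hardened: placeholders, so the driver quotes the values and the query text
// never changes shape. In CodeIgniter the equivalent is
//   $this->db->query('select * from users where id=? and password=?', array($id, $pass));
function safe_lookup(PDO $pdo, string $id, string $pass): array
{
    $stmt = $pdo->prepare('select * from users where id=? and password=?');
    $stmt->execute([$id, $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input in the spirit of the post's "mylogin or 1".
$injected = '1 or 1=1';

// 1) The interpolated text now reads  id=1 or 1=1 and password='anything',
//    and AND binds tighter than OR, so the password check no longer matters.
echo vulnerable_sql($injected, 'anything'), PHP_EOL;
$rows = $pdo->query(vulnerable_sql($injected, 'anything'))->fetchAll(PDO::FETCH_ASSOC);
echo 'interpolated query matched ', count($rows), " row(s)\n";   // 1: bypassed

// 2) The bound version treats the whole input as one id value; nothing matches,
//    while a genuine id/password pair still does.
echo 'bound query matched ', count(safe_lookup($pdo, $injected, 'anything')), " row(s)\n";   // 0
echo 'bound query matched ', count(safe_lookup($pdo, '1', 'correct-horse')), " row(s)\n";    // 1
```

Global XSS filtering (the config.php switch mentioned earlier in the thread) does not change either result: it is about what reaches the browser, and the query shape is only protected by binding or escaping.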

Theme © iAndrew 2016 - Forum software by © MyBB