Do I really need to sanitize input from URL?
#1

[eluser]wildgoatcheese[/eluser]
Hi,

I am writing SQL queries in CodeIgniter that use variables from URL. So, example:

URL/page/id

Code:
SELECT *
FROM table
WHERE id=$id

As a test I put a ' escape character in my URL and CodeIgniter gives the message "The URI you submitted has disallowed characters."

So I am wondering, do I really need to escape these variables? CodeIgniter seems to be handling this already. Thank you.
#2

[eluser]PravinS[/eluser]
For security reasons CodeIgniter has disallowed some characters; check the config.php file for this option:

Code:
$config['permitted_uri_chars']

You can append the characters that you require.


#3

[eluser]wildgoatcheese[/eluser]
Actually, I prefer it if CodeIgniter disallows these characters. I am wondering if I still need to escape the variables in the SQL query with $this->db->escape($id), since CodeIgniter is already forbidding harmful characters from passing through the URL.

Thanks.
#4

[eluser]CroNiX[/eluser]
If you use Active Record, they get escaped going in.
#5

[eluser]wildgoatcheese[/eluser]
I'm writing straight SQL queries with $query = $this->db->query(' SELECT ...'). It seems I don't need to escape variables since apostrophes can't pass through URLs. Not sure if there is a way for a hacker to circumvent it.
#6

[eluser]CroNiX[/eluser]
If you're not using active record, you should manually escape all input.
#7

[eluser]soupli[/eluser]
Read up on this article; maybe it helps you with making such decisions in the future.

http://web.securityinnovation.com/appsec...-Malicious
#8

[eluser]jonez[/eluser]
[quote author="wildgoatcheese" date="1378598800"]I'm writing straight SQL queries with $query = $this->db->query(' SELECT ...'). It seems I don't need to escape variables since apostrophes can't pass through URLs. Not sure if there is a way for a hacker to circumvent it. [/quote]
Using straight SQL without escaping input is a really bad idea. Typically when someone tries an SQL injection they will submit special strings through forms, such as a login or search form. Apostrophes can pass through URLs: when someone submits a form with name="D'ni" it is encoded as part of the URL, then decoded by CI, so putting a ' in the URL bar doesn't simulate an injection attempt.

If you don't sanitize your input, eventually a bot will find you. When it does, your only option will be to take down your site and manually fix every single DB query that is not escaped.

CI makes parametrized queries easy, even if you don't want to use Active Record or an ORM.

Here's an example:
Code:
$sql = "
SELECT
  c.*,
  s.name AS state_name,
  cs.name AS country_name
FROM
  clients c
  LEFT JOIN states s ON c.state_id = s.id
  LEFT JOIN countries cs ON c.country_id = cs.id
WHERE
  c.id = ?
";

$query = $this->db->query($sql, array($client_id))->row_array();
return $query;
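
A fuller CodeIgniter version of the point above, added here as an example that is not from the thread: it assumes CI 2.x/3.x with the database library loaded and a hypothetical `clients` table with `id` and `name` columns, and shows that the query layer, not `permitted_uri_chars`, is what keeps URL and form values from being read as SQL.

```php
<?php
// Added example (not from the thread). Hypothetical model for a `clients`
// table with `id` and `name` columns; assumes CodeIgniter 2.x/3.x with the
// database library loaded ($this->load->database()).
class Client_model extends CI_Model
{
    // For /clients/view/42 the id should be an integer, so force the type
    // and reject anything that is not a positive id. permitted_uri_chars
    // only filters the URI path; it is not a SQL defence, and the same value
    // can also arrive via POST or a query string, which it never touches.
    public function get_by_id($id)
    {
        $id = (int) $id;            // "42abc" -> 42, "abc" -> 0
        if ($id <= 0) {
            return null;
        }
        // Each ? is replaced by the escaped, quoted value when the query is
        // compiled, so $id can only ever be a number here.
        $sql   = "SELECT * FROM clients WHERE id = ?";
        $query = $this->db->query($sql, array($id));
        return $query->row_array();   // null if no row matched
    }

    // Free text from a form (e.g. $this->input->post('name')). Binding passes
    // the value as data, so a name such as D'ni is matched literally and the
    // apostrophe never terminates the SQL string.
    public function find_by_name($name)
    {
        $sql = "SELECT id, name FROM clients WHERE name = ?";
        return $this->db->query($sql, array($name))->result_array();
    }

    // If you really must build the string yourself, $this->db->escape() adds
    // the surrounding quotes and escapes the value; the one thing you must
    // never do is interpolate $name directly, as in "... WHERE name = '$name'".
    public function find_by_name_escaped($name)
    {
        $sql = "SELECT id, name FROM clients WHERE name = " . $this->db->escape($name);
        return $this->db->query($sql)->result_array();
    }
}
```

Rule of thumb for the thread's question: cast or bind every value that reaches `$this->db->query()`, and treat `permitted_uri_chars` purely as a URI hygiene setting.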



