SQL Injection handling in Code Igniter
#1

[eluser]ReSTe[/eluser]
Good Morning,

I'm a student at Politecnico in Milan - Computer Science... I need to know for my 3rd year thesis project (I'll have the discussion on the 3rd of March :D) how CodeIgniter handles SQL injection attacks. I know that if you use Active Records you'll be secure from SQL injection attacks... but what I want to know (if possible) is how Active Records can prevent these attacks. I ask that because I also know how CI handles XSS attacks (I read the guide) but there was no info about SQL injection attacks...

Thank you very much guys...

Greetings from Italy...

Matteo.


PS: Maximum support to this framework, it's fantastic :)
#2

[eluser]uniacid[/eluser]
Hello, CI supports XSS filtering; if you read the user guide completely you should have seen it talked about:

Quote:XSS Filtering

CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.

To filter data through the XSS filter use this function:
$this->input->xss_clean()

Here is a usage example:
$data = $this->input->xss_clean($data);

If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:
$config['global_xss_filtering'] = TRUE;

Note: If you use the form validation class, it gives you the option of XSS filtering as well.

So you see, you can have CI automatically filter all input in your config, or apply the XSS filter manually while doing validation on your input fields.
#3

[eluser]ReSTe[/eluser]
Yeah, I know that and I've used XSS filtering in my web application. But I also read on the forum that I will prevent SQL injection attacks with Active Records...

So are you telling me that SQL injection attacks are also prevented by XSS filtering? So if I enable automatic XSS filtering, will I also prevent SQL injection attacks even if I don't use Active Records?


Thank you for the reply :)
#4

[eluser]Pascal Kriete[/eluser]
No, there are two functions that you can use: escape and escape_str. They can be found here.
#5

[eluser]uniacid[/eluser]
Bueno, maybe this will help with your SQL injection question: CI automatically handles the escaping for all Active Record queries for you (assuming you're using the Active Record class).

But you can also escape manually like so:


Quote:Escaping Queries

It's a very good security practice to escape your data before submitting it into your database. CodeIgniter has two functions that help you do this:

1. $this->db->escape() This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to: $sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";
2. $this->db->escape_str() This function escapes the data passed to it, regardless of type. Most of the time you'll use the above function rather than this one. Use the function like this: $sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";
#6

[eluser]ReSTe[/eluser]
OK, I understood.

But how do escape / escape_str / Active Records prevent SQL injections? Simply by searching for possible "attack queries" when analyzing input data?


Thank you!
#7

[eluser]xwero[/eluser]
If you look at the Running Queries page of the user guide you see there are two methods for escaping input. You can find escape_str in every database/drivers/*/*_driver file around line 246. If you look at the if/else branch of the mysql_driver there are three native PHP functions you can use to escape input: mysql_real_escape_string, mysql_escape_string and addslashes.

Addslashes is the most invasive function because it places slashes wherever a meta-character (single quote, double quote and backslash) is found. If you are not careful you end up with a string like: it\\\\\\'s me.

mysql_real_escape_string and mysql_escape_string are the smarter functions. mysql_escape_string is deprecated from 4.3.0 but it's still in for people that run lower versions. mysql_real_escape_string takes the connection id as an argument to escape the string using the character set of the database.

If you do a search for the escape methods you'll find them in the AR class.
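To make the two posts above concrete (uniacid's escape()/escape_str() quote and xwero's explanation of what the driver does with the string), here is an added example that is not code from this thread or from CodeIgniter's own drivers. It runs stand-alone with PDO and an in-memory SQLite database: PDO::quote() stands in for $this->db->escape(), and a prepared statement with a ? placeholder stands in for CI's query bindings ($this->db->query($sql, array(...))). The title "it's me" is a constructed input, chosen because it contains a quote character without being an attack string.

```php
<?php
// Added example, not code from the thread or from CodeIgniter's drivers.
// PDO + in-memory SQLite stands in for CI's database layer so it runs
// anywhere PHP with pdo_sqlite is installed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed user input: an ordinary title that happens to contain a quote.
$title = "it's me";

// 1. Plain concatenation: the quote inside the data ends the SQL string
//    literal early, so whatever follows in the data is parsed as SQL.
try {
    $db->exec("INSERT INTO posts (title) VALUES('" . $title . "')");
    echo "unescaped    : inserted (unexpected)\n";
} catch (PDOException $e) {
    echo "unescaped    : query broken by the data -> " . $e->getMessage() . "\n";
}

// 2. Escaped value (CI: $this->db->escape($title)). Escaping does not search
//    for "attack queries"; it rewrites each metacharacter so the parser keeps
//    it inside the literal. Like escape(), quote() adds the surrounding quotes.
$db->exec("INSERT INTO posts (title) VALUES(" . $db->quote($title) . ")");

// 3. Query binding (CI: $this->db->query('INSERT ... VALUES(?)', array($title))).
//    The value never becomes part of the SQL text, so nothing needs escaping.
$stmt = $db->prepare('INSERT INTO posts (title) VALUES(?)');
$stmt->execute(array($title));

// Both safe paths stored the title exactly as the user typed it.
foreach ($db->query('SELECT id, title FROM posts') as $row) {
    echo $row['id'] . ': ' . $row['title'] . "\n";
}

// Why escaping must happen exactly once: backslash-style escapers
// (addslashes and the mysql_* functions) compound when applied repeatedly,
// which is how a string like the "it\\\\\\'s me" xwero mentions arises.
$once  = addslashes($title);   // it\'s me
$twice = addslashes($once);    // it\\\'s me
echo "escaped once : $once\n";
echo "escaped twice: $twice\n";
// So escape at the point the query is built, not on raw input in advance,
// and never escape a value that is also going to be bound.
```

The first INSERT fails with a syntax error, which is the benign face of the same mechanism an injection relies on: data was read as SQL. The escaped and bound versions both insert the literal text, and the bound form is the one that needs no escaping at all, which is what Active Record does for you behind the scenes.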
#8

[eluser]Negligence[/eluser]
While on this topic, it would be nice to have CI (in the future) use prepared statements and bindings, instead of using mysql_real_escape_string() (for MySQL) to handle injection concerns for all databases.
#9

[eluser]adaxa[/eluser]
So, what is the conclusion?
If I use Active Records, am I safe against SQL injections?
#10

[eluser]Molchy[/eluser]
Hi,

I am creating my own CMS system and found XSS filtering to be good CodeIgniter security.

My question is:
- I enable it in the config with TRUE.

Then does it automatically detect any POST or GET and filter it out? But I don't use the form helper, so does it detect normal $_POST['some_data'] ...

Thanks