How to use CSRF & XSS ?

For security I want to use CSRF / XSS.
What I have tried:

CSRF
1. Enabled $config['csrf_protection'] = TRUE; in autoload.php
2. Used <?php echo form_open(base_url().'admin'); ?> ~ which will use CSRF when we use form_open @csrf
If anything is missing, point it out.

XSS
1. $autoload['helper'] = array('url','file','form','html','active_class','security'); ~ not sure this method is right
2. Added $this->load->helper('security'); at function __construct() AND for inserting data with xss_clean I used the following:

    $form_data = array(
        'category_name'        => $this->security->xss_clean($_POST['category_name']),
        'category_image'       => $this->security->xss_clean($final_name),
        'category_description' => $this->security->xss_clean($_POST['category_description']),
        'parent_category'      => $this->security->xss_clean($_POST['parent_category']),
        'is_featured'          => $this->security->xss_clean($_POST['is_featured']),
        'status'               => $this->security->xss_clean($_POST['status'])
    );

If anything is missing, let me know guys.
Hi, you are on the right track with CSRF. However, xss_clean should not be used, you should use the validation filter for input and use html_escape on output.
https://codeigniter.com/user_guide/insta...ation-rule

(03-21-2020, 04:26 AM) jreklund Wrote:
    Hi, you are on the right track with CSRF. However, xss_clean should not be used, you should use the validation filter for input and use html_escape on output.

Have used form_validation like this:

    $this->form_validation->set_rules('category_name', 'Category Name', 'trim|required');
    //$this->form_validation->set_rules('category_image', 'Category Image', 'trim|required');
    $this->form_validation->set_rules('is_featured', 'Featured', 'trim|required');
    $this->form_validation->set_rules('status', 'Status', 'trim|required');
Okay, for e.g. status, is that a checkbox? With just a number? If so apply integer/numeric, so that people can't submit any other value than you expect. You should only accept the value that you need and turn down everything else.
Therefore they can't add for example JavaScript code.
https://codeigniter.com/user_guide/libra...-reference

(03-21-2020, 08:03 AM) jreklund Wrote:
    Okay, for e.g. status, is that a checkbox? With just a number? If so apply integer/numeric, so that people can't submit any other value than you expect. You should only accept the value that you need and turn down everything else.

status is a select option ~ enable / disable
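Putting the advice from this thread together (whitelist validation rules on input, html_escape on output, CSRF via form_open), here is an added example that is not code from the thread or from CodeIgniter itself. The controller name, the view path, the admin URL and the category_model->insert() call are assumptions; the field names and the enable/disable options come from the posts above.

```php
<?php
// Added example (CodeIgniter 3), not code from the thread.
defined('BASEPATH') OR exit('No direct script access allowed');

class Category extends CI_Controller   // assumed controller name
{
    public function __construct()
    {
        parent::__construct();
        // CSRF: once $config['csrf_protection'] = TRUE is set in config.php,
        // the Security class checks the token on every POST and
        // form_open() emits the hidden token field for you.
        $this->load->library('form_validation');
        $this->load->helper(array('form', 'url'));
    }

    public function save()
    {
        // Whitelist every field: accept only what the form can legitimately
        // send and reject everything else, instead of "cleaning" input.
        $this->form_validation->set_rules('category_name', 'Category Name',
            'trim|required|max_length[100]');
        $this->form_validation->set_rules('category_description', 'Description',
            'trim|max_length[1000]');
        $this->form_validation->set_rules('parent_category', 'Parent Category',
            'trim|required|is_natural');               // numeric id only
        $this->form_validation->set_rules('is_featured', 'Featured',
            'trim|required|in_list[0,1]');             // checkbox value
        $this->form_validation->set_rules('status', 'Status',
            'trim|required|in_list[enable,disable]');  // the <select> options

        if ($this->form_validation->run() === FALSE) {
            // Any other value for status/is_featured lands here; show errors.
            return $this->load->view('admin/category_form'); // assumed view
        }

        $form_data = array(
            'category_name'        => $this->input->post('category_name'),
            'category_description' => $this->input->post('category_description'),
            'parent_category'      => (int) $this->input->post('parent_category'),
            'is_featured'          => (int) $this->input->post('is_featured'),
            'status'               => $this->input->post('status'),
        );
        $this->category_model->insert($form_data);  // assumed model method
        redirect('admin');
    }
}

// Output side (views/admin/category_list.php, assumed path): escape every
// value when echoing it, so stored text can never run as HTML/JavaScript:
//   <td><?php echo html_escape($category['category_name']); ?></td>
//   <td><?php echo html_escape($category['status']); ?></td>
```

Because the rules reject anything outside the whitelist before the data reaches the model, xss_clean is not needed on input; html_escape at the point of output is what prevents stored values from being rendered as markup.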