Sanitize user input from form data (input text)
#1

I am currently running CI3 and would like some help on how I can sanitize user input to prevent:
1. XSS
2. Input such as <script>alert(some malicious code)</script>
3. HTML injection
I am using a combination of $this->db->escape_str()/$this->db->escape() (which wraps the input in quotes) to save user input, and htmlentities() when displaying it.
I am able to input <script>alert(some malicious code)</script> and it is not caught or cleaned up by the functions above.

I will appreciate any help.
Hirsi
#2

(This post was last modified: 12-08-2021, 10:43 AM by captain-sensible.)

Well, there are a few approaches. I'm on CI4; what I've done is create a utility class and use regex. I have played with it and have a few methods.

Without going into it deeply, I can't guarantee what I write here was my final choice, but looking into my utility class I see:
Code:
// Class name is a placeholder; the post does not give one.
class InputUtility
{
    // Literal tag strings to strip from the input (matched case-insensitively).
    protected $scriptPattern = ['<script>', '</script>'];

    public function removeScript($input)
    {
        $ridScript = str_ireplace($this->scriptPattern, "", $input);
        return $ridScript;
    }
}


So first you have to have a form or other input-gathering method to get input;

then pass that to a controller or other designated class.

In my method I get the text entered into a text box from a form via the appropriate method and assign the string to a variable called $input. I use PHP's str_ireplace; $this->scriptPattern is what to look for, and I just substitute "" in its place if found. I assign the result to the $ridScript variable and use that wherever I was going to use the original input.


Now for HTML input: I had to write near-foolproof code for a CMS that my daughter would use; a PDF is produced on the fly, but for reasons I won't go into I wanted to remove some HTML tags and leave others. Again, this is the way I've done it:


Code:
// Keep only the listed tags; everything else is stripped (array allowlist needs PHP 7.4+).
$myStringStripTags = strip_tags($mystring, ['p', 'a', 'h4', 'h1', 'h3', 'h2']);

If memory serves me correctly, this PHP function allows you to get rid of HTML tags AND ALSO leave some behind. Now in my blog
I need to allow the user to enter paragraph tags
Code:
<p>     </p>
Otherwise, on editing a blog, if I didn't allow that the blog would be unreadable. In the above I also allow h4, h1, h3, h2.



SO in summary: write your own class, make sure the system can find it; instantiate it somewhere where you intend to use it; pass data to the handle of the instantiated class; and get the cleaned stuff back using the return in the method of the class.


You will have to check the version of PHP that you are using and whether that version of PHP has the capability of what I'm alluding to.
CMS CI4     I use Arch Linux by the way 

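As an added example (not captain-sensible's code, and not part of the original posts): a stand-alone PHP script that runs a few well-known XSS payloads through a <script> blocklist of the kind shown above and through strip_tags() with the same allowlist, and reports which payloads survive each filter. The payload strings are constructed for the demo and are not specific to CodeIgniter.

```php
<?php
// Added example, not captain-sensible's code: runs a few well-known XSS
// payloads through a <script> blocklist and through strip_tags() with an
// allowlist, and reports which payloads survive each filter.
declare(strict_types=1);

// Blocklist approach: delete the literal strings "<script>" and "</script>".
function removeScript(string $input): string
{
    return str_ireplace(['<script>', '</script>'], '', $input);
}

// Allowlist approach: drop every tag except the listed ones.
// strip_tags() keeps the attributes of the tags it allows untouched.
// (Passing the allowlist as an array needs PHP 7.4+; older versions take '<p><a>'.)
function stripToAllowlist(string $input): string
{
    return strip_tags($input, ['p', 'a', 'h1', 'h2', 'h3', 'h4']);
}

// Rough check used only for this demo: does the filtered string still contain
// a script tag, an inline event handler, or a javascript: URL?
function stillDangerous(string $html): bool
{
    return preg_match('/<script|\son[a-z]+\s*=|javascript:/i', $html) === 1;
}

// Constructed payloads for the demo.
$payloads = [
    'plain <script>'                => '<script>alert(1)</script>',
    'space before >'                => '<script >alert(1)</script >',
    'external script src'           => '<script src="https://attacker.example/x.js"></script>',
    'event handler on <img>'        => '<img src=x onerror=alert(1)>',
    'allowed <p>, bad attribute'    => '<p onmouseover="alert(1)">hello</p>',
    'allowed <a>, javascript: href' => '<a href="javascript:alert(1)">click</a>',
];

printf("%-32s %-14s %s\n", 'payload', 'removeScript()', 'strip_tags()');
foreach ($payloads as $name => $payload) {
    printf(
        "%-32s %-14s %s\n",
        $name,
        stillDangerous(removeScript($payload)) ? 'survives' : 'neutralised',
        stillDangerous(stripToAllowlist($payload)) ? 'survives' : 'neutralised'
    );
}
```

Run it with the php command-line binary. The blocklist only catches the exact spelling it was given, so a stray space in the tag or a src attribute gets past it, and strip_tags() leaves the attributes of allowed tags intact, so an onmouseover on a <p> or a javascript: href on an <a> passes straight through. That is the gap the later replies address by escaping at output time or using a dedicated HTML sanitizer.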
#3

(12-08-2021, 10:32 AM)captain-sensible Wrote: Well, there are a few approaches. I'm on CI4; what I've done is create a utility class and use regex. I have played with it and have a few methods. [...]

Captain: Thank you very much. It is awesome when a decent member takes the time to share his knowledge with the rest of us.
It is folks like you who keep us believing in the possibilities of CI.
AHirsi
#4

You can strip the unwanted tags like Captain said, but you also should escape the output when you display the data.
In CI3 you can use html_escape() and in CI4 you can use esc().
CodeIgniter 4 tutorials (EN/FR) - https://includebeer.com
/*** NO support in private message - Use the forum! ***/
#5

What does "sanitize user input" mean?
It is not clear.

To prevent XSS, all you have to do is escape meta characters when you output something as HTML.
You can do it with html_escape() or esc(), as includebeer says.
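As an added example (not code from the thread or from CodeIgniter): the "store raw, escape on output" approach includebeer and kenjis describe, written in plain PHP so it runs without the framework. CI3's html_escape() and CI4's esc() in its default 'html' context do the same job as escHtml() below; CI4's esc() also takes other contexts such as 'attr' and 'js'. The stored comment string is constructed for the demo.

```php
<?php
// Added example, not code from the thread or from CodeIgniter: escape user
// data at output time, with a different escaper for each output context.
declare(strict_types=1);

// For HTML text nodes and for quoted attribute values. ENT_QUOTES also escapes
// single quotes so the value is safe inside attr='...'; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a value placed inside an inline <script> block: emit it as a JSON string
// literal with <, >, &, ' and " hex-escaped, so it can neither close the
// <script> element nor break out of the string literal.
function escJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Render one stored comment into three different output contexts.
function renderComment(string $userInput): string
{
    return sprintf(
        "<p class=\"comment\">%s</p>\n"
        . "<input type=\"text\" value=\"%s\">\n"
        . "<script>var lastComment = %s;</script>\n",
        escHtml($userInput),
        escHtml($userInput),   // quoted attribute: same escaping; the quotes in the template are mandatory
        escJs($userInput)
    );
}

// Constructed hostile input, exactly as it would sit in the database.
// Nothing is removed or altered on the way in; it is only escaped on the way out.
$stored = '<script>alert(document.cookie)</script>" onmouseover="alert(1)';

echo renderComment($stored);
```

The rendered page shows the payload as literal text in all three places. Because the raw value is kept in the database, the same record can later be rendered into a PDF, a JSON API or an e-mail with the escaper that fits that context, which is not possible once the input has been mangled at save time.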
#6

(12-08-2021, 03:28 PM)includebeer Wrote: You can strip the unwanted tags like Captain said, but you also should escape the output when you display the data.
In CI3 you can use html_escape() and in CI4 you can use esc().

Thank you includebeer.
#7

(This post was last modified: 12-09-2021, 02:22 AM by captain-sensible. Edit Reason: clarified )

I've had problems with using esc() on CI4 to do with a CMS system, where the admin of the web app is editing an already posted blog, and the content is stored in fields of an SQLite database. It's to do with the rendering; it didn't work for me, probably my fault rather than esc()'s. When I get time I will try to re-create the problem and take a snapshot.


From memory, if a user enters <p> </p> into the content, then I want that rendered, which it didn't seem to do with tags and use of esc().
As I say, probably an error on my part.
CMS CI4     I use Arch Linux by the way 

#8

(12-09-2021, 02:19 AM)captain-sensible Wrote: From memory, if a user enters <p> </p> into the content, then I want that rendered, which it didn't seem to do with tags and use of esc().
As I say, probably an error on my part.

If you want users to use HTML tags (as HTML tags), you can't simply use `esc()`.
So it is not your error.

In that case, you have to check the user input and remove all tags that you don't want to allow.
It is a very difficult thing. I recommend you use a library to parse HTML and make it clean,
like http://htmlpurifier.org/
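As an added example (not kenjis's code and not HTML Purifier): a minimal allowlist sanitizer built on PHP's bundled DOM extension, to show the shape of the job kenjis describes, that is, parse the HTML, keep only known tags and attributes, and drop everything else. The tag, attribute and URL-scheme allowlists and the sample input are assumptions made for the demo.

```php
<?php
// Added example, not kenjis's code and not HTML Purifier: an allowlist
// sanitizer on top of DOMDocument. Allowlists below are demo assumptions.
declare(strict_types=1);

const ALLOWED_TAGS      = ['p', 'a', 'h1', 'h2', 'h3', 'h4', 'strong', 'em'];
const ALLOWED_ATTRS     = ['a' => ['href']];   // any attribute not listed here (onclick, style, ...) is dropped
const ALLOWED_SCHEMES   = ['http', 'https', 'mailto'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed']; // removed together with their contents

// Only http(s)/mailto/relative URLs may stay in href. Browsers ignore tabs and
// newlines inside a scheme ("java\tscript:"), so control characters are stripped
// before the scheme is read. Entities like &#58; are already decoded by the parser.
function safeHref(string $value): bool
{
    $clean = strtolower(preg_replace('/[\x00-\x20]+/', '', $value));
    if (preg_match('/^([a-z][a-z0-9+.-]*):/', $clean, $m) !== 1) {
        return true;                                  // relative URL or fragment
    }
    return in_array($m[1], ALLOWED_SCHEMES, true);
}

function sanitizeNode(DOMNode $node): void
{
    // Copy the child list first: the tree is mutated while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);               // comments can carry conditional-comment tricks; drop them
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                                 // text nodes are kept; saveHTML() escapes them on output
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);               // <script>...</script> disappears, contents included
            continue;
        }
        sanitizeNode($child);                         // clean descendants before deciding about this element
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag: keep its (already sanitized) children, drop the wrapper element.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed tag: remove every attribute not explicitly allowed for it.
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && ($name !== 'href' || safeHref($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitizeHtml(string $fragment): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);     // user HTML is rarely well-formed; keep parse warnings quiet
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $fragment . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);               // re-serialise with proper entity escaping
    }
    return $out;
}

// Constructed sample: a paragraph with an event handler, a script block, an
// entity-obfuscated javascript: link, a legitimate link and an unknown tag.
$dirty = '<p onmouseover="alert(1)">Hello <strong>world</strong></p>'
       . '<script>alert(document.cookie)</script>'
       . '<a href="java&#09;script:alert(1)">bad link</a>'
       . '<a href="https://example.com/">good link</a>'
       . '<div style="color:red">unwrapped text</div>';

echo sanitizeHtml($dirty), "\n";
```

The output keeps the paragraph, the strong tag and the https link, drops the onmouseover and the javascript: href, removes the script block with its contents, and unwraps the div to plain text. This is enough to show why the job is hard: the check has to run on the parsed tree, not on the string, and every attribute and URL scheme needs its own rule. A maintained library such as HTML Purifier also covers parser quirks and serialisation differences that a sketch like this does not, which is why the recommendation above stands.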
#9

(12-09-2021, 02:19 AM)captain-sensible Wrote: I've had problems with using esc() on CI4 to do with a CMS system, where the admin of the web app is editing an already posted blog, and the content is stored in fields of an SQLite database. It's to do with the rendering; it didn't work for me, probably my fault rather than esc()'s. When I get time I will try to re-create the problem and take a snapshot.


From memory, if a user enters <p> </p> into the content, then I want that rendered, which it didn't seem to do with tags and use of esc().
As I say, probably an error on my part.
Not an error on your part. I don't think you can use esc() and still render some HTML. It will just output the HTML code as plain text. I solved this problem by using Markdown and a library to convert Markdown to HTML.
CodeIgniter 4 tutorials (EN/FR) - https://includebeer.com
/*** NO support in private message - Use the forum! ***/