Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Controller to Model - Security concerns.
Controller to Model - Security concerns.
  • El Forum
    Guest
  •  
#1
11-19-2009, 12:46 PM

[eluser]merrick.christensen[/eluser]
Hey guys, I'm new to Code Igniter and am loving every second of it. Just have a small security concern. That I'm sure I just don't understand.

In all of the demos, documentation, and sample applications I've noticed all the validation and data prepping is done in the controller. This seems fitting to the MVC concept. What I don't understand is in the actual Model. When the validation and prepping has passed you call the Model function and that would be something like:

Code:
function addUser()
{
       $user = array(
               'first_name' => $this->input->post('first_name'),
               'last_name' => $this->input->post('last_name')
       );
      
       $insertQuery = $this->db->insert('users', $user);
       return $insertQuery;
}

Nothing but inserting the post data. When accessing the post array at this point has CodeIgniter already prepped and validated it? What is to stop some one from posting directly to your Model? Skipping validation and prepping all together?

Any help is greatly appreciated, thanks!

Merrick
  • El Forum
    Guest
  •  
#2
11-19-2009, 01:28 PM

[eluser]Ben Edmunds[/eluser]
Hey Merrick,

Someone cannot post directly to your model because you are calling the model through the controller. The model is not available to be called through a url or post.

It is also recommended to clean/verify sensitive data in the model, but that also depends on if you are using it in multiple locations or for multiple purposes.
  • El Forum
    Guest
  •  
#3
11-19-2009, 02:41 PM

[eluser]merrick.christensen[/eluser]
Wow, ok thanks! It seams I can access it through the URL if I go though the necessary file structure should I just be adding if ( ! defined('BASEPATH')) exit('No direct script access allowed'); above all models and controllers?
  • El Forum
    Guest
  •  
#4
11-19-2009, 02:46 PM

[eluser]merrick.christensen[/eluser]
That being said accessing the file or a view or anything returns a blank screen does this mean I wouldn't need:

if ( ! defined(‘BASEPATH’)) exit(‘No direct script access allowed’);

I guess what I'm asking is when a person posts to the URL directly does it accept it as php or return a blank screen to the parser as well?
  • El Forum
    Guest
  •  
#5
11-20-2009, 08:08 AM

[eluser]Ben Edmunds[/eluser]
If they posted POST data to it I believe it would process it but the BASEPATH check will stop that.

Also are you using an htaccess file? If you are using htaccess you shouldn't be able to navigate to the model.




Theme © iAndrew 2016 - Forum software by © MyBB