Security issue
#1

[eluser]nebulom[/eluser]
I'm updating code and passing some values with single quotes. The code in the model is like
Code:
function updateDiscussion($id) {
    $data = array(
        'COMMENTS' => $this->input->post('comments'),
        'LAST_UPDATE_BY' => $this->session->userdata('username')
    );
    // third argument FALSE: raw value, so Oracle's sysdate is not quoted
    $this->db->set('LAST_UPDATE_DATE', 'sysdate', false);
    $this->db->update('EES_BPC_DISC', $data, array('ID' => $id));
}
but it doesn't escape automatically. Do I have to do it manually, with 'COMMENTS' => $this->db->escape($this->input->post('comments'))?

But when I do that, it still can't escape correctly. It returns like
Quote:UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = ''So if i put automatic Xss-filtering i will prevent sql ... It's a very good security practice to escape your data before submitting it into your database. ... to escape the string using the character set of the database. ...'', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'
Why 2 single quotes? It should be the "It's" that has the 2 single quotes. Any clarification? I'm a bit lost here. Thanks.
#2

[eluser]Colin Williams[/eluser]
It's probably not a single quote, but a non-encoded single quote entity (’ or ‘, just not escaped).

You might encounter this if you are pasting from a word processor
#3

[eluser]nebulom[/eluser]
I don't know. I tried typing "hello' world" and it still fires the error. Here's without the escape
Quote:UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = 'hello' world', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'
and with
Code:
$data = array(
    'COMMENTS' => $this->db->escape($this->input->post('comments')),
    'LAST_UPDATE_BY' => $this->session->userdata('username')
);
Quote:UPDATE "EES_BPC_DISC" SET "LAST_UPDATE_DATE" = sysdate, "COMMENTS" = ''hello' world'', "LAST_UPDATE_BY" = 'EES_ADMIN' WHERE "ID" = '1'
I'm with oci8. Does that count? Thanks.
#4

[eluser]nebulom[/eluser]
I think it's the oci8 driver. I tried testing it with MySQL and it works fine. I'm on CodeIgniter 1.7.1. Does anyone know what's going on? Thanks.
#5

[eluser]nebulom[/eluser]
I've added the
Code:
// escape single quotes by doubling them (Oracle literal syntax)
$str = str_replace("'", "''", $str);
after the
Code:
function escape_str($str, $like = FALSE)
{
    if (is_array($str))
    { ...
in the oci8 driver and it works. Hopefully this solves it. Does anyone have a better idea? Thanks a lot.
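An added example, not code from this thread or from CodeIgniter's oci8 driver: a stand-alone PHP sketch of the Oracle quote-doubling that the str_replace() line above supplies, a stand-in for the escape()/update() pair that shows why escaping in the model as well yields the doubled quotes seen in post #3, and a bind-variable builder as the alternative that needs no quote handling at all. The function names (oci_escape_str, oci_escape, build_update_sql, build_update_with_binds) and the sample comment text are assumptions constructed for the illustration; only oci_parse, oci_bind_by_name and oci_execute are real ext/oci8 calls, and no database connection is opened here.

```php
<?php
// Added illustration; these helpers are hypothetical stand-ins for the
// driver's escape_str()/escape()/update() and are not CodeIgniter code.

// Oracle-style string escaping: a single quote inside a literal is doubled.
// This is what the str_replace() added to escape_str() provides.
function oci_escape_str(string $str): string {
    return str_replace("'", "''", $str);
}

// Stand-in for db->escape(): escape the contents AND wrap them in quotes.
function oci_escape(string $str): string {
    return "'" . oci_escape_str($str) . "'";
}

// Stand-in for the part of update() that turns a data array into SET and
// WHERE clauses. It calls escape() on every value itself, which is why
// pre-escaping the value in the model adds a second layer of quoting.
function build_update_sql(string $table, array $data, array $where): string {
    $set = [];
    foreach ($data as $col => $val) {
        $set[] = '"' . $col . '" = ' . oci_escape((string) $val);
    }
    $cond = [];
    foreach ($where as $col => $val) {
        $cond[] = '"' . $col . '" = ' . oci_escape((string) $val);
    }
    return 'UPDATE "' . $table . '" SET ' . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $cond);
}

// Alternative: bind variables. The statement text never contains the user
// data, so no quote escaping is involved at all. Returns the SQL plus a
// name => value map ready for oci_bind_by_name().
function build_update_with_binds(string $table, array $data, array $where): array {
    $set = [];
    $cond = [];
    $binds = [];
    foreach ($data as $col => $val) {
        $name = ':set_' . strtolower($col);
        $set[] = '"' . $col . '" = ' . $name;
        $binds[$name] = $val;
    }
    foreach ($where as $col => $val) {
        $name = ':where_' . strtolower($col);
        $cond[] = '"' . $col . '" = ' . $name;
        $binds[$name] = $val;
    }
    $sql = 'UPDATE "' . $table . '" SET ' . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $cond);
    return ['sql' => $sql, 'binds' => $binds];
}

$comment = "hello' world";   // constructed sample input with an embedded quote

// Correct: let update() escape exactly once.
echo build_update_sql('EES_BPC_DISC', ['COMMENTS' => $comment], ['ID' => 1]), "\n";

// Wrong: escaping in the model first, then update() escapes again.
echo build_update_sql('EES_BPC_DISC', ['COMMENTS' => oci_escape($comment)], ['ID' => 1]), "\n";

// Bind-variable form: the quote in $comment never reaches the SQL text.
$q = build_update_with_binds('EES_BPC_DISC', ['COMMENTS' => $comment], ['ID' => 1]);
echo $q['sql'], "\n";
print_r($q['binds']);

// With a real connection $conn, the binds would be applied like this
// (bind by reference to the array slot, not to a foreach copy, because
// oci_bind_by_name() takes the variable by reference):
//   $stid = oci_parse($conn, $q['sql']);
//   foreach (array_keys($q['binds']) as $name) {
//       oci_bind_by_name($stid, $name, $q['binds'][$name]);
//   }
//   oci_execute($stid);
```

Run it with `php` on the command line: the first statement carries the doubled inner quote the driver fix introduces, the second carries an extra pair of quotes around the whole value, and the third contains only placeholders. The bind-variable form is the one to prefer where the driver allows it, since it makes the escaping question moot regardless of database character set.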