Good practice for xss_clean and escape string
#1

[eluser]esset[/eluser]
I've got a general question about CI and good code practice with security.

Do you guys run XSS_cleaning on all your POST variables for inserting to the database?

Also, do you always escape your strings when performing queries?


If not, what's your suggestion or rules for doing so? Are there any good guidelines for when these two security measures should be taken into consideration?

Thanks
#2

[eluser]rogierb[/eluser]
Yes and yes. :-)

I set $config['global_xss_filtering'] = TRUE;
And only try to use AR so it gets escaped automatically. If I use a normal sql query, I escape everything.

On inserts and updates I cast variables as well.
Code:
$insert['some_int'] = (int) $this->input->post('some_id');
$insert['some_string'] = (string) $this->input->post('some_string');
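The pattern from the post above (cast each POST value, then let AR escape it), written out as a complete model method. This is an added example, not code from the thread or from CodeIgniter itself; it assumes the CodeIgniter 2.x/3.x Active Record (Query Builder), Input and Security classes, and the table name `items` and the POST field names are made up for illustration. It goes one step beyond the post by also showing the same insert as a raw query, using query bindings and `$this->db->escape()`, since that is the case the reply says it escapes "everything" for.

```php
<?php
// Added example (not from the thread). Assumes CodeIgniter 2.x/3.x Active
// Record / Query Builder plus the Input and Security classes. The table
// `items` and the POST field names are constructed for illustration.
class Item_model extends CI_Model
{
    // Insert a record built from POST data, casting each value to the type
    // the column expects so a non-numeric value can never reach the SQL as
    // text. Note: (int) on a non-numeric string yields 0 silently; casting
    // never throws, so validate first if 0 is not an acceptable value.
    public function insert_from_post()
    {
        // Second argument TRUE runs xss_clean() on this one value, the same
        // effect as $config['global_xss_filtering'] = TRUE but per field.
        $insert = array(
            'some_int'    => (int) $this->input->post('some_id', TRUE),
            'some_string' => (string) $this->input->post('some_string', TRUE),
            'price'       => (float) $this->input->post('price', TRUE),
        );

        // Active Record escapes and quotes each value itself.
        $this->db->insert('items', $insert);
        return $this->db->insert_id();
    }

    // The same insert as a raw query. Query bindings (?) let the driver
    // escape and quote each value; escaping by hand with $this->db->escape()
    // is the fallback when bindings cannot be used.
    public function insert_from_post_raw()
    {
        $some_int    = (int) $this->input->post('some_id', TRUE);
        $some_string = (string) $this->input->post('some_string', TRUE);

        $sql = 'INSERT INTO items (some_int, some_string) VALUES (?, ?)';
        $this->db->query($sql, array($some_int, $some_string));

        // Equivalent manual form: escape() adds the quotes for strings and
        // leaves integers bare, so no quotes are written into $sql by hand.
        // $sql = 'INSERT INTO items (some_int, some_string) VALUES ('
        //      . $this->db->escape($some_int) . ', '
        //      . $this->db->escape($some_string) . ')';
        // $this->db->query($sql);

        return $this->db->insert_id();
    }
}
```

The two measures in the thread title protect different sinks: `xss_clean()` neutralises HTML and script content so a stored value is safer to echo into a page later, while escaping or binding keeps a value from being parsed as part of the SQL statement. Doing one does not cover the other, which is why the reply does both.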
#3

[eluser]esset[/eluser]
Thank you sir! :)
#4

[eluser]Random dude[/eluser]
Casting, that's a very interesting one.

I suppose the db function will throw an error if the type doesn't cast properly.

Speaking of, does CI have a mechanism for handling exceptions? Or should I study up more on my PHP? (I am in the process of doing this.)
#5

[eluser]ururk[/eluser]
I've found that in a few instances AR doesn't properly detect the type of value, and doesn't put ticks around a string - as an example, importing XML into a DB record (simplexml_load_string), I loop through the loaded XML:

$title = $xml->title;

When inserting $title, AR didn't put single quotes around the string, and the query was invalid.

This worked:

$title = (string) $xml->title;


YMMV, could have been my server.
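The failure described in the post above comes from `$xml->title` being a `SimpleXMLElement` object rather than a PHP string, so a value-type check that quotes strings does not recognise it. The following is an added example, not code from the thread or from CodeIgniter: it uses a constructed XML document, shows the object type, builds the row with explicit casts, and adds a small guard (`assert_scalar_row`, a hypothetical helper) that refuses any object before the row is handed to `$this->db->insert()`, so the problem surfaces as a PHP exception instead of an unquoted value in SQL.

```php
<?php
// Added example (not from the thread). The XML document is constructed for
// illustration; assert_scalar_row() is a hypothetical helper, not a CI API.
$doc = '<?xml version="1.0"?>'
     . '<item><title>Hello world</title><count>3</count></item>';
$xml = simplexml_load_string($doc);

// The property is an object, not a string, until it is cast.
var_dump(is_object($xml->title));   // bool(true)
var_dump(get_class($xml->title));   // string(16) "SimpleXMLElement"

// Build the row with explicit casts so every value is a PHP scalar.
function row_from_xml(SimpleXMLElement $xml)
{
    return array(
        'title' => (string) $xml->title,
        'count' => (int) $xml->count,
    );
}

// Guard usable before any $this->db->insert(): reject values that are still
// objects (or arrays), allowing only scalars and NULL through.
function assert_scalar_row(array $row)
{
    foreach ($row as $col => $val) {
        if ($val !== null && !is_scalar($val)) {
            throw new InvalidArgumentException(
                "Column '$col' is " . gettype($val) . ', expected a scalar'
            );
        }
    }
    return $row;
}

$row = assert_scalar_row(row_from_xml($xml));
var_dump($row);   // array with 'title' => string, 'count' => int

// Passing the raw elements instead would throw here rather than produce
// an invalid query later:
try {
    assert_scalar_row(array('title' => $xml->title));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// In a CI model: $this->db->insert('items', $row);
```

The guard is cheap and makes the cast a checked step rather than a convention, which matters because the unquoted-value symptom in the post only shows up at query time, on whatever data happens to contain characters that break the statement.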



