[eluser]Rick Jolly[/eluser]
[quote author="walesmd" date="1187868712"]The vulnerability comes into play when someone injects a variable that is in the database but not in your form.
An example that was previously given on this forum (can't find the thread atm):
If you are updating a record's image and location field via a form, and that table also has a permissions field - the malicious user could inject 'permissions'='admin' and gain administrative privileges to your site.
[/quote]
Good point and I should watch for those cases.
[quote author="walesmd" date="1187868712"]
Always strictly define the input variables via one of these (which all equate to the same value):
Code:
$this->input->post('var');
$this->validation->var;
$_POST['var'];
[/quote]
Always is a strong word. As you mentioned, there is only a vulnerability when a user injects a variable that is in the database but isn't in the form. But when in doubt, the database fields should be defined.
Solution
I think this is a simple safe solution that saves typing:
Code:
// set the validation fields (column name => human-readable label)
$fields['address'] = "Address";
$fields['price'] = "Price";
// only the keys (the column names) are needed for the whitelist
$fields = array_keys($fields);
// OR, after calling set_fields():
// $this->validation->set_fields($fields);
// $fields = array_keys($this->validation->_fields);
$insert_data = get_db_data($fields, $_POST);
$this->db->insert('mytable', $insert_data);

// copy only the whitelisted fields out of the posted data, so a key that is
// in the table but not in the form (e.g. 'permissions') is never inserted
function get_db_data($array_fields, $array_post)
{
    $data = array();
    foreach ($array_fields as $field)
    {
        // isset() avoids an undefined-index notice when a field was not posted
        $data[$field] = isset($array_post[$field]) ? $array_post[$field] : NULL;
    }
    return $data;
}
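The mass-assignment case walesmd describes and the whitelist approach above, shown side by side as an added stand-alone example (not code from the forum post or from CodeIgniter; the request array, the function names and the column list are constructed for illustration):

```php
<?php
// Constructed request data: 'address' and 'price' come from the form,
// 'permissions' is an extra key the client added that the form never sends.
$simulatedPost = array(
    'address'     => '1 Main St',
    'price'       => '250000',
    'permissions' => 'admin',
);

// Vulnerable pattern: the whole request array is handed to the insert,
// so any column the client names (here 'permissions') gets written.
function build_insert_unsafe(array $post)
{
    return $post;
}

// Hardened pattern: only columns the form is meant to set are copied.
// Keys missing from the request get $default instead of raising an
// undefined-index notice, so partial submissions still work.
function build_insert_whitelisted(array $allowedFields, array $post, $default = NULL)
{
    $data = array();
    foreach ($allowedFields as $field) {
        $data[$field] = array_key_exists($field, $post) ? $post[$field] : $default;
    }
    return $data;
}

// Detection aid: a genuine form submission never carries columns outside
// the whitelist, so their presence is worth logging before the insert.
function unexpected_fields(array $allowedFields, array $post)
{
    return array_values(array_diff(array_keys($post), $allowedFields));
}

$allowed = array('address', 'price');

$unsafe = build_insert_unsafe($simulatedPost);
$safe   = build_insert_whitelisted($allowed, $simulatedPost);

var_dump(array_key_exists('permissions', $unsafe));
var_dump(array_key_exists('permissions', $safe));

$extra = unexpected_fields($allowed, $simulatedPost);
if ($extra) {
    error_log('Request carried non-form fields: ' . implode(',', $extra));
}
```

In a CodeIgniter controller the whitelisted array is what would be passed to $this->db->insert() or $this->db->update(), with $_POST (or $this->input->post()) in place of the constructed array.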