Cleaning my DB Input?
#1

[eluser]invision[/eluser]
Hi,

I wonder, what are the best practices for DB input?

I currently have a function/method in my Model:

Code:
function createEntry()
{
    $data = array(
        'author'  => $this->input->post('author'),
        'content' => $this->input->post('comments')
    );
    // xss clean & escape sql
    // insert data
    return $this->db->insert('data', $data);
}

In my Controller I have already validated the value:

Code:
function create()
{
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');

    $this->form_validation->set_error_delimiters('<div class="error">', '</div>');

    /* Form Validation */
    $this->form_validation->set_rules('author', 'Author', 'trim|required');
    $this->form_validation->set_rules('comments', 'Comments', 'trim|required');

    # Input and textarea field attributes
    $data['author']   = array('name' => 'author',   'id' => 'author');
    $data['comments'] = array('name' => 'comments', 'id' => 'comments');

    if ($this->form_validation->run() == FALSE)
    {
        $this->load->view('add');
    }
    else
    {
        $this->load->model('Guestbook_model');
        $data['cats'] = $this->Guestbook_model->createEntry();
        $this->load->vars($data);
        $this->load->view('add_success');
    }
}

But I would like to 1) type check the value and 2) stop any XSS or SQL Injection attacks.

I'm using ActiveRecord and read somewhere I'm covered for SQL Injection, but not XSS. Is this right?


Can anyone show me how to best do this with the code provided?



Many thanks for your help.
#2

[eluser]steelaz[/eluser]
If you're using ActiveRecord, you should be safe against SQL Injection. To check input against XSS, there is a prepping function in the form validation library - "xss_clean". You can add it as a regular rule:

Code:
$this->form_validation->set_rules('author', 'Author', 'trim|required|xss_clean');


There are a few other prepping functions - http://ellislab.com/codeigniter/user-gui...greference

You can also set global xss_clean checking for all user input in /config/config.php
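The approach from this answer, carried through the original poster's controller and model as an added example (this is not code from the thread or from CodeIgniter itself). It assumes CodeIgniter 2.x class names (CI_Controller, CI_Model), a table called guestbook and views named add and add_success; the rule names (trim, required, max_length, alpha_dash, xss_clean), Active Record insert(), insert_id() and the global_xss_filtering config key are documented CodeIgniter features. It keeps the three controls separate, because they do different jobs: validation rules reject or sanitise what comes in (the max_length and alpha_dash rules are the type checking asked about in #1), Active Record escapes values when it builds the INSERT, and htmlspecialchars() at render time is what actually stops stored text from being interpreted as HTML, since xss_clean on input is only a best-effort filter.

```php
<?php
// ---- application/controllers/guestbook.php --------------------------------
class Guestbook extends CI_Controller
{
    public function create()
    {
        $this->load->helper(array('form', 'url'));
        $this->load->library('form_validation');
        $this->form_validation->set_error_delimiters('<div class="error">', '</div>');

        // trim|required as in the original post, plus:
        //   max_length[n]  bounds what can reach the database
        //   alpha_dash     limits the author field to [A-Za-z0-9_-]
        //   xss_clean      runs the Security class's XSS filter over the value
        // Setting $config['global_xss_filtering'] = TRUE in config/config.php
        // applies xss_clean to every GET/POST/COOKIE value instead.
        $this->form_validation->set_rules('author', 'Author',
            'trim|required|max_length[40]|alpha_dash|xss_clean');
        $this->form_validation->set_rules('comments', 'Comments',
            'trim|required|max_length[2000]|xss_clean');

        if ($this->form_validation->run() == FALSE) {
            $this->load->view('add');
            return;
        }

        $this->load->model('Guestbook_model');
        // set_value() returns the rule-processed (trimmed, xss_cleaned) value
        // rather than the raw POST field.
        $id = $this->Guestbook_model->createEntry(
            set_value('author'),
            set_value('comments')
        );
        $this->load->view('add_success', array('id' => $id));
    }
}

// ---- application/models/guestbook_model.php -------------------------------
class Guestbook_model extends CI_Model
{
    public function createEntry($author, $content)
    {
        // Active Record escapes each value when it builds the INSERT, so a
        // payload such as  ' OR 1=1 --  is stored as text, not executed.
        $this->db->insert('guestbook', array(
            'author'  => $author,
            'content' => $content,
            'created' => date('Y-m-d H:i:s'),
        ));
        return $this->db->insert_id();
    }
}

// ---- in the view that lists entries ($entries from a result() call) -------
// Escape on output regardless of what was filtered on input; this is the
// control that prevents stored XSS when the entries are rendered.
foreach ($entries as $e) {
    echo '<p><b>' . htmlspecialchars($e->author, ENT_QUOTES, 'UTF-8') . '</b>: '
       . htmlspecialchars($e->content, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

A quick way to check the whole chain is to submit `<script>alert(1)</script>` as the comment and `' OR 1=1 --` as the author: the author is rejected by alpha_dash, the comment is neutralised by xss_clean, and even if a future rule change lets raw markup through, the htmlspecialchars() call in the view still renders it as literal text.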
#3

[eluser]invision[/eluser]
Brilliant, just what I wanted to hear.

I'm also now going to use this: http://ellislab.com/codeigniter/user-gui...ereference for type-check functions.


Thanks for all your help.




Theme © iAndrew 2016 - Forum software by © MyBB