• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Cleaning my DB Input?

#1
[eluser]invision[/eluser]
Hi,

I wonder, what are the best practices for DB input?

I currently have a function/method in my Model:

Code:
function createEntry() {

        $data = array('author' => $this->input->post('author'),
            'content' => $this->input->post('comments')
        );
        // xss clean & escape sql
        // insert data
        $this->db->insert('data',$data);

    }

In my Controller I have already validated the value:

Code:
function create()
    {
    $this->load->helper(array('form', 'url'));        
    $this->load->library('form_validation');
        
    $this->form_validation->set_error_delimiters('<div class="error">', '</div>');
                    
    /* Form Validation */            
    $this->form_validation->set_rules('author', 'Author', 'trim|required');
    $this->form_validation->set_rules('comments', 'Comments', 'trim|required');  
    
    #Input and textarea field attributes
    $data["author"] = array('name' => 'author', 'id' => 'author');
    $data['comments'] = array('name' => 'comments', 'id' => 'comments');
        
                
        if ($this->form_validation->run() == FALSE)
        {        
          $this->load->view('add');
        }
        else
        {        
          $this->load->model('Guestbook_model');
          $data['cats'] = $this->Guestbook_model->createEntry();
          $this->load->vars($data);
          $this->load->view('add_success');
        }
    }

But I would like to 1) type check the value and 2) stop any XSS or SQL Injection attacks.

I'm using ActiveRecord and read somewhere I'm covered for SQL Injection, but not XSS. Is this right?


Can anyone show me how to best do this with the code provided.



Many thanks for your help.

#2
[eluser]steelaz[/eluser]
If you're using ActiveRecord, you should be safe against SQL Injection. To check input against XSS, there is prepping function in form validation library - "xss_clean". You can add it as ane regular rule:

Code:
$this->form_validation->set_rules('author', 'Author', 'trim|required|xss_clean');


There are a few other prepping functions - http://ellislab.com/codeigniter/user-gui...greference

You can also set global xss_clean checking for all user input in /config/config.php

#3
[eluser]invision[/eluser]
Brilliant, just what I wanted to hear.

I'm also going to now use this: http://ellislab.com/codeigniter/user-gui...ereference for Type Check functions.


Thanks for all your help.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.