can I directly use variables from URI?

#1
[eluser]basementDUDE[/eluser]
Is it safe to use the variables from URI directly? I have used the active record class in my model, so I don't need to worry database injection attack right? any security issue with my code? any advise will be really appreciated.

Code:
function showItem($id)
{
//load model... then call model function

$this->item_model->get_item($id);

//load views...
}


in the item_model class

Code:
function get_item($id){

$this->db->where('items.id', $id);

$result = $this->db->get('items');


return $result->result_array();
}

#2
[eluser]kkristo[/eluser]
You can check from controller:

function showItem($id){
if ( $this->item_model->checkvalidID() == false){
$this->output->set_status_header(400);
}else{
// getdata
}
}

#3
[eluser]pickupman[/eluser]
You should be using typecasting
Code:
function get_item($id){

$this->db->where('items.id', (int)$id);

$result = $this->db->get('items');


return $result->result_array();
}

#4
[eluser]basementDUDE[/eluser]
thanks for the reply guys.

I read the documentation, it suggest that we need to filter data before use it.

Filter the data as if it were tainted.(Is that any build in function or class I can use to filter URI data, such as the forum validation class.)

#5
[eluser]pickupman[/eluser]
Using the active record (default) for your DB access will be helpful, as it will provide safer queries. Try and use typecasting whenever possible.

#6
[eluser]basementDUDE[/eluser]
I am using active record for DB access, what I don't know is how to filer URI data in controller.
[quote author="pickupman" date="1284444484"]Using the active record (default) for your DB access will be helpful, as it will provide safer queries. Try and use typecasting whenever possible.[/quote]

#7
[eluser]LinkFox[/eluser]
You can use PHP's is_numeric if your sure it's a number...

if(is_numeric($id)) {
// Do stuff
} else {
// Show user an error message
}

I prefer this over casting because then the rubbish data never even touches the db code.

Or what I do sometimes if there are a limited number of options is run them through a switch statement.

switch($uriQuery) {
case "option1":
$uriQuery = "Opt1";
break;
case "option2":
$uriQuery = "Opt2";
break;
default:
$uriQuery = "Opt1";
break;
}

This ensures no one can inject rubbishy data into your query and also allows yu to put more SEO friendly tags in your URI.

Also I never really use 'IDs' for getting records...this leads to all kinds of security issues if you're getting sensitive information. I normally create a unique ref with PHP's uniqid then hash it and put that in my DB then look up by that. Much harder for someone to guess an ID this way rather than a standard auto increment and if you also do a permission check that the user is allowed to access the content you're quite secure.

Cheers.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.