Form Input Security Question
#1

[eluser]TerryT[/eluser]
New to CI. Have read in a number of websites conflicting advice on how to deal with form input using CI. Appreciate some guidance. I am obtaining user data from a form and validating it like:

$this->form_validation->set_rules('project','Project','trim|required|min_length[5]|max_length[12]|xss_clean');

The user data will both be inserted into a database using Active Record as shown below and it will also be retrieved and printed in a table on a web page:

$this->db->insert('projects', $data);

Are there any other precautions I need to take for good coding practice? htmlspecialchars()? urlencode()? Thanks.

Terry
#2

[eluser]Bart v B[/eluser]
What I always do is automatically use XSS clean.
In your /config/config.php, around line number 266:
Code:
<?php
$config['global_xss_filtering'] = TRUE; // by default this is FALSE

Take a look in the manual at what kind of validation options you have:
http://ellislab.com/codeigniter/user-gui...ereference
And scroll a little lower to see Prepping Reference
#3

[eluser]umefarooq[/eluser]
If you are not enabling that, then while getting your data from the post array you can clean your data with the CI input class:

Code:
$this->input->post('field_name',TRUE);

$this->input->get('field_name',TRUE);

$this->input->get_post('field_name',TRUE);

This will also do xss_clean.

Check the user guide also:
http://ellislab.com/codeigniter/user-gui...input.html
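Putting the two replies above together, here is an added example (not code from any poster or from CodeIgniter itself) of a CodeIgniter 2.x controller that validates and filters the `project` field once, then hands the prepped value to Active Record. The controller and table names are assumptions; the rule string is the one from the question.

```php
<?php
// application/controllers/projects.php (constructed example, CodeIgniter 2.x style)
class Projects extends CI_Controller {

    public function add()
    {
        $this->load->library('form_validation');
        $this->load->helper(array('form', 'url'));

        // The same rule string as in the question: trim and xss_clean are
        // prepping rules, the others reject the request when they fail.
        $this->form_validation->set_rules(
            'project', 'Project',
            'trim|required|min_length[5]|max_length[12]|xss_clean'
        );

        if ($this->form_validation->run() === FALSE) {
            // Re-display the form (it can call validation_errors()); nothing is stored.
            $this->load->view('project_form');
            return;
        }

        // set_value() returns the value AFTER the prepping rules ran, whereas
        // $this->input->post('project') would still be the raw value unless
        // global_xss_filtering is on or you pass TRUE as the second argument.
        $data = array('project' => $this->form_validation->set_value('project'));

        // Active Record escapes the value when it builds the INSERT, so this
        // covers SQL injection. It does nothing about how the value is later
        // rendered in HTML; that is a separate, output-side concern.
        $this->db->insert('projects', $data);

        redirect('projects/index');
    }
}
```

The practical point is that filtering happens in exactly one place (the rules), and every later consumer reads the prepped value through `set_value()` rather than going back to `$_POST`.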
#4

[eluser]TerryT[/eluser]
Thanks for the responses. This handles XSS. Any other requirements for good practice? This post:

http://ponderwell.net/2010/08/codeignite...by-itself/

says I should also use urlencode or htmlentities because:

"So, from the above tests, we can see that (1) CodeIgniter misses Javascript events when not within a HTML tag, (2) does not always strip the actual Javascript code, and (3) it only strips the attributes from normal HTML tags (i.e. IMG) it finds."

Any other issues? What about CSRF?

Terry
#5

[eluser]WanWizard[/eluser]
CSRF protection is present in CI 2.0 (although very rudimentary).

Validation of input depends on what you intend to do with it. Sometimes it's a good thing HTML or JavaScript survives.
XSS does exactly what it says on the box, it strips enough to disable XSS attacks. It doesn't claim to do more. If you want that, add the required validation functions to MY_Form_validation.
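As an added example (not from any poster or from CodeIgniter), the three pieces the last two posts point at: the CI 2.0 CSRF switch, a stricter custom rule in MY_Form_validation that rejects markup outright instead of relying on xss_clean to strip it, and escaping at output time so whatever is stored is displayed rather than interpreted. File paths, the `project_name` rule and the view variable names are assumptions.

```php
<?php
// application/config/config.php (CodeIgniter 2.0): the rudimentary CSRF check
// mentioned above. form_open() then emits the hidden token field for you.
$config['csrf_protection'] = TRUE;

// application/libraries/MY_Form_validation.php (constructed example)
// A whitelist rule: a project name may only use letters, digits, spaces,
// '-' and '_'. Anything else fails validation, so no markup ever reaches
// the database, which is stricter than xss_clean's strip-what-looks-bad approach.
class MY_Form_validation extends CI_Form_validation {

    public function project_name($str)
    {
        if (preg_match('/^[A-Za-z0-9 _-]+$/', $str)) {
            return TRUE;
        }
        $this->set_message('project_name',
            'The %s field may only contain letters, numbers, spaces, dashes and underscores.');
        return FALSE;
    }
}
// Used from a controller as:
// $this->form_validation->set_rules('project', 'Project',
//     'trim|required|min_length[5]|max_length[12]|project_name');

// application/views/projects_table.php (constructed example)
// Escape when printing, regardless of what filtering ran on input. htmlspecialchars
// with ENT_QUOTES turns < > & " ' into entities, so a stored value such as
// <img src=x onerror=...> is shown as text instead of being executed.
?>
<table>
<?php foreach ($projects as $row): ?>
  <tr>
    <td><?php echo htmlspecialchars($row->project, ENT_QUOTES, 'UTF-8'); ?></td>
  </tr>
<?php endforeach; ?>
</table>
```

The division of labour is what the thread is circling around: validation rules decide what is allowed in, Active Record handles the SQL side, and escaping in the view handles the HTML side. xss_clean sits in the middle as a best-effort filter, not a replacement for either end.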
