Security: inserting in DB
#1

[eluser]Référencement Google[/eluser]
Hi,

I would like to know if inserting form posted data in a MySQL database using the CI filters is enough or should we use some more mysql_real_escape_string before?

I mean, is this enough to do so?
Code:
$data_to_insert = $this->input->post('myfield', TRUE);
#2

[eluser]Derek Allard[/eluser]
In general, that's a pretty good first step. To be better off though, you'd validate for things like a maximum length - you'd do stuff like check the datatype (if you're expecting a number, then verify that the data is actually a number).

Essentially, be paranoid. Don't trust your user - use validation and the built in CI protections.
#3

[eluser]Rick Jolly[/eluser]
[quote author="elitemedia" date="1191797365"]Hi,

I would like to know if inserting form posted data in a MySQL database using the CI filters is enough or should we use some more mysql_real_escape_string before?

I mean, is this enough to do so?
Code:
$data_to_insert = $this->input->post('myfield', TRUE);
[/quote]
Well, the xss input cleaning and database escaping are two different things. For example, xss_clean won't escape single quotes. Anyway, if you're using CI active record or query bindings, then the database escaping is done for you.
#4

[eluser]Référencement Google[/eluser]
Thanks for answers.

So that's the answer to my question Rick, it is then not enough to use only CI filters. We should also add a mysql_real_escape_string before inserting if we don't use active record or query bindings (I do not use it for example).

I think a filter should be implemented in CI, for example a "prepare_for_DB" function which would do full preparing of inserting form fields in a DB. I will try to look at how to implement this.
#5

[eluser]Crimp[/eluser]
Code:
$this->db->escape();
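The distinction Rick draws in #3 (xss_clean is not database escaping) and the escape() call Crimp posts in #5, shown side by side in a CodeIgniter controller. This is an added example, not code from the thread or from CodeIgniter itself; the `Users` controller, the `users` table and its `name` column are assumed placeholders, and the base class name `Controller` assumes the CI 1.x series the thread is about.

```php
<?php
// Added example (not from the thread): getting a posted value into MySQL
// from a CodeIgniter 1.x controller. `users`/`name` are placeholder names.
class Users extends Controller {

    function save()
    {
        // The second argument TRUE runs xss_clean, which strips script and
        // event-handler markup. It does NOT escape quotes: a value such as
        // O'Brien arrives with its single quote intact.
        $name = $this->input->post('name', TRUE);

        // 1. UNSAFE: the value is concatenated straight into the SQL text.
        //    The quote in O'Brien ends the string literal and the statement
        //    is no longer the one you wrote; xss_clean alone does not stop this.
        // $this->db->query("INSERT INTO users (name) VALUES ('" . $name . "')");

        // 2. Manual escaping: $this->db->escape() returns the value escaped
        //    AND wrapped in quotes, so no quotes are written around it here.
        $sql = "INSERT INTO users (name) VALUES (" . $this->db->escape($name) . ")";
        $this->db->query($sql);

        // 3. Query bindings: each ? is replaced by the escaped value.
        $this->db->query("INSERT INTO users (name) VALUES (?)", array($name));

        // 4. Active Record: every value in the array is escaped for you.
        $this->db->insert('users', array('name' => $name));
    }
}
```

Options 2, 3 and 4 each produce a correct INSERT for the same input; only option 1 depends on the posted value containing no quote.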
#6

[eluser]Derek Allard[/eluser]
Yes. I should be clear that I assumed (I know you should assume) that you'd be using the active record library of CI. If not, then you definitely need to manually escape, and Crimp and Rick have nailed that down for you.
#7

[eluser]Référencement Google[/eluser]
[quote author="Crimp" date="1191871974"]
Code:
$this->db->escape();
[/quote]

Oops, missed this one in the user guide :roll:
Many thanks to every one of you.