Welcome Guest, Not a member yet? Register   Sign In
is this stamenet true or false: if I use $this->form_validation->set_rules then I don't need to sanitise the input?
#1

[eluser]andychurchill[/eluser]
If I have this in my validation rules:

Code:
$this->form_validation->set_rules('username', 'username', 'trim|strip_tags|required|min_length[5]|max_length[12]|xss_clean');
$this->form_validation->set_rules('password', 'password', 'trim|strip_tags|required|min_length]5]|max_length{12]|callback_checkUsernameAndPasswordExists');

and then the callback function does this:

Code:
$username = $this->input->post('username');
$password = $this->input->post('password');

Am I right in thinking this is safe?

I guess I might also want to add a regular expression to the form validation to ensure alpha numeric, particularly when on the registration form, but the main thing was that I wanted to confirm that if it gets past that form validation, then the value of the input post vars can be presumed safe?

In addition, active record query would then escape it, so I think that covers it?


#2

[eluser]InsiteFX[/eluser]
No! you still should use the xss_clean
Code:
$username = $this->input->post('username', TRUE);
$password = $this->input->post('password', TRUE);
#3

[eluser]andychurchill[/eluser]
Actually I see your point, but surely then I have to re-do the trim, strip_tags, etc on the form elements as well, because set_rules doesn't any apply the trim | strip_tags stuff to the actual form array, so you still need to actually trim and strip_tags before you use the input?

I thought there might be a better way.
#4

[eluser]andychurchill[/eluser]
Thinking about this a bit more, I think I understand where I'm going wrong. If I add additional validation at the point of set_rules to ensure the user hasn't tried to enter html in the username field, I can be confident that the input->post step will have valid data, so I don't nee to re-apply the strip tags?

I just can't find a good example of a simple but secure registration form, done right, in codeigniter.
#5

[eluser]InsiteFX[/eluser]
Very Simple! NEVER NEVER NEVER trust user input!
#6

[eluser]andychurchill[/eluser]
I don't trust it, hence my concern. My issue is more related to DRY: I don't want to repeat the same xss_clean/trim/strip_tags process twice, and assumed if I'd performed it at validation, I don't then need to sanitise the input again. It seems the guy in this thread had a similar belief: http://ellislab.com/forums/viewthread/201355/

And from what I can tell, it hinges on whether $this->input->post contains the post validation processed inputs. I get the feeling from that thread that it is possible, if you create a callback function to return a processed result, e.g. having already run trim|strip_tags and xss_clean on the input.

At that point, assuming that input->post now has a processed value, I don't need to do any further processing on the form element, but this is where I can't quite find any documentation that says this to be the case.
#7

[eluser]Mauricio de Abreu Antunes[/eluser]
I guess these XSS functions have different behaviors.
#8

[eluser]InsiteFX[/eluser]
If you want to see what is going on look at the CodeIgniter Classes!
#9

[eluser]Refringe[/eluser]
I've wondered this in the past, so I did a little testing to find out exactly what's going on.

It turns out the post-validated value is only available in a callback if you pass the value to the callback as a parameter. If you try to access post data in a callback using the input class you will only retrieve pre-validated data.

However, once the validation has passed, the post-validated values are pushed back to the $_POST, so you can access them using the input class.

This, of course, sucks when you want to validate two inputs using one callback; like a login form, but then again, you're not storing any information using a login form, so it shouldn't matter. What you should be doing is taking the username and password as raw input and trying to select a match from your users table (using the Active Record Class). If there's no match, there's no login. You're not going to be storing or writing the username or password through a login callback, so this is all very unnecessary because even if there is an XSS exploit it's just going to be discarded.

Below is my test code and my results.

CONTROLLER:
Code:
public function index()
{
    $this->load->library('form_validation');
    $this->form_validation->set_rules('to_upper', 'to_upper', 'trim|required|strtoupper');
    $this->form_validation->set_rules('to_lower', 'to_lower', 'trim|required|strtolower|callback__cbtest');
    
    if ($this->form_validation->run() == FALSE)
    {
        $this->load->view('testing');
    }
    
    else
    {
        echo "After Validation - Should be uppercase:<br />";
        var_dump($this->input->post('to_upper'));
        
        echo "After Validation - Should be lowercase:<br />";
        var_dump($this->input->post('to_lower'));
        
        exit;
    }
}

public function _cbtest($to_lower)
{
    echo "Callback - Input Class - Should be uppercase:<br />";
    var_dump($this->input->post('to_upper'));
    
    echo "Callback - Input Class - Should be lowercase:<br />";
    var_dump($this->input->post('to_lower'));
    
    echo "Callback - Parameter - Should be lowercase:<br />";
    var_dump($to_lower);
    
    return true;
}

VIEW:
Code:
&lt;?php echo form_open('testing'); ?&gt;
    &lt;input type="text" name="to_upper" id="to_upper" value="Refringe" /&gt;
    &lt;input type="text" name="to_lower" id="to_lower" value="Refringe" /&gt;
    &lt;input type="submit" value="submit" /&gt;
&lt;/form&gt;

RESULT:
Code:
Callback - Input Class - Should be uppercase:
string 'Refringe' (length=8)

Callback - Input Class - Should be lowercase:
string 'Refringe' (length=8)

Callback - Parameter - Should be lowercase:
string 'refringe' (length=8)

After Validation - Should be uppercase:
string 'REFRINGE' (length=8)

After Validation - Should be lowercase:
string 'refringe' (length=8)




Theme © iAndrew 2016 - Forum software by © MyBB