Can a URI var ever be malicious?
#1

[eluser]theshiftexchange[/eluser]
Hi guys,

Given the following code:

Code:
// create a new user
function register($plan = false)
{
  // Check the plan they have picked is valid, or default to the first plan
  $this->load->model('pricing_plan');
  if (( ! $plan) || ($this->pricing_plan->count_by('name', $plan) === 0))
  {
   $plan = $this->pricing_plan->get_all();
   $plan = $plan[0]->name;
  }
  // (rest of the registration logic not shown in the post)
}

Because I pass "$plan" to the model without validation, can anything malicious ever be passed, i.e. SQL injection or JavaScript?

I use active record on the model.
#2

[eluser]luismartin[/eluser]
You are protected against SQL injection by using CI's active record, but not against XSS attacks (JavaScript).
To do so, you can perform different steps:

- To set the XSS filtering config variable to TRUE: $config['global_xss_filtering'] = TRUE;

- To set to TRUE the second parameter of the post() and get() methods of Input class:
$clean_data = $this->input->post('myfield', true);

- To use the xss_clean method of Security class:
$clean_data = $this->security->xss_clean($data);
#3

[eluser]theshiftexchange[/eluser]
[quote author="luismartin" date="1334870019"]You are protected against SQL injection by using CI's active record, but not against XSS attacks (JavaScript).
To do so, you can perform different steps:

- To set the XSS filtering config variable to TRUE: $config['global_xss_filtering'] = TRUE;

- To set to TRUE the second parameter of the post() and get() methods of Input class:
$clean_data = $this->input->post('myfield', true);

- To use the xss_clean method of Security class:
$clean_data = $this->security->xss_clean($data);[/quote]

Thanks - but if I am using the default CI URI chars, can an XSS attack occur with only those chars?

Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
#4

[eluser]luismartin[/eluser]
Yes, it would be possible through POST.
#5

[eluser]theshiftexchange[/eluser]
[quote author="luismartin" date="1334901729"]Yes, it would be possible through POST.[/quote]

But in my example above I am not looking at any POST - just the passed var $plan, which comes through the URI?
#6

[eluser]luismartin[/eluser]
In that case I'm not 100% sure.

Well, if you (for some reason) urldecode some data from the URL that is URL-encoded (so that it passes the CI URI filter), you might get the malicious script as it is.

Example:
Code:
<scri*pt>alert('hello')</scri*pt>
to
Code:
#3cscript#3ealert(#27hello#27)#3c#2fscript#3e
(replacing # with % and removing the asterisks, as the forum filter censors any script tag)

But I'm not absolutely sure of this behaviour.
#7

[eluser]skunkbad[/eluser]
Chances are that you would be safe, but there's more to consider based on whether $plan gets inserted into the HTML in the view. If $plan is an integer, typecast it as (int). If $plan is one of a series of strings, you could easily check that the value exists in an array using PHP's in_array() function. Active Record is good, so chances are you're not going to have any SQL injection, but like I said, if the value of $plan is going to be used in the HTML, that's where you need to make sure it's properly filtered.
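An added example in plain PHP (not code from this thread and not CodeIgniter's own code) that ties together the last two replies: it applies the default permitted_uri_chars class from post #3 to a URI segment, shows why urldecode() after that check brings back the characters the filter rejected (post #6), and then applies the in_array() allow-list and HTML escaping that post #7 recommends. The function names is_permitted_uri(), pick_plan() and render_plan(), the $KNOWN_PLANS list and the sample inputs are all constructed for the example; htmlspecialchars() stands in for CI's html_escape() helper.

```php
<?php
// Added example, not part of the thread or of CodeIgniter. Helper names and the
// plan list are hypothetical; the URI character class is CI's default from post #3.

// CI's default: $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-'
// A segment is accepted only if every character is in this class (case-insensitive).
function is_permitted_uri(string $segment): bool
{
    return preg_match('/^[a-z 0-9~%.:_\-]+$/i', $segment) === 1;
}

// The plans that actually exist; in the thread this is what count_by('name', $plan)
// consults. Keeping the list in code makes the check independent of the input.
$KNOWN_PLANS = ['basic', 'pro', 'enterprise'];

// Allow-list validation (the in_array() suggestion): anything not on the list,
// including the false default from register($plan = false), falls back to the
// first plan, which is what the thread's register() method does.
function pick_plan($plan, array $known): string
{
    if (!is_string($plan) || !in_array($plan, $known, true)) {
        return $known[0];
    }
    return $plan;
}

// Output escaping: whatever reaches a view is encoded for HTML, so the URI filter
// is not the only thing standing between a URI value and the page.
function render_plan(string $plan): string
{
    return '<p>Selected plan: ' . htmlspecialchars($plan, ENT_QUOTES, 'UTF-8') . '</p>';
}

// --- constructed inputs ---
// The raw value from post #6 is rejected by the URI filter because of '<', '>',
// '(', "'" and '/'. Its percent-encoded form is letters, digits and '%' only,
// so the same filter accepts it, and urldecode() turns it back into the raw value.
$raw     = "<script>alert('hello')</script>";
$encoded = rawurlencode($raw);

var_dump(is_permitted_uri($raw));           // raw form: rejected by the filter
var_dump(is_permitted_uri($encoded));       // encoded form: accepted by the filter
var_dump(urldecode($encoded) === $raw);     // decoding restores the rejected characters

// With the allow-list, the decoded value never reaches the model or the view as-is.
echo pick_plan(urldecode($encoded), $KNOWN_PLANS) . PHP_EOL;  // falls back to the default plan
echo pick_plan('pro', $KNOWN_PLANS) . PHP_EOL;                // a listed plan passes through

// And if a value does get echoed, escaping makes the browser display it rather than run it.
echo render_plan(urldecode($encoded)) . PHP_EOL;
```

The point the block makes is the one skunkbad draws: permitted_uri_chars limits what arrives in the controller, but a decode step can widen it again, so the value should be validated against what the application actually accepts (a fixed list, or an (int) cast for numeric ids) and escaped at the point where it is written into HTML.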