URI Segment Database Safety
#1

[eluser]nullsys[/eluser]
Hi all!
I'm sure this is fairly standard stuff, but it's better to be safe than sorry (pun not intended).

I'm working with pulling $this->uri->segment(n) data to query an ID in the database. Fairly standard stuff.
But, do I need to run my own validation and security for this before sending it through Active Record?

I'm already ensuring the uri->segment is a valid number by doing the following:
Code:
preg_match('/^-?[0-9]+$/', (string)$param)

Can anyone think of anything else I might need to do (if anything) before sending it to Active Record?

Thanks in advance.
#2

[eluser]Samus[/eluser]
I think that largely depends on the project; generally you'd just get the ID and query the database straight. But if your project requires you to do more, then you do more, such as logging or whatever.

Also, I'd use is_numeric() rather than regex.
#3

[eluser]nullsys[/eluser]
Hi!
Thanks for the reply.

I'm a little more concerned with safety, when passing the user generated data directly into Active Record, rather than what else I can do with it.

Also, you shouldn't use is_numeric() to check IDs.
is_numeric() allows much more than what you would expect for a database ID.
For example: "4.4" would cause an error, but still return TRUE from is_numeric().
I suppose an alternative method would be to use CodeIgniter's form_validation, but I don't want to load up libraries just to check an ID.

However, I'm more worried about passing a URI string of data to Active Record: does it require any extra security measures, or will Active Record handle it?
PS: I've been reading http://ellislab.com/codeigniter/user-gui...urity.html but I just wanna be sure ;)
#4

[eluser]boltsabre[/eluser]
I'd use this code, it's quicker:
Code:
if ( (int)$num == $num && (int)$num > 0 ){
   // loose == comparison: the int cast must compare equal to the original value
   // it's a valid positive int/id
}
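To make the differences between the checks proposed in posts #1, #2 and #4 visible, here is an added example (not code from the thread or from CodeIgniter) that runs each of them, plus two stricter variants, over a set of constructed edge-case inputs. It is plain PHP and needs no framework; the function and variable names are my own.

```php
<?php
// Added example (not from the thread): runs the ID checks proposed in posts
// #1, #2 and #4, plus two stricter variants, over constructed edge-case
// inputs so the differences are visible. Plain PHP, no CodeIgniter needed.

// Post #1's regex. Caveat: without the D modifier, `$` also matches just
// before a trailing newline, so "4\n" passes this check.
function check_regex($v) {
    return (bool) preg_match('/^-?[0-9]+$/', (string) $v);
}

// Stricter variant: digits only, no sign or leading zero, and the D modifier
// so `$` matches only at the very end of the string.
function check_regex_strict($v) {
    return (bool) preg_match('/^[1-9][0-9]*$/D', (string) $v);
}

// Post #2's suggestion. Accepts floats, exponent notation and leading whitespace.
function check_is_numeric($v) {
    return is_numeric($v);
}

// Post #4's cast trick. The loose == between an int and a string is version
// dependent: "4abc" compares equal to 4 on PHP 7 but not on PHP 8.
function check_cast($v) {
    return (int) $v == $v && (int) $v > 0;
}

// ctype_digit() is true only for a non-empty string of ASCII digits.
// It accepts "0", so the > 0 check is added for ids that start at 1.
function check_ctype_digit($v) {
    return is_string($v) && ctype_digit($v) && (int) $v > 0;
}

// Runs every check against every input; returns a list of
// array('input' => string, 'checks' => array(name => bool)).
function compare_id_checks(array $inputs) {
    $checks = array(
        'regex'        => 'check_regex',
        'regex_strict' => 'check_regex_strict',
        'is_numeric'   => 'check_is_numeric',
        'cast'         => 'check_cast',
        'ctype_digit'  => 'check_ctype_digit',
    );
    $results = array();
    foreach ($inputs as $input) {
        $row = array();
        foreach ($checks as $name => $fn) {
            $row[$name] = $fn($input);
        }
        $results[] = array('input' => $input, 'checks' => $row);
    }
    return $results;
}

// Constructed inputs: the kind of values a URI segment can actually carry.
$inputs = array('42', '4.4', ' 4', "4\n", '4abc', '1e3', '-1', '0', '', '0x1A');

foreach (compare_id_checks($inputs) as $entry) {
    $cells = array();
    foreach ($entry['checks'] as $name => $ok) {
        $cells[] = sprintf('%-12s %s', $name, $ok ? 'pass' : 'fail');
    }
    printf("%-8s | %s\n", json_encode($entry['input']), implode(' | ', $cells));
}
```

Run it with `php compare.php` and read the table: only the strict regex and the ctype_digit check reject every input except `"42"`. The original regex lets `"4\n"` through because of how `$` behaves without the `D` modifier, `is_numeric()` accepts `"4.4"`, `" 4"` and `"1e3"`, and the cast trick accepts `"1e3"` and (on PHP 7) `"4abc"`. Whichever check you keep, cast the segment to `int` afterwards so that what reaches Active Record is unambiguously a number rather than a string that merely looks like one.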
#5

[eluser]weblyan[/eluser]
Active record will escape the code. So there is not any risk for injections if that is what you are asking. This is one of the privileges of using a framework. However when saving user generated strings you will have to make sure they are XSS-escaped before posting them on the website. CodeIgniter can be set to do this on all userdata.