Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived General Discussion SQL Injection and XSS filtering
SQL Injection and XSS filtering
  • El Forum
    Guest
  •  
#1
09-29-2012, 12:05 PM

[eluser]royduin[/eluser]
Hi!

In the past I wrote websites in "plain php". There I used mysql_real_escape_string for every variable which I want to store in the database.
When I got something out of the database or just displaying some input I used htmlentities($string, ENT_QUOTES, "UTF-8") everywhere, expect places where I want to display it als "real html" like some pages stored in the database written in some WYSIWYG editor (that only for the staff, visitors can't).

That's doing the job and is for my opinion 100% save for SQL Injection and XSS.

Now I'm using codeigniter and want it 100% save to.
I'm using the active record class for my database work to prevent SQL injection. 100% save from SQL Injection?
And in the config I've got XSS filtering on, but that's not 100% save I think.. Or it does not want I expect.

Somebody puts something in a input like "<h1>Something</h1>" (without the quotes) and I'm going to display this, it's not escaping or something, so the H1 is on the page!
Not really an XSS problem but not what I want. So what to do?

So...
- XSS filtering in the config, on or off?
- By using the active record class, 100% save from SQL injection?
- By showing some input always run it trought htmlentities like I did before?

Or...
- When validating the input with the form validation place htmlentities in the rules? But than I don't have "clear" information in the database.. It's and output problem not an input problem..

Please help! Smile

Thanks! Roy
  • El Forum
    Guest
  •  
#2
09-29-2012, 12:44 PM

[eluser]keevitaja[/eluser]
by enabling xss, all post and cookie items accessed through $ci->input object are filtered. i'd recomment you turn it on by default. html <tags> are totally different things. it has nothing todo with security. when you create db record containing <> it will be stored in db as it is. to print this record to the browser you still need to run htmlspecialchars() or equivalent function.

and yes, with active record all db inserts using db->insert() are escaped!
  • El Forum
    Guest
  •  
#3
09-30-2012, 04:43 AM

[eluser]royduin[/eluser]
I've found "html_escape" in CodeIgniter.
If I place this everywhere I'm displaying user input, that will fix it!?

So my Codeigniter website is now 100% save, and when I use that I'm protecting my website too for "html injection" Tongue

And.. with the form validation class, the "set_value" is already run trought html_escape?




Theme © iAndrew 2016 - Forum software by © MyBB