SQL Injection and XSS filtering

#1
[eluser]royduin[/eluser]
Hi!

In the past I wrote websites in "plain php". There I used mysql_real_escape_string for every variable that I wanted to store in the database.
When I got something out of the database or just displayed some input I used htmlentities($string, ENT_QUOTES, "UTF-8") everywhere, except places where I want to display it as "real html", like some pages stored in the database written in some WYSIWYG editor (that is only for the staff; visitors can't).

That does the job and is, in my opinion, 100% safe from SQL injection and XSS.

Now I'm using CodeIgniter and want it 100% safe too.
I'm using the active record class for my database work to prevent SQL injection. Is that 100% safe from SQL injection?
And in the config I've got XSS filtering on, but I think that's not 100% safe.. Or it doesn't do what I expect.

If somebody puts something like "<h1>Something</h1>" (without the quotes) in an input and I display it, it isn't escaped or anything, so the H1 is on the page!
Not really an XSS problem, but not what I want. So what to do?

So...
- XSS filtering in the config, on or off?
- By using the active record class, am I 100% safe from SQL injection?
- When showing some input, always run it through htmlentities like I did before?

Or...
- When validating the input with the form validation, place htmlentities in the rules? But then I don't have "clear" information in the database.. It's an output problem, not an input problem..

Please help!

Thanks! Roy

#2
[eluser]keevitaja[/eluser]
By enabling XSS filtering, all post and cookie items accessed through the $ci->input object are filtered. I'd recommend you turn it on by default. HTML <tags> are a totally different thing. It has nothing to do with security. When you create a db record containing <> it will be stored in the db as it is. To print this record to the browser you still need to run htmlspecialchars() or an equivalent function.

And yes, with active record all db inserts using db->insert() are escaped!
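The two halves of the question above, storage through a parameterized query and escaping only at output time, as an added example in plain PHP. This is not code from the thread or from CodeIgniter; the prepared statement stands in for what Active Record's db->insert() does for you, the table, function names and sample inputs are constructed, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread): store user input unchanged through a
// parameterized INSERT, then escape it only when it is rendered, so the
// database keeps the "clear" value and the browser never sees raw markup.

function open_db(): PDO
{
    // In-memory SQLite so the example runs without a server.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Parameterized insert: the value is sent separately from the SQL text, so
// quotes or comment markers inside $body cannot change the statement.
function store_comment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Output escaping for an HTML text context: done on the way out, not in.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = open_db();

// Constructed inputs: one carrying markup, one carrying both quote styles.
$inputs = [
    '<h1>Something</h1>',
    "it's a \"quoted\" string -- with ' and \"",
];

foreach ($inputs as $input) {
    $id     = store_comment($db, $input);
    $stored = load_comment($db, $id);

    // Nothing was "cleaned" on the way in: the row holds the original text.
    if ($stored !== $input) {
        throw new RuntimeException('stored value differs from input');
    }

    echo "raw:     $stored\n";            // what the poster saw: the <h1> renders
    echo "escaped: " . e($stored) . "\n"; // what the browser should receive
}
```

The point of keeping the escaping in one small function is that the decision "this value is about to land in HTML" is made at the output site, where the context is known; the database row stays usable for plain-text contexts such as e-mail or JSON without un-escaping.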

#3
[eluser]royduin[/eluser]
I've found "html_escape" in CodeIgniter.
If I place this everywhere I'm displaying user input, that will fix it!?

So my CodeIgniter website is now 100% safe, and when I use that I'm also protecting my website against "html injection"

And.. with the form validation class, is "set_value" already run through html_escape?
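An added example of the two output sites the poster asks about: a form field re-filled with a submitted value (the set_value case, where the text ends up inside an attribute) and a page body that is either visitor text or staff-authored WYSIWYG HTML. This is not the thread's or CodeIgniter's code; the fallback html_escape() below is an assumption that stands in for CodeIgniter's helper so the file runs outside the framework, and render_input, render_body and the sample strings are constructed for illustration.

```php
<?php
// Added example (not from the thread or CodeIgniter): escape for the
// context the value lands in, and make raw HTML output an explicit opt-in.

// Assumed stand-in for CodeIgniter's html_escape() when run outside the
// framework; inside a CI view the framework's own function is used instead.
if (!function_exists('html_escape')) {
    function html_escape($var)
    {
        if (is_array($var)) {
            return array_map('html_escape', $var);
        }
        return htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');
    }
}

// Re-fills a text input the way a view does after failed validation. The
// value sits inside value="...", so quote escaping (ENT_QUOTES) is what stops
// the submitted text from closing the attribute and adding its own markup.
function render_input(string $name, string $submitted): string
{
    return '<input type="text" name="' . html_escape($name)
         . '" value="' . html_escape($submitted) . '">';
}

// Renders a stored page body. Visitor content is escaped; staff WYSIWYG
// content passes through only when the caller explicitly says so, so the
// default is always the safe path and raw output is a visible decision.
function render_body(string $body, bool $trusted_staff_html = false): string
{
    return $trusted_staff_html ? $body : html_escape($body);
}

// Constructed inputs.
$visitor   = '<h1>Something</h1>';
$attribute = '"><b>escaped the attribute</b>';   // would break out of value="..." if left raw
$staff     = '<p>Welcome to the <em>site</em></p>';

echo render_input('title', $visitor), "\n";
echo render_input('title', $attribute), "\n";
echo render_body($visitor), "\n";          // visitor text: tags shown literally
echo render_body($staff, true), "\n";      // staff HTML: rendered, by explicit choice
```

Whether CodeIgniter's set_value() already applies html_escape() depends on the framework version, so the habit that survives upgrades is the one shown here: escape at every output site yourself, and treat any place that prints unescaped HTML as a trust decision that should be visible in the code.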



