Preventing SQL Injection Attacks using Active Record


I am using Codeigniter (latest version) and generate all my MySQL queries using Active Record. However, recently, one of my endpoints was hacked using SQL injection. They injected an "OR" clause in my script causing the query to respond when it should have failed. This is a major issue for me and I want to understand what the recommended way of sanitizing variables is when it comes to Active Record. The documentation says that Active Record automatically escapes queries but it seems to fail in this case.

My fix was to check the input data against database information which could not be tampered with. However, I need to understand how to secure all my scripts.

Thank you for your help.

Hi harryx9x9,

Use some validation, especially "xss_clean". Please check http://ellislab.com/codeigniter/user-gui...greference

You can use "xss_clean" by default, please check XSS Filtering in http://ellislab.com/codeigniter/user-gui...input.html

You can also protect yourself with CSRF protection.

Check more in http://ellislab.com/codeigniter/user-gui...urity.html
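The two settings recommended above live in the application config. The following is an added example, not code from the thread or from CodeIgniter itself; the values are illustrative. Note that xss_clean and CSRF tokens address script injection and forged requests, not the SQL injection the original poster hit, so they complement query bindings rather than replace them.

```php
<?php
// application/config/config.php (CodeIgniter 2.x) -- added example, not from the thread.
// Values below are illustrative; adjust them to the application.

// Global XSS filtering runs xss_clean() over every GET/POST/COOKIE value on input.
// It is a blacklist filter aimed at script injection; it does not make SQL safe,
// so it is a complement to query bindings, never a substitute for them.
$config['global_xss_filtering'] = TRUE;

// CSRF protection: every state-changing POST must carry the token that form_open()
// emits as a hidden field; the token is regenerated once it expires.
$config['csrf_protection']  = TRUE;
$config['csrf_token_name']  = 'csrf_token';
$config['csrf_cookie_name'] = 'csrf_cookie';
$config['csrf_expire']      = 7200;   // seconds (2 hours), the interval suggested in the thread

// Per-field alternative to global filtering inside a controller: the second
// argument to post() applies xss_clean() to that value only.
// $username = $this->input->post('username', TRUE);
```

With csrf_protection on, forms must be built with form_open() (or the hidden field added by hand) or every POST will be rejected, so enable it before testing the forms rather than after.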


Going off what was said earlier, you should be doing the following:

1) Always sanitize your data. Most people will tell you to use xss_clean, but in my opinion you should stay away from that. I would rather suggest that you use PHP's native functions:


Keep in mind, though, that CI's validation is great, so there is no need to use PHP's native validation functions.

But in general I would use the PHP sanitization functions.

2) The CSRF protection in CI is pretty good if you ask me... (update the token regularly, probably around 7200 seconds, i.e. 2 hours). You can also use a captcha...

3) Use PDO ... PLEASE....




4) For some reason CI doesn't mention this, but there are two steps to fighting off XSS... first it's input validation -> filter input -> escape output...

For some reason CI (again, idk why) uses a blacklist approach (which is arguably bad; not going to go in depth, use Google) and doesn't escape data.

htmlspecialchars($yourvariable, ENT_QUOTES, 'UTF-8');
can go a long way!

And sorry to hear about your SQL-Injection...

For more reading on PDO in CI, go to ci/system/database/drivers/pdo_driver.php and set these variables:

function db_connect()
{
  // key the option with the PDO constant: PDO silently ignores string keys such as 'PDO::ATTR_EMULATE_PREPARES'
  $this->options[PDO::ATTR_EMULATE_PREPARES] = FALSE;
  return new PDO($this->hostname, $this->username, $this->password, $this->options);
}

These are found around line 94. The emulate-prepares setting will add another layer of database abstraction.

Also make sure to explicitly state a char_set. There are SQLi attacks that take advantage of even PDO because they use different char_sets... you must explicitly state your char_set. *You're probably stating utf-8, which is good!*
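The points in this post (real server-side prepares, an explicit connection charset, and escaping on output) fit together in one connection routine. The block below is an added example written for this thread, not the poster's code and not CodeIgniter's pdo_driver; the MySQL DSN is a placeholder, and the demo at the bottom runs against an in-memory SQLite table with constructed rows so it can be executed offline.

```php
<?php
// Added example (not from the thread): a PDO connection hardened as the post
// suggests, plus an output-escaping helper. Runs offline against SQLite.
declare(strict_types=1);

// Driver options keyed by the real PDO constants. String keys such as
// 'PDO::ATTR_ERRMODE' (the form used in CodeIgniter 2.x's pdo_driver.php)
// are silently ignored by PDO, so options written that way never take effect.
function pdoOptions(): array
{
    return [
        // Let the server parse the statement; bound values never become SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        // Surface driver errors instead of returning false that callers forget to check.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
}

// The charset belongs in the DSN so client and server agree on the encoding
// used for escaping and for parsing multi-byte sequences. Placeholder host/db.
const MYSQL_DSN_EXAMPLE = 'mysql:host=db.example.invalid;dbname=app;charset=utf8mb4';

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, pdoOptions());
}

// Login lookup: both values reach the server as bound parameters, so an input
// carrying a quote and an OR clause (the case the original poster describes)
// is compared literally against the column and simply does not match.
// The thread compares plaintext passwords; this example keeps that shape.
function findUser(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Escape on output: the last step of validate -> filter -> escape.
// Use it wherever a database value is written into HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Offline demo with constructed data (replace the DSN with MYSQL_DSN_EXAMPLE
// and real credentials for MySQL).
$db = connect('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')");

var_dump(findUser($db, 'alice', 'correct horse'));
var_dump(findUser($db, 'alice', 'x" OR "1"="1'));

$user = findUser($db, 'alice', 'correct horse');
echo '<p>Welcome, ' . e($user['username']) . "</p>\n";
```

The second lookup returns no row because the OR text is just a string being compared to the password column. With ATTR_EMULATE_PREPARES left at its default of true, PDO_MYSQL would instead interpolate the escaped values client-side; that is still safe when the charset is declared in the DSN, which is exactly why the post insists on stating it.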

Here is the simple rule to protect against SQL injection: never use direct queries like this; instead use bound variables in your SQL queries.

Never do:
$query= $this->db->query('select * from users where username="'.$username.'" and password="'.$password.'"');

Should do:
$query= $this->db->query("select * from users where username=? and password=?", array($username,$password));

Here is a nice article about this.
Protect against sql-injection
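The rule above applied inside a CodeIgniter 2.x model, as an added example (not the poster's code and not part of CodeIgniter): the concatenated query from the thread is kept as the 'before' case next to the query-binding form, the Active Record form, and explicit escaping for the rare query that cannot take a binding. User_model and the users table are assumed names. One caveat worth knowing: Active Record's where() escapes values you pass as an array or as a key/value pair, but the custom-string form (where("username = '...'")) is passed through as written, so a condition string assembled from user input is as exposed as the 'before' case.

```php
<?php
// Added example (not from the thread): a CodeIgniter 2.x model showing the
// vulnerable pattern beside the bound and Active Record forms.
class User_model extends CI_Model
{
    // The pattern that was exploited: input is spliced into the SQL text, so a
    // value containing a quote and an OR clause rewrites the WHERE clause.
    // Kept only as the 'before' case; do not use.
    public function login_unsafe($username, $password)
    {
        $sql = 'SELECT * FROM users WHERE username="' . $username . '" AND password="' . $password . '"';
        return $this->db->query($sql)->row();
    }

    // Query bindings: CI escapes and quotes each value before substituting it
    // for a ?, so the input is always a string literal, never SQL.
    public function login_bound($username, $password)
    {
        $sql   = 'SELECT id, username FROM users WHERE username = ? AND password = ?';
        $query = $this->db->query($sql, array($username, $password));
        return $query->num_rows() === 1 ? $query->row() : NULL;
    }

    // Active Record: where() with an associative array escapes every value.
    // Never pass a condition string built from input (the custom-string form
    // of where() is not escaped).
    public function login_active_record($username, $password)
    {
        $query = $this->db
            ->select('id, username')
            ->from('users')
            ->where(array('username' => $username, 'password' => $password))
            ->limit(1)
            ->get();
        return $query->num_rows() === 1 ? $query->row() : NULL;
    }

    // For a fragment you must assemble yourself, escape the value explicitly;
    // $this->db->escape() adds the surrounding quotes as well.
    public function count_by_username($username)
    {
        $sql = 'SELECT COUNT(*) AS n FROM users WHERE username = ' . $this->db->escape($username);
        return (int) $this->db->query($sql)->row()->n;
    }
}
```

In a controller, pass the raw posted values straight to login_bound() or login_active_record(); there is no need to pre-escape them, and doing so would corrupt legitimate input containing quotes.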
