Question regarding XSS.

Hey guys,

Just a quick question really as i am a little confused as to when to filter my data.  

I have always been used to filtering my data as it comes in from a form, before it is entered into the database.  So lets take for example a registration form, where i require a Username, Password and Email address.  After the Form Validation rules have been passed I would then use something like this before its saved to the database:-

PHP Code:

// Form has passed validation, sanitize the data.
$email = strip_tags( $this->security->xss_clean( $this->input->post('email') ) );
$password = strip_tags( $this->security->xss_clean( $this->input->post('password') ) );
$username = strip_tags( $this->security->xss_clean( $this->input->post('username') ) );

// Perform the registration.
$this->ion_auth->register($identity, $username, $password); 


This is purely a example of how I may handle this.  Is this bad practice? am i going overboard here?

I was reading a article earlier that says the Raw data should not be tampered with as it enters the application, however once its displayed as Output to the browser this is when the data should be filtered?

Any help to clarify this situation would be great guys.

Chris

Protect or sanitize your variables is essential especially when you valid a form because you can insert datas in your database or else.
Your way to do is good.
you can do this :

PHP Code:

$email = $this->input->post('email_form', TRUE) ; // the same as $this->security->xss_clean($this->input->post('email_form')) ; 


As mentioned in the upgrade notes from CI 2.2 to CI 3

A largely unknown rule about XSS cleaning is that it should only be applied to output, as opposed to input data.

Source: http://www.codeigniter.com/userguide3/in...ation-rule

More info on the matter, http://lukeplant.me.uk/blog/posts/why-es...-bad-idea/