How to use CSRF & XSS ?
#1

(This post was last modified: 03-21-2020, 03:20 AM by manigopal.)

For security I want to use CSRF / XSS

What I have tried:



CSRF,

    1. Enabled $config['csrf_protection'] = TRUE; in autoload.php
    2. Used <?php echo form_open(base_url().'admin'); ?> ~ which will use CSRF when we use form_open

@csrf if anything missing point it out



XSS,

    1. $autoload['helper'] = array('url','file','form','html','active_class','security'); ~ not sure this method is right
    2. Added $this->load->helper('security'); at function __construct()



  AND for inserting data with xss_clean I used the following,

   $form_data = array(
       'category_name'        => $this->security->xss_clean($_POST['category_name']),
       'category_image'       => $this->security->xss_clean($final_name),
       'category_description' => $this->security->xss_clean($_POST['category_description']),
       'parent_category'      => $this->security->xss_clean($_POST['parent_category']),
       'is_featured'          => $this->security->xss_clean($_POST['is_featured']),
       'status'               => $this->security->xss_clean($_POST['status'])
   );


-- if anything missing let me know guys.
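The CSRF side of post #1, written out as an added example (not code from the thread or from CodeIgniter itself). In CodeIgniter 3 the CSRF settings are read from application/config/config.php, not autoload.php; the view shows what form_open() adds for you and how a JavaScript-submitted request gets the same token. The route names and the fetch() target are assumptions made for the example.

```php
<?php
// Added example, not from the thread: CodeIgniter 3 CSRF configuration and usage.

// --- application/config/config.php ---
// CI3 reads these from config.php; setting csrf_protection in autoload.php has no effect.
$config['csrf_protection']   = TRUE;          // token is checked on every POST
$config['csrf_token_name']   = 'csrf_token';  // name of the hidden field form_open() emits
$config['csrf_cookie_name']  = 'csrf_cookie'; // cookie holding the matching value
$config['csrf_expire']       = 7200;          // seconds a token remains valid
$config['csrf_regenerate']   = TRUE;          // new token on each request; a leaked one is short-lived
$config['csrf_exclude_uris'] = array();       // leave empty unless a route must accept cross-site POSTs

// --- application/views/admin/category_form.php (assumed view name) ---
// form_open() inserts <input type="hidden" name="csrf_token" value="..."> automatically.
// A <form> tag written by hand does not get the token, so that POST would be rejected.
echo form_open('admin/category/save');        // assumed route
echo form_label('Category Name', 'category_name');
echo form_input('category_name', set_value('category_name'));
echo form_submit('submit', 'Save');
echo form_close();

// Requests sent from JavaScript must carry the token as well; the security class exposes it.
// Views run in the controller's scope in CI3, so $this->security is available here.
$token_name = $this->security->get_csrf_token_name();
$token_hash = $this->security->get_csrf_hash();
?>
<script>
  // Constructed example: a fetch() POST that includes the CSRF token in its body.
  fetch('/admin/category/toggle', {          // assumed endpoint
    method: 'POST',
    credentials: 'same-origin',              // the csrf cookie must travel with the request
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: '<?php echo $token_name; ?>=<?php echo $token_hash; ?>&id=1'
  });
</script>
```

With csrf_regenerate enabled, a page that fires several AJAX requests must read the fresh token from the cookie after each response rather than reusing the value embedded at render time.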
#2

Hi, You are on the right track with CSRF. However, xss_clean should not be used, you should use the validation filter for input and use html_escape on output.
https://codeigniter.com/user_guide/insta...ation-rule
#3

(03-21-2020, 04:26 AM)jreklund Wrote: Hi, You are on the right track with CSRF. However, xss_clean should not be used, you should use the validation filter for input and use html_escape on output.
https://codeigniter.com/user_guide/insta...ation-rule


Have used form_validation like this,

$this->form_validation->set_rules('category_name', 'Category Name', 'trim|required');
//$this->form_validation->set_rules('category_image', 'Category Image', 'trim|required');
$this->form_validation->set_rules('is_featured', 'Featured', 'trim|required');
$this->form_validation->set_rules('status', 'Status', 'trim|required');
#4

Okay, for e.g. status, is that a checkbox? With just a number? If so apply integer/numeric, so that people can't submit any other value than you expect. You should only accept the value that you need and turn down everything else.

Therefore they can't add, for example, JavaScript code.

https://codeigniter.com/user_guide/libra...-reference
#5

(03-21-2020, 08:03 AM)jreklund Wrote: Okay, for e.g. status, is that a checkbox? With just a number? If so apply integer/numeric, so that people can't submit any other value than you expect. You should only accept the value that you need and turn down everything else.

Therefore they can't add, for example, JavaScript code.

https://codeigniter.com/user_guide/libra...-reference


status is select option ~ enable / disable
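Putting posts #2, #4 and #5 together, here is an added example (not code from the thread or from CodeIgniter) of the approach jreklund recommends: whitelist the input with form_validation rules instead of xss_clean, and escape with html_escape() at output time. The controller name, the model and its methods, and the view names are assumptions; status uses in_list with the two values named in post #5.

```php
<?php
// Added example, not from the thread: validation-based input filtering, html_escape() on output.
// Assumed file: application/controllers/admin/Category.php
defined('BASEPATH') OR exit('No direct script access allowed');

class Category extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('form', 'url'));
        $this->load->library('form_validation');
        $this->load->model('category_model');   // assumed model, not shown in the thread
    }

    public function save()
    {
        // Only values you expect get through. A script tag in a select value, or a
        // non-integer parent id, fails validation instead of being "cleaned".
        $this->form_validation->set_rules('category_name', 'Category Name',
            'trim|required|max_length[100]');
        $this->form_validation->set_rules('category_description', 'Description',
            'trim|max_length[1000]');
        $this->form_validation->set_rules('parent_category', 'Parent Category',
            'trim|required|integer');
        // is_featured is a checkbox: permit exactly 0 or 1
        $this->form_validation->set_rules('is_featured', 'Featured',
            'trim|required|in_list[0,1]');
        // status is a select with two options (post #5): permit only those two
        $this->form_validation->set_rules('status', 'Status',
            'trim|required|in_list[enable,disable]');

        if ($this->form_validation->run() === FALSE) {
            // Re-render the form; validation_errors() lists what failed
            $this->load->view('admin/category_form');   // assumed view
            return;
        }

        // No xss_clean: the data is stored as submitted, within the rules above.
        $form_data = array(
            'category_name'        => $this->input->post('category_name'),
            'category_description' => $this->input->post('category_description'),
            'parent_category'      => (int) $this->input->post('parent_category'),
            'is_featured'          => (int) $this->input->post('is_featured'),
            'status'               => $this->input->post('status'),
        );
        $this->category_model->insert($form_data);   // assumed model method
        redirect('admin/category');
    }

    public function index()
    {
        $data['categories'] = $this->category_model->get_all();   // assumed model method
        $this->load->view('admin/category_list', $data);          // assumed view
    }
}

/* application/views/admin/category_list.php (assumed view)
   Escaping happens at output, where the context (HTML text) is known:

<?php foreach ($categories as $c): ?>
  <tr>
    <td><?php echo html_escape($c['category_name']); ?></td>
    <td><?php echo html_escape($c['category_description']); ?></td>
    <td><?php echo html_escape($c['status']); ?></td>
  </tr>
<?php endforeach; ?>
*/
```

The reason to prefer this split over xss_clean is that validation rejects anything outside the expected shape rather than trying to guess which fragments are dangerous, and html_escape() applied at the point of output covers every value regardless of where it came from (form, database, API).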