• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
codeigniter and mysql security

#1
[eluser]MaxPar[/eluser]
I'm using CodeIgniter to develop a web application. Part of involves users entering text into a form that is then stored in a mysql database.

My background in programming mostly comes from college classes that I took while studying engineering, so I'm not really so familiar with internet security and database applications. I've read a lot about "sql injection attacks" - this is apparently a big cause of fear, as it would let someone run random code on my server.

What I want to know is simple: Is it a Really Bad Idea to let users enter whatever they want into a textarea in a form, and then directly plug it into an entry in my mysql database?

I need the user to have some amount of freedom in what they can enter, specifically, HTML and Chinese characters.

I've know that PHP has a function called mysql_real_escape_string() - is this something that I should be using to clean the textarea's contents before I enter it into my database?

#2
[eluser]Pascal Kriete[/eluser]
Codeigniter will escape the text for you when using active record. You should definitely xss_clean all input though.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.