Security in CodeIgniter

Good afternoon,

I have some doubts about security in CodeIgniter, first:

I have a controller: news.php, and in it I have a method called view

Example:

    class News extends CI_Controller {
        public function view($id)
        {
            $this->load->model('news_model');
            $this->news_model->get_by_id($id);
            // ...
        }
    }

Is this way of working safe? Is there no risk of SQL injection via the URL, given that the page is reachable as mywebpage/news/number_id? Would it be worthwhile to filter the value through intval(), or is that unnecessary?

My second question is:

By default, the CodeIgniter XSS filter can be applied to POST and GET data, but since I did not know of a way to filter HTML with CodeIgniter itself, I wrote a helper. Is there something similar built into CodeIgniter natively?

    function remove_xss_html($string)
    {
        if (is_array($string))
        {
            // one level of array: clean every element and return a new array
            $return_array = array();
            foreach ($string as $item)
            {
                if ( ! get_magic_quotes_gpc())
                {
                    // magic quotes off: add backslashes ourselves after escaping
                    $return_array[] = addslashes(htmlspecialchars(strip_tags($item)));
                }
                else
                {
                    // magic quotes on: PHP already added the backslashes
                    $return_array[] = htmlspecialchars(strip_tags($item));
                }
            }
            return $return_array;
        }
        else
        {
            // plain string: remove tags, then encode the remaining special characters
            return htmlspecialchars(strip_tags($string));
        }
    }

and the third and last question:

If I send the variable $this->input->post('my_var') straight to the database without any filter, do I run the risk of SQL injection? Or does CodeIgniter filter it so that it is safe?

IMPORTANT: my English is not very good, I used Google translation and fixed everything I could.

Thanks everyone ...

+4
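As an added example (not the poster's code or part of CodeIgniter), here is a hardened rewrite of the remove_xss_html() helper from the question, written as a CodeIgniter helper file. It keeps the same strip_tags() plus htmlspecialchars() idea but escapes quotes and fixes the charset, recurses into nested arrays, and drops the addslashes()/get_magic_quotes_gpc() branch, because backslash-escaping is a job for the database layer, not for HTML output. The controller and view names in the usage comment are assumptions.

```php
<?php
// Added example, not from the original post: hardened version of the
// remove_xss_html() helper. Save as application/helpers/remove_xss_html_helper.php
if ( ! function_exists('remove_xss_html'))
{
    function remove_xss_html($value)
    {
        if (is_array($value))
        {
            // Recurse so nested form arrays (e.g. tags[0][name]) are cleaned too,
            // and keep the keys so field names survive the round trip.
            $clean = array();
            foreach ($value as $key => $item)
            {
                $clean[$key] = remove_xss_html($item);
            }
            return $clean;
        }

        // strip_tags() removes markup; htmlspecialchars() with ENT_QUOTES then
        // neutralises <, >, &, " and ' so the result is safe both in element
        // bodies and inside double- or single-quoted attribute values.
        // Declaring UTF-8 avoids charset-dependent surprises.
        return htmlspecialchars(strip_tags((string) $value), ENT_QUOTES, 'UTF-8');
    }
}

// Usage inside a controller (hypothetical controller and view names):
//   $this->load->helper('remove_xss_html');
//   $title = remove_xss_html($this->input->post('title'));
//   $this->load->view('news/show', array('title' => $title));
//
// Built-in alternatives: $this->input->post('title', TRUE) runs CodeIgniter's
// xss_clean() on the value, and CodeIgniter 3 also ships html_escape() for
// escaping at output time.

// Stand-alone self-check when run from the command line outside the framework.
if (PHP_SAPI === 'cli' && ! defined('BASEPATH'))
{
    // Constructed sample input, including a nested array.
    $sample = array(
        'title' => '<b>Hello</b> & "welcome"',
        'tags'  => array('<i>one</i>', "it's"),
    );
    var_dump(remove_xss_html($sample));
    // Expected: 'Hello &amp; &quot;welcome&quot;', and the nested array
    // ['one', 'it&#039;s'] with the keys preserved.
}
```

Note that this is output escaping only: it makes values safe to print in HTML, but it does nothing for SQL. Escaping for the database should be left to Active Record or query bindings, as the answers below describe.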
2 answers

If you use the Active Record class to interact with the database, the data will be automatically escaped:

In addition to simplicity, the main advantage of using Active Record features is that it allows you to create database-independent applications, because the query syntax is generated by each database adapter. It also provides more secure queries, as these values are automatically escaped by the system.

If not, and you execute the queries manually, you will need to escape the data yourself.

Some tips on your function:

    public function view($id)
    {
        $this->load->model('news_model');
        $this->news_model->get_by_id($id);
        // ...
    }

If $id is not in the URL, you will get error notices. Set a default value:

    public function view($id = NULL)

Then check the value in your controller. Example:

    if ( ! $id)
    {
        redirect('somewhere/else');
    }

Also, make sure you get the result before continuing (I assume your model returns false here if the record is not found):

    $record = $this->news_model->get_by_id($id);
    if ( ! $record)
    {
        // redirect with an error message, or something similar
    }

You can check the type or integrity of $id as much as you want, but for simplicity I would just pass it to the model and return false if the record was not found.

+6
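The following is an added example, not the answerer's code: the controller from the question with this answer's advice applied (default value, check before use, check the model's result), together with a hypothetical news_model whose get_by_id() uses Active Record and returns FALSE when nothing is found. The table name news, the view name news/view and the model's column names are assumptions.

```php
<?php
// Added example; not code from the original answer.
// File: application/controllers/news.php
class News extends CI_Controller {

    public function view($id = NULL)
    {
        // Route segments arrive as strings. Reject anything that is not a
        // run of decimal digits before it reaches the model: "12" passes,
        // "12abc", "-1" and "" do not. This is the intval() question from
        // the post answered strictly instead of silently coercing.
        if ($id === NULL OR ! ctype_digit((string) $id))
        {
            show_404();
        }

        $this->load->model('news_model');
        $record = $this->news_model->get_by_id((int) $id);

        // The model returns FALSE for "not found"; answer with a 404 instead
        // of rendering an empty page or letting a notice leak out.
        if ($record === FALSE)
        {
            show_404();
        }

        $this->load->view('news/view', array('news' => $record));
    }
}

// File: application/models/news_model.php (hypothetical model)
class News_model extends CI_Model {

    public function get_by_id($id)
    {
        // Active Record builds the WHERE clause and escapes the value through
        // the database driver; the (int) cast in the controller is an extra
        // layer on top of that, not a replacement for it.
        $query = $this->db->where('id', (int) $id)->get('news', 1);

        // Test num_rows() rather than row(): row() returns an empty result
        // object in CodeIgniter 2.x and NULL in 3.x when nothing matched.
        return ($query->num_rows() === 1) ? $query->row() : FALSE;
    }
}
```

show_404() renders the 404 page and stops execution, so nothing after it runs; the validation happens before the model is even loaded, which keeps the database call out of the path for malformed requests.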

Even if you are not using Active Record, escaping is still done automatically. You just need to query the db like this:

    $data = array($id, $name);
    $this->db->query("SELECT * FROM table WHERE id = ? OR name = ?", $data);
0
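As an added example (not the answerer's code), the same lookup written three ways in a hypothetical model, to make explicit where the escaping happens with query bindings and with $this->db->escape(), and why plain string concatenation is the one form that provides none. The table name news and the column names are assumptions.

```php
<?php
// Added example; not code from the original answer.
// File: application/models/news_model.php (hypothetical)
class News_model extends CI_Model {

    // UNSAFE, shown for contrast only: the user-supplied value is pasted into
    // the SQL text, so a quote character in $name changes the query's structure.
    // This is the case the question asks about (input sent "without a filter").
    public function find_unsafe($name)
    {
        $sql = "SELECT * FROM news WHERE name = '" . $name . "'";
        return $this->db->query($sql)->result();
    }

    // SAFE: query bindings. Each ? is replaced, in order, by the matching
    // array element, which the database driver escapes and quotes. The number
    // of ? placeholders must equal the number of array elements.
    public function find_bound($id, $name)
    {
        $sql = "SELECT * FROM news WHERE id = ? OR name = ?";
        return $this->db->query($sql, array($id, $name))->result();
    }

    // SAFE: manual escaping, for queries that are assembled dynamically and do
    // not fit bindings. escape() adds the surrounding quotes itself, so the
    // SQL text must not contain its own quotes around the placeholder.
    public function find_escaped($name)
    {
        $sql = "SELECT * FROM news WHERE name = " . $this->db->escape($name);
        return $this->db->query($sql)->result();
    }

    // LIKE is a special case: escape_like_str() escapes %, _ and quotes inside
    // the pattern so user input cannot widen the match, but the value still
    // has to be quoted, which is why it is wrapped in '...' here.
    public function search_title($term)
    {
        $pattern = $this->db->escape_like_str($term);
        $sql = "SELECT * FROM news WHERE title LIKE '%" . $pattern . "%'";
        return $this->db->query($sql)->result();
    }
}
```

Bindings cover the common case with the least room for error, since the placeholder count is checked against the array and the quoting is never written by hand; escape() and escape_like_str() are for the remaining cases where the query text is built at runtime.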
