how sanitize input codeigniter 3?

php codeigniter security input sanitization
15,875

Solution 1

According to the Docs, the input class, does the following:

  • Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.
  • Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.
  • and some other processing, but for security, this is enough.

So, this solves the issue of SQL injection and XSS. For most usages, this is enough.

To enable XSS protection, use:

$val = $this->input->post('some_data', TRUE); // last param enables XSS protection.

Also, you may want to look into CSRF protection. But that's a bit tricky to enable if you're doing ajax calls.

Solution 2

Before accepting any data into your application, whether it be POST data from a form submission,URI data,you must follow these step:

  1. Filter the data.
  2. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
  3. Escape the data before submitting it into your database. CodeIgniter provides the following functions to assist in this process:

XSS Filtering

This filter looks for commonly used techniques to embed malicious JavaScript into your data

To filter data through the XSS filter use the xss_clean() method: Read More

Validate the data

CodeIgniter has a Form Validation Library that assists you in validating, filtering, and prepping your data

$this->form_validation->set_rules('username', 'Username','trim|required|min_length[5]|max_length[12]');

trimming the fields, checking for length where necessary and making sure that both password fields match. Read more

Escape all data before database insertion

Never insert information into your database without escaping it.

Refer query builder class for more info https://www.codeigniter.com/userguide3/database/query_builder.html

More info

Codeigniter does not make your application secyre see this https://security.stackexchange.com/questions/97845/how-secure-is-codeigniter-3-x

Everything really depends on the developer.frameworks will only provide a structure to build your applications.You will be more secure if you write core php.

Further Links:

How do you use bcrypt for hashing passwords in PHP?

Are PDO prepared statements sufficient to prevent SQL injection?

Share:
15,875
SoheilYou
Author by

SoheilYou

Updated on June 14, 2022

Comments

  • SoheilYou
    SoheilYou almost 2 years

    First of all I should remind you that I have read this post and few other posts about my question but most of all are almost old and they are for about 3 years ago.

    Now I'm using CodeIgniter 3 and I want to know what's the best sanitize filter for my data which I'm retrieving them from users before insert into database.

    This is for my website to register and and I don't know what kind of user is registering and I can't trust them. And it is possible that it will be dangerous I want to sanitize all input before inserting it into database I don't know input class enough for sanitizing it ?
    Please tell me the codeigniter sanitizing functions !

    I have read security classs in codeigniter document, but I want to be sure.

  • SoheilYou
    SoheilYou over 8 years
    I am using ajax , I want to upload file ajax .is it incurrect ?
  • Alex Tartan
    Alex Tartan over 8 years
    Of course it's not. But if you would have enabled CSRF, you would have had a lot of issues getting it to work. Personally, on all of my CI projects, I used $this->input->post without regret (so far). And haven't ran into any security breaches
  • DFriend
    DFriend over 8 years
    It is not very difficult to get AJAX to work with CSRF enabled. The minor steps required are easy to implement and well worth the piece of mind.
  • Marcelo Agimóvel
    Marcelo Agimóvel almost 7 years
    You better check again. CI3 manual says GLOBAL_XSS_FILTERING is deprecated and xss_filtering should be use to output, not input.
  • tpartee
    tpartee over 4 years
    Comments like "try to start new projects in a real framework, such as Zend, Laravel, etc" are completely inappropriate on StackOverflow. Please familiarize yourself with the community guidelines.
  • tpartee
    tpartee over 4 years
    Comments like "You will be more secure if you write core php." are opinions and not really welcome in answers. Further, you have broken links in your answer, might want to fix those.
  • Elte156
    Elte156 about 4 years
    The Docs Link is Broken; Please reference link instead.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Get post values when the key is unknown in CodeIgniter
Why are CodeIgniter application files in the public_html folder?
how to get the value of form input box in codeigniter
Codeigniter - check if user is logged and exists (it's a real user)
CodeIgniter - why use xss_clean
Sanitize file path in PHP
Codeigniter: How can I encrypt password before submitting the form to the controller?
Good Php Framework for strong security
Codeigniter application getting hacked, code injected in index.php
Where_in in codeigniter