SQL Injection and CodeIgniter


I have some doubts about CodeIgniter and its input handling capabilities. Some of them may be a bit weird, but I can at least ask them.

  1. If I use the class functions in CodeIgniter, is my input protected against SQL injection?
  2. I read somewhere that it is, but I don't understand how. Or why?
  3. Does xss_clean deal with SQL injection in any way?

Is my input prevented against SQL injection?

CodeIgniter isn't exactly 'automatic', but it does provide parameterised queries. Whether or not you use CodeIgniter, you should prefer parameterised queries over queries built by string concatenation wherever possible.

  $bof = "a'b";
  $zot = "a\\b"; // the three-character string a\b

  // unsafe! don't do this!
  // $this->db->query("SELECT foo FROM bar WHERE bof='$bof' AND zot='$zot'");

  // safe but annoying to write
  // (note that $this->db->escape() adds the surrounding single quotes itself)
  // $this->db->query('SELECT foo FROM bar WHERE bof=' . $this->db->escape($bof) . ' AND zot=' . $this->db->escape($zot));

  // this is what you want
  $this->db->query('SELECT foo FROM bar WHERE bof=? AND zot=?', array($bof, $zot));

Note that there is no interaction with 'input' here: when you build SQL queries from strings, you should always use parameters or escaping, whether the string is user input or not. It is a matter of simple correctness; security is a side effect of that correctness.

Similarly, when you output text into HTML, you HTML-encode the <, & and " characters at that point, at output time. If you do that, there is no need to go fiddling with the input to remove or escape those characters. Input doesn't need to be escaped for SQL or for HTML; output does, and the escaping belongs at the point where the text goes into a particular context (SQL or HTML). If you escape on input instead, you end up with unexpected SQL-escaping in HTML (the classic backslashes showing up in self-written text in a badly-written app) and unwanted HTML-escaping in SQL. And you should treat text the same way regardless of where it came from, not only direct user input (say, material that is already in the database).

Does xss_clean deal with SQL injection?

No. Its purpose is HTML injection, but it is worse than useless.

"XSS filtering" (again, CodeIgniter's or anyone else's) is completely bogus. XSS can only be prevented by accurate HTML-escaping of output; don't let the filter confuse the issue. If your application isn't already secure, XSS filtering will not substantially protect you; at best it will hide your existing flaws and give you a false sense of security. It will also mangle plenty of valid input that CI thinks looks like a tag.
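The three query styles from the answer above, as an added example that is not code from the original answer or from CodeIgniter. It runs against an in-memory SQLite database through PDO so it works stand-alone (php with pdo_sqlite). The assumed mapping: PDO's prepare()/execute() with ? markers plays the role of $this->db->query($sql, $bindings), and PDO::quote() plays the role of $this->db->escape(), which likewise adds the surrounding quotes itself. The table contents and the inputs are constructed for the example.

```php
<?php
// Added example, not code from the original answer or from CodeIgniter.
// PDO + in-memory SQLite stand in for CodeIgniter's database layer so that
// the three query styles can be run side by side.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bar (foo TEXT, bof TEXT, zot TEXT)');
// Constructed rows: row1 holds the awkward values a'b and a\b.
$db->exec("INSERT INTO bar VALUES ('row1', 'a''b', 'a\\b')");
$db->exec("INSERT INTO bar VALUES ('row2', 'plain', 'plain')");

// Constructed inputs: a benign value containing a quote, and a hostile one.
$bof     = "a'b";
$zot     = "a\\b";            // the three-character string a\b
$hostile = "x' OR 1=1 --";    // closes the quote, adds OR 1=1, comments out the rest

// Unsafe: string interpolation. A quote in the data breaks or rewrites the query.
function unsafeQuery(PDO $db, string $bof, string $zot): array {
    $sql = "SELECT foo FROM bar WHERE bof='$bof' AND zot='$zot'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe but annoying: quote every value by hand. Forget one and you are back above.
// PDO::quote() adds the surrounding quotes, as CodeIgniter's escape() does.
function escapedQuery(PDO $db, string $bof, string $zot): array {
    $sql = 'SELECT foo FROM bar WHERE bof=' . $db->quote($bof)
         . ' AND zot=' . $db->quote($zot);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// What you want: the SQL text never contains the data at all.
function boundQuery(PDO $db, string $bof, string $zot): array {
    $stmt = $db->prepare('SELECT foo FROM bar WHERE bof=? AND zot=?');
    $stmt->execute([$bof, $zot]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

try {
    unsafeQuery($db, $bof, $zot);
    echo "unsafe, benign input: no error (unexpected)\n";
} catch (PDOException $e) {
    echo "unsafe, benign input: SQL error: ", $e->getMessage(), "\n";
}
echo "unsafe, hostile input: ", implode(', ', unsafeQuery($db, $hostile, $zot)), "\n";
echo "escaped, benign input: ", implode(', ', escapedQuery($db, $bof, $zot)), "\n";
echo "bound, benign input:   ", implode(', ', boundQuery($db, $bof, $zot)), "\n";
echo "bound, hostile input:  ", implode(', ', boundQuery($db, $hostile, $zot)), "\n";
```

With the benign input the interpolated query fails with a syntax error, because the quote in a'b ends the string literal early; with the hostile input it returns every row, because the comment marker discards the rest of the WHERE clause. The escaped and bound versions both return only row1 for the benign input, and the bound version returns nothing for the hostile value, since it is compared as a plain string rather than parsed as SQL.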


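The "escape at the point of output, not on input" rule from the answer, as an added example that is not code from the original answer or from CodeIgniter. The function names h(), renderComment(), renderEditField() and cleanOnInput() are this example's own, and the input text is constructed; it shows what the answer calls unexpected SQL-escaping in HTML (backslashes in self-written text) when text is cleaned on the way in.

```php
<?php
// Added example, not code from the original answer or from CodeIgniter.
// Shows escaping once at output versus the "clean on input" anti-pattern.

// Encode for an HTML text node or quoted attribute value. Called only at output.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $stored is the text exactly as it came in (bound into SQL, never escaped).
function renderComment(string $stored): string {
    return '<p class="comment">' . h($stored) . '</p>';
}

// Same text going into an attribute: same function, same single point of escaping.
function renderEditField(string $stored): string {
    return '<input name="comment" value="' . h($stored) . '">';
}

// The anti-pattern: escaping for SQL and for HTML before storing.
function cleanOnInput(string $typed): string {
    return htmlspecialchars(addslashes($typed), ENT_QUOTES, 'UTF-8');
}

// Constructed input: ampersand, quotes, a would-be tag, and a backslash.
$typed = 'Tom & Jerry\'s "best" <b>cat</b> a\\b';

// Right: store raw, encode once at the point of output.
echo renderComment($typed), "\n";
echo renderEditField($typed), "\n";

// Wrong: text cleaned on input and then (correctly) encoded again on output,
// because the output layer cannot know the text was already mangled.
$stored = cleanOnInput($typed);
echo renderComment($stored), "\n";

// Each edit-and-resave through the input cleaner compounds the damage: the
// backslashes and entities from the previous save are escaped again.
for ($i = 2; $i <= 3; $i++) {
    $stored = cleanOnInput($stored);
    echo "after save #$i: ", $stored, "\n";
}
```

In the first two lines the <b> tag and the quotes are encoded exactly once and the backslash is untouched, so the browser shows the text as typed and nothing is interpreted as markup. In the cleaned version the browser displays literal entity text and stray backslashes (a doubled backslash, a backslash before each quote), and every further save through cleanOnInput() adds another layer, which is why the escaping has to happen at the one place the text enters a context, not when it arrives.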