I am using codeigniter, and at the moment I am making full body search, and I am wondering what is the best practice to do this. For now I have this:
$keyword = $this->db->escape_like_str(trim($_POST['keyword']));
After that, the search is performed. Is this safe, or do I need to do something more (XSS filtering is on)?
Because you are accessing the _POST variable directly, you're bypassing all CI's XSS/Escaping and security features. You should be getting that as:
$this->input->post('keyword');
This is automatically escaped by CI, and you can perform other validations before just throwing it at the DB. Also if you use active record, then all values are automatically escaped as required too.
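An added example (not code from the question or the answer, and not CodeIgniter code) in plain PHP with PDO and an in-memory SQLite table, showing what the two protections in play here achieve for a LIKE search: escaping the LIKE metacharacters, which is what escape_like_str() does, and binding the keyword as a query parameter, which is what CI's query bindings and active record do. The table name, rows and escape character '!' are constructed for the example.

```php
<?php
// Added example (not from the original question or answer): plain PDO with SQLite,
// showing what escape_like_str() plus query binding achieve in a full-text LIKE search.
// Two separate protections are needed: bind the keyword as a parameter (prevents SQL
// injection) and escape the LIKE metacharacters % and _ (prevents a keyword such as
// "100%" from acting as a wildcard that matches every row).

function escapeLikeStr(string $str, string $esc = '!'): string {
    // Same idea as CI's escape_like_str(): prefix the escape char, % and _ with the escape char.
    // Order matters: the escape char itself is doubled first so later prefixes are not re-escaped.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $str);
}

function searchBody(PDO $db, string $keyword): array {
    $pattern = '%' . escapeLikeStr(trim($keyword)) . '%';
    // The pattern is bound, never concatenated; ESCAPE tells SQL which char we used.
    $stmt = $db->prepare("SELECT id, body FROM posts WHERE body LIKE :p ESCAPE '!' ORDER BY id");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');
$ins = $db->prepare('INSERT INTO posts (body) VALUES (?)');
foreach (['100% cotton shirt', 'first_post', 'repost', "it's \"quoted\""] as $body) {
    $ins->execute([$body]);
}

// Keywords with LIKE metacharacters, a quote, and an injection-style string are all
// treated as literal search text.
foreach (['100%', '_post', "it's", "' OR 1=1 --"] as $keyword) {
    $hits = array_column(searchBody($db, $keyword), 'body');
    printf("%-12s -> %d hit(s): %s\n", $keyword, count($hits), implode(' | ', $hits));
}
```

Run it with the pdo_sqlite extension enabled; compare the hit list for "_post" with and without the ESCAPE clause to see why escaping and binding are separate concerns.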
In order to have best up to date protection for users against XSS attacks the data should rather be sanitized when displayed to users rather than at the moment of db insert, if I got this at all correct. So my question is can I automate data sanitization in CakePHP so that the linked models automatically retrieved by Cakes queries are sanitized at point of queries as well? Or should I always manually loop calls for all the linked models' sanitization methods?
All output that is not passed through one of the core helpers or foreign helpers that are known to take care of it should be passed through the h() method in the views.
echo h($model['Model']['name']);
If you want to do it in the model the Model::afterFind() callback is the right place to modify the data. But I would not recommend to sanitize everything there because there are cases like editing the data or exposing the same data to an API or as JSON that might require no or a different sanitization.
See HtmlPurifier and HtmlPurifier for CakePHP as well. It is a strong filter and sanitization lib.
In your views, just use
<?php echo h($data['Model']['field']); ?>
h is a wrapper for htmlspecialchars().
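An added example (not from either answer, and not CakePHP's own code) with a stand-in for h() and a hypothetical afterFind()-style recursive sanitizer, showing why the answers prefer escaping at output over escaping every find() result in the model. The model names and values are constructed.

```php
<?php
// Added example (not from the original answers): a stand-in for CakePHP's h(), plus a
// hypothetical afterFind()-style recursive sanitizer, to show why escaping at output
// is preferred over escaping every find() result in the model.

function h(string $s): string {
    // CakePHP's h() wraps htmlspecialchars(); ENT_QUOTES also covers single quotes.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// What a blanket Model::afterFind() sanitizer would do, walking linked models too.
// Hypothetical; CakePHP does not ship this.
function sanitizeResults(array $results): array {
    array_walk_recursive($results, function (&$v) { if (is_string($v)) { $v = h($v); } });
    return $results;
}

// Constructed find() result with a linked model and a script-injection attempt.
$raw = [
    'Post'   => ['title' => '<script>alert(1)</script> & "quotes"'],
    'Author' => ['name'  => "O'Brien"],
];

// 1) Escape at output: stored data stays raw, each consumer applies its own encoding.
echo "view:  ", h($raw['Post']['title']), "\n";
echo "json:  ", json_encode($raw['Author']), "\n";

// 2) Escape in afterFind: the HTML view is still safe, but the JSON/API consumer now
//    receives HTML entities, and a view that escapes (as it should) double-encodes.
$clean = sanitizeResults($raw);
echo "json:  ", json_encode($clean['Author']), "\n";
echo "view:  ", h($clean['Post']['title']), "\n";
```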
I am always confused about form resubmission. I know header redirects and sessions are the right way, but I don't know how to use them properly in CodeIgniter. Suppose:
For single insert and update query
$this->db->query(' insert/up query');
$this->session->set_flashdata('success_message','successfully inserted');
redirect('my_contoller/home/index');
For passing a $data array
$data['pass_data']="some array elements";
$this->session->set_flashdata('pass_data_from_flash_data',$data['pass_data']);
redirect('my_contoller/home/index',$data);
If the above techniques are right, how can I pass a query's data for retrieval? Suppose I have a query which returns many rows, such as
$query = $this->db->query(" a query which return large data");
$data['return_large_result']=$query->result_array();
I am just confused about using the set_flashdata function. Is this the right way?
The method mentioned above that you are using is a valid web development design pattern. CodeIgniter is a bit messy for this method, but essentially yes, it is the right way within CodeIgniter.
Other frameworks such as Laravel support this feature better, allowing you to access old input via Input::old() amongst other methods.
I am writing a search function that enables users to search a particular table on my database. My website runs on CodeIgniter.
For the search function, I use $_GET instead of the CodeIgniter $this->input->get() since I had trouble using the latter within a helper function.
Now, here's a security question:
What is the best way to sanitize and filter malicious characters in the $_GET array in order to prevent XSS and SQL injection?
Bearing in mind that data in the $_GET array will be used to query the database and retrieve info from it.
Is there a recursive way to clean the entire $_GET array without having to go through it one element at a time?
Should I use PHP's filter methods or CodeIgniter's?
Any advice will be greatly appreciated!
Thanks in advance!
Codeigniter disables $_GET by default. Using the URI class you can simulate $_GET variables:
GET parameters in the URL with CodeIgniter
You can hack around it and use $_GET, which it sounds like you've done. But I wouldn't recommend that. You should use CodeIgniter's Input class. That provides XSS filtering and you can clean the entire $_GET array by running:
$this->input->get(NULL, TRUE); // returns all GET items with XSS filter
If you use Codeigniter's database utility class to run your queries, it has an escape function built in. Look at the Escaping Queries section.
http://ellislab.com/codeigniter/user-guide/database/queries.html
You can use $this->db->escape($variable) to escape values in queries. It is strongly recommended to use CI's input class though.
Read more at: http://ellislab.com/codeigniter/user-guide/database/queries.html
I've got (I hope) a very simple question for experts at MVC structure:
where to apply input filtering and validation? Controller or model?
I've read a lot of tutorials and manuals on filtering user input, but haven't noticed a lot of discussion where it should be applied. When using forms, it's simple, actually almost everything is done for you by Zend_Form via Zend_Filter and Zend_Validate.
But when I have to filter single value from user input and pass it to the model, what is the best practice, to do cleaning before passing it to the model, or in the model itself?
Let's assume I am creating a model that other people will use too, and it is doing some important work on the filesystem. Am I 100% sure other people will properly prepare parameters before passing them to the model? I am not, so the best would be cleaning parameters in the model itself.
But that's just my thoughts, and as I said before, I'd like to hear yours, right from the masters of the profession ;)
Nice day.
IMHO it depends on whether you know in advance the kind of validation you will have to do.
If it's something that could be expressed as a regex, leave it in the controller, otherwise I think the model should be its place.
Examples.
You have to validate an email address: controller, so the model can be passed some sanitized input and just take care of the actual processing.
You have to check whether a path in the filesystem exists: the controller will take care of seeing if it's a well-constructed path; the model will check if it actually exists in the filesystem in question.
You have to check whether a user-provided string $x can produce a hash $y you stored somewhere: model.
I would say in the controller. My understanding is that models should be constructed under the assumption that they are being given valid data to work with (but with sensible precautions in place in case they're not, such as using prepared statements for database access), and leaving the actual validation of data to an outside agent, in this case the controller.
Typically you do it in the controller. Model should be dealing with legit, usable data.
I've seen different comments all over the place; some say that Zend Framework automatically sanitizes post/get data but others say it doesn't.
What's the deal? I've seen that doing it in the predispatch with a foreach on getParams is the quickest way, but does anyone have any suggestions?
Probably the deal is about Zend_Controller_Request vs the Zend_Db. Request data are often put into the DB.
The Request object does not escape anything. You may force it to do so using filters, form filters or e.g. using the reflection technique described here:
Actions, now with parameters!
Zend_Db queries are basically escaped like in other ORMs, like in PDO.
It does not automatically sanitize any request data. It cannot, because that requires it to know how to sanitize it, e.g. should $_GET['foo'] be string sanitized or for numbers? You have to tell it.
Whether you sanitize input manually in the respective Controller Actions or in an ActionHelper or automatically in a Controller Plugin or during bootstrap or with a mixture of these is up to you.
Use what is appropriate.
It definitely doesn't automatically sanitise your variables for you. You could do something like foreach or use array_map depending on the context, for example:
$_POST = array_map('mysql_real_escape_string', $_POST);
Ideally though you should treat each variable on a case by case basis. Personally I make a lot of use of PHP's filter_var for filtering and sanitizing.
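An added example (not from any of the posts above) of the case-by-case approach this answer recommends, which also covers the earlier question about cleaning a whole $_GET array recursively: a per-field definition passed to PHP's filter_var_array(), where undeclared keys are dropped and array-valued parameters are filtered element by element via FILTER_REQUIRE_ARRAY. The field names and the request array are constructed for the example.

```php
<?php
// Added example (not from the original answers): instead of blanket-escaping the whole
// request array, declare a filter per expected field with filter_var_array(). Unknown
// keys are dropped, arrays are handled recursively via FILTER_REQUIRE_ARRAY, and each
// value is validated for what it is (a keyword, a page number, an id list, a sort key).
// The input array below is constructed; in a real request it would be $_GET or $_POST.

function cleanSearchParams(array $input): array {
    $definition = [
        // Free text: trim and drop tags here; the view must still escape it for HTML output.
        'q'    => ['filter'  => FILTER_CALLBACK,
                   'options' => function ($v) { return trim(strip_tags((string) $v)); }],
        // Page number: must be an integer >= 1, otherwise fall back to 1.
        'page' => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 1, 'default' => 1]],
        // Id list: every element (including nested ones) must be an integer.
        'ids'  => ['filter' => FILTER_VALIDATE_INT, 'flags' => FILTER_REQUIRE_ARRAY],
        // Sort column: whitelist of allowed names, never the raw string.
        'sort' => ['filter'  => FILTER_VALIDATE_REGEXP,
                   'options' => ['regexp' => '/^(title|date)$/', 'default' => 'date']],
    ];
    // add_empty = false: declared keys missing from the input are not added as null.
    return filter_var_array($input, $definition, false);
}

// Constructed request with a tag-laden keyword, an out-of-range page, a mixed id list,
// a sort value that is not on the whitelist, and an undeclared parameter.
$request = [
    'q'     => '<script>alert(1)</script>shoes',
    'page'  => '0',
    'ids'   => ['12', 'x', ['nested' => '7']],
    'sort'  => 'title; DROP TABLE posts',
    'debug' => '1',
];

var_export(cleanSearchParams($request));
```

Invalid elements come back as false (the 'x' in ids) and invalid scalars as their declared default, so the caller can reject or ignore them explicitly rather than passing a "cleaned" but wrong value onward.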