Security in CodeIgniter
Good afternoon,
I'm having some doubts about security in CodeIgniter. The first is:
I have a controller, news.php, and in it I have a method called view.
Example:
class News extends CI_Controller {
    public function view( $id )
    {
        $this->load->model('news_model');
        $this->news_model->get_by_id( $id );
        // ...
    }
}
Is this way of working safe? Is there no risk of SQL injection via the URL, considering that this page is accessed as mywebpage/news/number_id? Would it be worth filtering through intval(), or is that unnecessary?
My second question is:
By default CodeIgniter's XSS filter can be applied to POST and GET, but I don't know of a way to filter HTML with CodeIgniter. I created the helper below; is there something similar natively in CodeIgniter?
function remove_xss_html($string)
{
    if (is_array($string))
    {
        $return_array = array();
        foreach ($string as $item)
        {
            // Only add slashes when magic quotes has not already done so
            if ( ! get_magic_quotes_gpc())
            {
                $return_array[] = addslashes(htmlspecialchars(strip_tags($item)));
            }
            else
            {
                $return_array[] = htmlspecialchars(strip_tags($item));
            }
        }
        return $return_array;
    }
    else
    {
        return htmlspecialchars(strip_tags($string));
    }
}
And the third and last question is:
If I send a variable $this->input->post('my_var') directly to the database without the filter, do I run the risk of SQL injection? Or does CodeIgniter filter it safely?
IMPORTANT: My English is not very good; I used Google Translate and fixed what I could.
Thank you all ...
If you're using the Active Record class for DB interaction the data will be escaped automatically:
Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.
If not and you are manually running queries, you'll need to escape it yourself.
Some advice on your function:
public function view( $id )
{
    $this->load->model('news_model');
    $this->news_model->get_by_id( $id );
    // ...
}
If $id is not present in the URL, you will get error notices. Set a default value:
public function view( $id = NULL )
Then check the value in your controller. Example:
if ( ! $id)
{
    redirect('somwhere/else');
}
Also, make sure you get a result before continuing (I assume your model returns false here if no record is found):
$record = $this->news_model->get_by_id( $id );
if ( ! $record) // redirect with error message or something
You can validate the $id's type or integrity as much as you want, but for simplicity I would just pass it over to the model and return false if no record was found.
Even if you are not running Active Record, automatic escaping is provided. You just need to query the db like this:
$data = array($id, $name);
$this->db->query("SELECT * FROM table WHERE id = ? OR name = ?", $data);
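Tying the answers above together, here is an added example (not code from the thread) showing the string-interpolated model query beside the bound-parameter form that replaces it, and a controller that defaults and checks $id as suggested. It assumes CodeIgniter 2.x with the database library autoloaded, a news table with integer id and text title columns, and a view file at news/view.

```php
<?php
// Added example, not code from the thread. Assumes CodeIgniter 2.x with the
// database library autoloaded, a `news` table with integer `id` and text
// `title` columns, and a view at application/views/news/view.php.

// application/models/news_model.php
class News_model extends CI_Model
{
    // Before: the raw URI segment is interpolated into the SQL string, so
    // nothing escapes it. This is the pattern the bound query below replaces.
    public function get_by_id_unsafe($id)
    {
        return $this->db->query("SELECT * FROM news WHERE id = $id")->row();
    }

    // After: `?` placeholders are bound and escaped by the database driver.
    // Active Record ($this->db->get_where('news', array('id' => $id)))
    // escapes the same way.
    public function get_by_id($id)
    {
        $sql = "SELECT * FROM news WHERE id = ?";
        return $this->db->query($sql, array($id))->row(); // falsy if no match
    }
}

// application/controllers/news.php
class News extends CI_Controller
{
    public function view($id = NULL)
    {
        // The default avoids a notice when the segment is missing; rejecting
        // anything but digits is defence in depth on top of the escaping.
        if ($id === NULL || ! ctype_digit((string) $id))
        {
            show_404();
        }

        $this->load->model('news_model');
        $record = $this->news_model->get_by_id((int) $id);
        if ( ! $record)
        {
            show_404();
        }

        // Escape on output, not on input: store what was posted, encode it
        // when rendering into HTML.
        $data['title'] = htmlspecialchars($record->title, ENT_QUOTES, 'UTF-8');
        $this->load->view('news/view', $data);
    }
}
```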