CodeIgniter: is $_POST already clean for db input?
This is my first app with CI and I want to know whether $_POST is clean and can I directly insert the data into db?
I have enabled $config['global_xss_filtering'] = TRUE;
Thank You.
No, but $this->input->post() called without parameters will return all items passed through an XSS filter.
Also, if you are using it, the ActiveRecord documentation for codeigniter states the following:
It also allows for safer queries, since the values are escaped automatically by the system.
If you use CodeIgniter's Active Record access to the database, you don't have to worry about escaping values as it takes care of that for you.
No, because SQL is made up of pretty standard alphanumeric characters (the documentation). You should at the very least type your data and use PHP's mysql_real_escape_string() (the documentation).
This prevents SQL injection, whereas XSS filtering does not.
Short answer: no. Long answer: maybe, if you use more secure DB methods.
If you use a parametrized function (ex: pgSQL has pg_query_params()) then you don't need to sanitize the data, you only need to sanitize the data if you concat your SQL, which is generally considered subpar coding.
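The three answers above make one shared point: an XSS filter and SQL escaping solve different problems, and parameter binding (CodeIgniter's query bindings and Active Record, or pg_query_params() in plain PHP) removes the need to hand-escape at all. The following script is an added illustration, not code from the question or from CodeIgniter itself. It uses PDO with an in-memory SQLite database so it runs offline; the helper names xss_clean_like, make_db, insert_concat and insert_bound are constructed for this example, and xss_clean_like is only a stand-in for CodeIgniter's xss_clean (it neutralises HTML tags and, like xss_clean, leaves single quotes alone).

```php
<?php
// Added example: shows that an XSS-style filter leaves SQL-significant
// characters (a single quote) untouched, so a concatenated query still
// breaks, while a bound parameter stores the same value correctly.
// Helper names and the sample input are constructed for this example.

// Stand-in for CodeIgniter's xss_clean: encodes < and > but not quotes.
function xss_clean_like(string $value): string
{
    return htmlspecialchars($value, ENT_NOQUOTES, 'UTF-8');
}

// In-memory SQLite database with one table; exceptions on any SQL error.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// The pattern the answers warn against: the (XSS-cleaned) value is
// concatenated into the SQL text, so any quote inside it changes the query.
function insert_concat(PDO $db, string $name): void
{
    $db->exec("INSERT INTO users (name) VALUES ('" . $name . "')");
}

// Parameter binding: the value is sent separately from the SQL text and is
// never parsed as SQL. CodeIgniter's $this->db->query($sql, array($name))
// with a ? placeholder, and Active Record's $this->db->insert(), do the same.
function insert_bound(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->execute([$name]);
}

$db = make_db();

// Constructed input: a legitimate name containing a quote, plus HTML.
$raw     = "O'Brien <b>x</b>";
$cleaned = xss_clean_like($raw);
echo "after XSS-style cleaning: {$cleaned}\n"; // HTML encoded, quote intact

try {
    insert_concat($db, $cleaned);
    echo "concatenated insert succeeded (unexpected)\n";
} catch (PDOException $e) {
    // The quote in O'Brien terminated the string literal early.
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

insert_bound($db, $cleaned);
$stored = $db->query('SELECT name FROM users')->fetchColumn();
echo "stored via bound parameter: {$stored}\n"; // O&#039;... is NOT what you get; the quote is stored as-is
```

Run it with `php example.php`. The concatenated insert raises a syntax error because the single quote in the cleaned value closed the SQL literal, which is exactly the condition that an attacker-controlled value would exploit; the bound insert stores the value verbatim. The takeaway for the original question: global_xss_filtering protects the HTML you later output, not the SQL you build, so use Active Record or query bindings (or $this->db->escape() when you must write raw SQL) rather than relying on the cleaned $_POST.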
It looks like things have changed in the current version of CodeIgniter (2.0.0)... $this->input->post does not work, and $_POST is automatically cleaned when global_xss_filtering is enabled.