Does the Codeignited cleans and secures the form input (for DB injection and XSS etc )automatically and I can use like following?
$this->input->p开发者_JS百科ost('name')
or do i need to secure it by myself? What would be the better way to do that? Thanks.
In "config.php" in your application's "config" folder, there's a settings for you to enable global XSS filtering:
$config['global_xss_filtering'] = FALSE;
The second parameter of the post() function specifies whether or not to apply the XSS filter to that line:
$this->input->post('name', TRUE);
Finally, you can use the form validation class to validate the data:
$this->form_validation->set_rules('name', 'Name', 'xss_clean');
You should avoid using the global XSS filtering as it's quite resource intensive.
NO, it doesn't give you 100% security.
Especially because it dependes on where the input goes. If you're concerned about XSS attacks, you could pass a TRUE as second paramether and have the XSS filter be applied to that input (but beware as the operation is quite costrly in term of resources, so don't use wildly)
$this->input->post('name', TRUE)
Read more on Input class on the USer Manual.
If the input is going into the database, than you either escape it manually with $this->db->escape()
(and its other cousins), or you use query bindings or, for the sake of speed and simplicity, you can rely to the Active Record Class which automatically escapes all dats entering the query.
(this if you don't want to use your custom escaping, with mysql_real_escape_string, or the mysqli_ and PDO prepared statements)
Edit:
Yes, the XSS filter can be loaded in configs, but it's a very deep and thorough process, which takes up a lot of resources. As they say:
Note: This function should only be used to deal with data upon submission.
It's not something that should be used for general runtime processing since it requires
a fair amount of processing overhead.
Note that you also has Cross Site Request Forgery protection (CSRF) , more here.
If you're worried about performances, you could as well use php native htmlentities($str, ENT_QUOTES);
before outputting $str on the html page.
精彩评论