
Codeigniter output and input security

Developer (devze.com) https://www.devze.com 2023-04-11 23:59 Source: web

In the case of user-submitted text, when outputting it to the page, what text filter do you use, both on input and on output?

As I understand it, using $this->input->post('something', true) will clean XSS content from the input data, so is there nothing else to do to be secure? Something like htmlspecialchars(), strip_tags(), etc.?

Also, I would like to know: if for example htmlspecialchars() is good to use, why doesn't the CI security library apply htmlspecialchars() by default to the passed string?


You should use the form_validation library. You can do rule based checking and filtering. This is a much more robust way of validating input data.

Here are the built-in rules, and any defined function that takes one parameter can be used as a filter/rule.

required
matches
min_length
max_length
exact_length
greater_than
less_than
alpha
alpha_numeric
alpha_dash
numeric
integer
decimal
is_natural
is_natural_no_zero
valid_email
valid_emails
valid_ip
valid_base64
etc.


Kinda depends on what you're doing with this input, but most likely you're going to want to run the string through htmlspecialchars() also.


To my understanding, you would like to store user-submitted text in a database and then later display it on a page, kind of like a basic commenting system or something. You just don't want any naughty/incomplete HTML characters breaking your page when outputting it.

Whenever you have user-submitted data, you want to utilize the form_validation library to clean it up and sanitize it as much as possible as a good security measure. If it goes to your database, you should use Active Record or Query Binding to get additional security from CodeIgniter, such as escaping the strings, etc.

Let me show my solution for submitting and outputting a user's input on a website. There are probably better ways to do this, but this will get the job done.

<?php

/* Controller -> application/controllers/something.php
**************************************************/

class Something extends CI_Controller {

    function comments_or_whatever() {
        // Required -> trim value -> max_length of 100 -> xss_clean -> strip HTML tags -> remove HTML entities missed by strip_tags
        $this->form_validation->set_rules('input_1', 'The First User Input', 'required|trim|max_length[100]|xss_clean|strip_tags|callback__remove_html_entities');
        $this->form_validation->set_rules('input_2', 'The Second User Input', 'trim|exact_length[11]|xss_clean|strip_tags|callback__remove_html_entities');

        if ($this->form_validation->run() == FALSE) {
            // form didn't validate: show the form again together with the error messages
            $this->load->view('your_view');
        } else {
            // form_validation writes the processed field values back to $_POST, so post() returns them
            $input_1 = $this->input->post('input_1');
            $input_2 = $this->input->post('input_2');

            $submission_array = array(
                'db_field_1' => $input_1,
                'db_field_2' => $input_2
            );
            $this->load->model('comments');
            $result = $this->comments->submit_comments_or_whatever($submission_array);

            if ($result['is_true'] == TRUE) {
                // creates a temporary flash message and redirects to the current page
                // if on a Windows server use 'refresh' instead of 'location'
                $this->session->set_flashdata('message', '<div class="message">'.$result['message'].'</div>');
                redirect('something', 'location');
            } else {
                $data['message'] = $result['message'];
                $this->load->view('your_view', $data);
            }
        }
    }

    // Very important: removes HTML entities written as named or numeric codes such as &#60; (strip_tags does not do this).
    // Called privately during validation through the callback__remove_html_entities rule above.
    function _remove_html_entities($submission) {
        $submission = preg_replace("/&#?[a-z0-9]{2,8};/i", "", $submission);
        return $submission;
    }
}

/* Model -> application/models/comments.php
 ****************************************/
class Comments extends CI_Model {

    function submit_comments_or_whatever($submission_array) {
        // Active Record escapes the strings and does additional security
        $query = $this->db->insert('comments', $submission_array);

        if ($query == TRUE) {
            $data['is_true'] = TRUE;
            $data['message'] = 'Your message has been successfully shared!';
            return $data;
        } else {
            $data['is_true'] = FALSE;
            $data['message'] = 'Sorry, but there was an error dude inserting your message into the database.';
            return $data;
        }
    }
}
?>

<!-- View -> application/views/your_view.php (a separate file) -->

<?php echo validation_errors('<div class="message">', '</div>'); ?>
<?php echo $this->session->flashdata('message'); ?>
<?php if (!empty($message)) echo '<div class="message">'.$message.'</div>'; ?>

<?php echo form_open('something/comments_or_whatever'); ?>

<?php echo form_label('The First User Input', 'input_1'); ?><br>
<?php $input_1_form = array('name' => 'input_1', 'id' => 'input_1', 'value' => set_value('input_1')); ?>
<?php echo form_input($input_1_form); ?><br>

<?php echo form_label('The Second User Input', 'input_2'); ?><br>
<?php $input_2_form = array('name' => 'input_2', 'id' => 'input_2', 'value' => set_value('input_2')); ?>
<?php echo form_input($input_2_form); ?><br>

<?php echo form_submit('submit', 'Dude, submit my user inputed text!'); ?>
<?php echo form_close(); ?>

This code assumes you autoload the Form Validation, Session, and Database libraries and the Form helper. Now, all your user-inputted data is stripped to a bare minimum of plain text using a custom regular-expression callback during form validation. All naughty HTML characters are gone/sanitized, completely. You can now be worry-free to output the submitted data anywhere you'd like on a webpage without it breaking or being a security concern.

The problem with just doing htmlspecialchars() and HTML decode is that it doesn't account for incomplete HTML tags. Hopefully this helps, best of luck dude, and as always, nothing is ever completely secure.
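The thread keeps two separate layers in play: the input-side filter the last answer builds (strip_tags plus an entity-stripping regex) and the output-side escaping the question asks about (htmlspecialchars). The following is an added, framework-free PHP example written for this page; it is not code from the answers or from CodeIgniter. It re-creates the answer's callback as a plain function, puts an explicit output escaper beside it, and runs a few constructed strings through both so you can compare what ends up in the database with what reaches the browser. Function names and the sample strings are the example's own.

```php
<?php
// Added example for this thread, not code from the answers above or from
// CodeIgniter. Plain PHP: run with `php example.php`. Sample strings are constructed.

declare(strict_types=1);

/**
 * Input side, mirroring the answer's callback: drop anything that looks like a
 * named or numeric entity (&lt; &#60; &#x3c;). This is lossy by design: text the
 * user typed that merely resembles an entity (e.g. "&copy;") is removed as well.
 */
function remove_html_entities(string $s): string
{
    return preg_replace('/&#?[a-z0-9]{2,8};/i', '', $s) ?? '';
}

/** The answer's full input pipeline (trim -> strip_tags -> entity regex) without the framework. */
function sanitize_input(string $s): string
{
    return remove_html_entities(strip_tags(trim($s)));
}

/**
 * Output side: encode for an HTML text node or a quoted attribute value.
 * ENT_QUOTES handles both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
 * rather than returning an empty string. CodeIgniter 3's html_escape() wraps
 * the same htmlspecialchars() call.
 */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one stored value into the page template used by the answer's view. */
function render_comment(string $stored): string
{
    return '<div class="message">' . escape_html($stored) . '</div>';
}

// Constructed inputs: plain text, markup, encoded entities, an unclosed tag,
// and ordinary punctuation that happens to use < and &.
$samples = [
    'plain'     => 'Nice post, thanks!',
    'markup'    => '<b>bold</b> and <script>alert(1)</script>',
    'entity'    => 'less-than as &#60; and &lt; and &#x3c;',
    'unclosed'  => 'hello <b world',
    'ampersand' => 'Tom & Jerry, 5 < 6, (c) is &copy;',
];

printf("%-10s | %-40s | %s\n", 'case', 'stored after input filter', 'rendered at output');
foreach ($samples as $label => $raw) {
    $stored = sanitize_input($raw);   // what the answer writes to the database
    printf("%-10s | %-40s | %s\n", $label, $stored, render_comment($stored));
}

// The output layer is the one that still holds if the input filter is bypassed:
// a row inserted by another code path, an older row, or a rule that was edited.
echo "\nOutput escaping applied directly to the raw, unfiltered input:\n";
foreach ($samples as $label => $raw) {
    printf("%-10s | %s\n", $label, escape_html($raw));
}
```

Two things worth checking in the output. First, the 'unclosed' and 'ampersand' cases show the cost of filtering on input: the PHP manual notes that strip_tags() can remove more text than expected on partial or broken tags, and the entity regex also eats legitimate text such as a typed "&copy;". Second, the last loop shows that escaping at output time turns every sample, including the unfiltered script tag, into inert text, which is why escaping where the data is rendered (with an encoder that matches the context: HTML body, attribute, URL, JavaScript) is the layer to rely on, with input validation as an additional constraint on what gets stored rather than the only defence.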
