
CodeIgniter: is $_POST already clean for db input?

Developer https://www.devze.com 2022-12-24 14:50 Source: web
This is my first app with CI and I want to know whether $_POST is clean and can I directly insert the data into db?

I have enabled $config['global_xss_filtering'] = TRUE;

Thank You.


No, but $this->input->post() called without parameters will return all items passed through an XSS filter.

Also, if you are using it, the ActiveRecord documentation for CodeIgniter states the following:

It also allows for safer queries, since the values are escaped automatically by the system.


If you use CodeIgniter's Active Record access to the database, you don't have to worry about escaping values as it takes care of that for you.


No, because SQL is made up of pretty standard alphanumeric characters (the documentation). You should at the very least type your data and use PHP's mysql_real_escape_string() (the documentation).

This prevents SQL injection, whereas XSS filtering does not.


Short answer: no.

Long answer: maybe, if you use more secure DB methods.

If you use a parametrized function (ex: pgSQL has pg_query_params()) then you don't need to sanitize the data, you only need to sanitize the data if you concat your SQL, which is generally considered subpar coding.
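The following is an added example (not code from the question, any of the answers, or the CodeIgniter project) that puts the three answers above side by side in a CodeIgniter 2.x controller: the XSS filter on $this->input->post(), query bindings, Active Record inserts, and $this->db->escape(). The controller name, the `users` table and the `username`/`email` form fields are assumptions for illustration. It uses CodeIgniter's own escaping rather than mysql_real_escape_string(), which belongs to the old mysql extension that was removed in PHP 7.

```php
<?php
// Added example, not part of the original post. Assumes a CodeIgniter 2.x
// application with a loaded database library and a `users` table with
// `username` and `email` columns (all assumed names).
class Users extends CI_Controller
{
    public function create()
    {
        // The second argument TRUE runs the value through CodeIgniter's XSS
        // filter. That filter is about safe HTML output; it does not make the
        // value safe to splice into an SQL string.
        $username = $this->input->post('username', TRUE);
        $email    = $this->input->post('email', TRUE);

        // UNSAFE: concatenating request data into SQL. The XSS filter leaves a
        // single quote alone, so a legitimate value such as O'Brien already
        // breaks this query, and crafted input can change what it does.
        // $sql = "INSERT INTO users (username, email) VALUES ('$username', '$email')";
        // $this->db->query($sql);

        // SAFE (1): query bindings. Each ? is replaced by the escaped value,
        // so the data can never be parsed as SQL syntax.
        $sql = 'INSERT INTO users (username, email) VALUES (?, ?)';
        $this->db->query($sql, array($username, $email));

        // SAFE (2): Active Record. Column values are escaped by the driver,
        // which is what the documentation quoted above refers to.
        $this->db->insert('users', array(
            'username' => $username,
            'email'    => $email,
        ));

        // Reading back the row with Active Record: where() escapes the value too.
        $this->db->where('email', $email);
        $query = $this->db->get('users');
        $row   = $query->row();

        // SAFE (3): if you must assemble the string yourself, escape() quotes
        // and escapes the value for the configured database driver.
        $sql   = 'SELECT id FROM users WHERE email = ' . $this->db->escape($email);
        $check = $this->db->query($sql);

        // Escape on output as well: XSS filtering on input is a convenience,
        // and html_escape() (from the string helper) is what protects the page.
        $this->load->helper('string');
        echo 'Created ' . html_escape($row->username)
           . ' (' . $check->num_rows() . ' matching row)';
    }
}
```

The point of the two commented-out lines is that the XSS filter and SQL escaping solve different problems: global_xss_filtering touches characters that matter in HTML, while a quote in an SQL string matters only to the database. Bindings or Active Record take care of the latter regardless of what the input filter did.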


It looks like things have changed in the current version of CodeIgniter (2.0.0)...

$this->input->post does not work

and $_POST is automatically cleaned when global_xss_filtering is enabled.

