3

We created a project using CodeIgniter, and it's very cool and efficient.

CI has a good form validation feature which helps to secure the system; however, I am struggling to find the right way to use rules.

Please see below

Assume that ID is an integer field, so I can set

$this->form_validation->set_rules("ID","FORM ID","required|trim|integer");

I think that is enough because form validation will return an error if the ID field has something other than an integer.

But what should the rules be for a normal FORM field (text area or normal input type text field)?

Requirements

  1. No HTML allowed (or need to strip those tags)
  2. XSS clean
  3. SQL injection prevention

Currently I am doing

$this->form_validation->set_rules("FIELD_NAME","FIELD_NAME","required|trim|xss_clean|strip_tags");

Is this enough to make the system secure?

Red
  • Go through this; I think you can use native functions like PDO or mysql_escape_string to prevent SQL injections: http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection – Venkata Krishna Nov 21 '12 at 05:50
  • @Venkat CI has everything we need, but we need to understand how to use it. – Red Nov 21 '12 at 05:52
  • Yeah, you are correct, but how would you know, after you put a certain rule in place to prevent SQL injection, whether it is working or not? Do you know how to do SQL injection? If so, try with your existing rules; if it fails, then try with new functions. – Venkata Krishna Nov 21 '12 at 05:55
  • I am not a master in security; checking ONLY with my knowledge is insufficient, and that's why I posted this question. The link you gave is not useful for CI. – Red Nov 21 '12 at 06:00

2 Answers

6

Using CodeIgniter's validation library is the first step to strengthening your security. You should use it to remove any invalid characters (HTML, potential XSS/SQL attacks, etc.).

As per your requirements:

strip_tags - remove any HTML tags
xss_clean - remove any potential xss attack strings

To prevent SQL injection attacks, you could also use something like alpha_numeric in your validation rules to secure against potentially dangerous characters by allowing only alphanumeric characters.

The other way to prevent SQL injection would be to use CodeIgniter's active record library when passing and retrieving data to and from the database. If you use CodeIgniter's active record as intended, it will automatically strip out dangerous characters that could be used for SQL injection attacks.

Method 1 (removes invalid characters) - Take advantage of the active record library's WHERE function parameters

$this->db->where('username', $username);
$query = $this->db->get('users');

Method 2 (no protection) - Write the where statement directly

$this->db->where('username = '.$username);
$query = $this->db->get('users');

Method 3 (no protection) - Write the entire SQL statement directly into the query function

$this->db->query('SELECT * FROM users WHERE username = '.$username);

When not using the active record library, CodeIgniter offers functions for escaping strings (making them safe to enter into the database).

$this->db->escape() - This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to:

Example usage:

$this->db->query('SELECT * FROM users WHERE username = '.$this->db->escape($username));

Reference: http://codeigniter.com/user_guide/database/queries.html

Jeemusu
  • A small note: CI allows parametrized queries; I am using that one. Also, almost all my where clauses (from users) are normally integers; I think that using `intval` will protect something there. – Red Nov 21 '12 at 07:58
  • `$this->db->query('SELECT * FROM users WHERE username = ?', array($username));` Same result and less painful. – Robin Castlin Nov 21 '12 at 11:00
  • Could you please send me the security link, because I can't find its docs on Google! – Duc Babe Mar 21 '20 at 07:04
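The script below is an added example, not code from the answer above, from the question, or from CodeIgniter itself. It puts the answer's "Method 3" (splicing the value into the SQL text) next to a bound parameter and next to the integer cast mentioned in the comments, so the difference can be seen on a real query. To run without a CI install it uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension); CodeIgniter's `$this->db->query('... = ?', array($value))` bindings and `$this->db->escape()` fill the role that `prepare()`/`execute()` fills here. The table, rows and payload are constructed for the demonstration: the concatenated query returns every user, the bound one returns none, and the cast reduces `1 OR 1=1` to the single id 1.

```php
<?php
// Added example, not from the original answer or from CodeIgniter.
// Compares string concatenation (the answer's Method 3) with a bound
// parameter, using PDO + in-memory SQLite (assumes pdo_sqlite) so it
// runs stand-alone. CI's '?' query bindings and $this->db->escape()
// play the role that prepare()/execute() plays below.

// Constructed sample table and rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin')");
$pdo->exec("INSERT INTO users (username, role) VALUES ('bob', 'user')");

// Constructed payload: the quote closes the literal and the rest is parsed as SQL.
$payload = "nobody' OR '1'='1";

// Equivalent of Method 3: the value becomes part of the query grammar.
function findByUsernameUnsafe(PDO $pdo, $username)
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the driver receives the value apart from the SQL text,
// so the quote is just a character inside the string being compared.
function findByUsernameSafe(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute(array($username));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Integer keys (the 'integer' rule / intval() point from the comments):
// cast to int first, then still bind rather than concatenate.
function findByIdSafe(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "unsafe: " . implode(', ', findByUsernameUnsafe($pdo, $payload)) . "\n";
echo "bound:  " . implode(', ', findByUsernameSafe($pdo, $payload)) . "\n";
echo "by id:  " . implode(', ', findByIdSafe($pdo, '1 OR 1=1')) . "\n";
```

Run it with `php example.php`. The same structure applies inside a CI model: keep the SQL text fixed and pass user-supplied values only through bindings, `$this->db->escape()`, or the active record `where('column', $value)` form; validation rules like `integer` narrow what reaches the query but are not a substitute for that separation.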
1

And one more cool CI security feature:

If you are getting values from a form, you can XSS clean by adding TRUE after the field name. Example: a field called first_name from a submitted form:

$firstname = $this->input->post( 'first_name', TRUE );

cartalot
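The script below is an added example, not code from either answer, from the question, or from CodeIgniter. It shows what PHP's `strip_tags()` (the function behind the `strip_tags` validation rule in the question) leaves behind for three constructed inputs, and contrasts that with escaping the value at the point where it is written into HTML. Stripping removes the tags but keeps the text that was inside `<script>`, and a value that begins with `">` keeps that prefix, so once echoed into an attribute it still closes the attribute early; `htmlspecialchars()` with `ENT_QUOTES` encodes all three so they render as text. CodeIgniter's `html_escape()` helper wraps the same `htmlspecialchars()` call.

```php
<?php
// Added example, not from the original answers or from CodeIgniter.
// Compares input-side strip_tags() with output-side HTML escaping on
// three constructed inputs rendered into a form attribute.

$inputs = array(
    'Hello <b>world</b>',            // benign inline markup
    '<script>alert(1)</script>',     // markup with script text inside it
    '"><script>alert(1)</script>',   // starts by closing an attribute value
);

// Input-side filtering, as the question's rule chain does: trim, then drop tags.
function filterInput($value)
{
    return strip_tags(trim($value));
}

// Output-side escaping for HTML text and double-quoted attribute contexts.
// CodeIgniter's html_escape() helper makes the same htmlspecialchars() call.
function escapeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// What a view would emit if it echoed the value into an attribute.
function renderAttribute($value)
{
    return '<input type="text" name="first_name" value="' . $value . '">';
}

foreach ($inputs as $raw) {
    echo "raw:      " . $raw . "\n";
    echo "stripped: " . renderAttribute(filterInput($raw)) . "\n";
    echo "escaped:  " . renderAttribute(escapeForHtml($raw)) . "\n\n";
}
```

Run it with `php example.php` and compare the `stripped:` and `escaped:` lines for the third input. In a CI view the equivalent of `escapeForHtml()` is `<?php echo html_escape($first_name); ?>`; keeping that escape at output time is what protects the attribute, whether or not `xss_clean` or `strip_tags` ran on the way in.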