I am writing a search function that enables users to search a particular table on my database. My website runs on CodeIgniter.

For the search function, I use $_GET instead of the CodeIgniter $this->input->get() since I had trouble using the latter within a helper function.

Now, here's a security question:

What is the best way to sanitize and filter malicious characters in the $_GET array in order to prevent XSS and SQL injection?

Bearing in mind that data in the $_GET array will be used to query the database and retrieve info from it.

Is there a recursive way to clean the entire $_GET array without having to go through it one element at a time?

Should I use PHP's filter methods or CodeIgniter's?

Any advice will be greatly appreciated! Thanks in advance!

  • Use CI built-in functions for XSS. Proper query security is there if you are using Active Record also. So since you are using CI, try taking advantage of its many useful security features. – mallix Jan 26 '13 at 14:51
  • Indeed I'm using Active Record's $this->db->query('...some SQL...'), where "...some SQL..." consists of the $_GET data I pieced together. Is that enough security by itself? –  Jan 26 '13 at 14:56
  • Also use the XSS clean methods from CI before passing that $_GET value to the query: http://ellislab.com/codeigniter/user-guide/libraries/security.html . You can set this security to run automatically and clean the code, or per get like: $var = $this->input->get('someKey', TRUE); <-- Cross Site Scripting Hack prevention – mallix Jan 26 '13 at 15:01
  • @HoneyBadger If you're passing in SQL like that, it can't be automatically escaped. However, if you use methods like `$this->db->where('id', $id);` then the value of `$id` will be escaped automatically. Of course, this doesn't cover all use cases, so if you're constructing queries manually, use `$this->db->escape($_GET['foo'])` for each query parameter you want to use. – Michael Mior Jan 26 '13 at 15:03

2 Answers

Codeigniter disables $_GET by default. Using the URI class you can simulate $_GET variables:

GET parameters in the URL with CodeIgniter

You can hack around it and use $_GET, which it sounds like you've done. But I wouldn't recommend that. You should use CodeIgniter's Input class. That provides XSS filtering and you can clean the entire $_GET array by running:

$this->input->get(NULL, TRUE); // returns all GET items with XSS filter 

If you use Codeigniter's database utility class to run your queries, it has an escape function built in. Look at the Escaping Queries section.

http://ellislab.com/codeigniter/user-guide/database/queries.html

– Jeff
  • Ok, this is my solution: Obtain a cleaned version of the $_GET array by doing: $foo_array = $CI->input->get(NULL, TRUE); Then use the cleaned array throughout the helper function. Thanks to all for your feedback! –  Jan 27 '13 at 02:29

You can use $this->db->escape($variable) to escape values in queries. It is strongly recommended to use CI's input class though.

Read more at : http://ellislab.com/codeigniter/user-guide/database/queries.html

– Jaspal Singh
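Both answers point at the same two tools: the Input class to XSS-filter the whole $_GET array, and Active Record or $this->db->escape() to get values into the query safely. The following helper puts them together in one CodeIgniter 2.x helper function, as an added example that is not code from the question or either answer. The `products` table, its columns, the `?q=`, `?category=` and `?sku=` parameters and the MySQL driver are assumptions. The point a practitioner should take from it is the division of labour: xss_clean() on the way in only protects later HTML output, it does not make a value safe to concatenate into SQL; that is what Active Record, escape() and query bindings are for.

```php
<?php
// Added example, not from the question or the answers above.
// Assumes CodeIgniter 2.x with the mysql driver, a hypothetical `products`
// table (id, name, sku, price, category_id) and a form sending ?q=&category=.

// BEFORE: the pattern the question describes. $_GET is pieced straight into
// the SQL string and nothing in $this->db->query() escapes it, so a quote in
// the value ends the literal and the remainder is executed as SQL.
function search_products_unsafe()
{
    $CI =& get_instance();
    $sql = "SELECT id, name FROM products WHERE name LIKE '%" . $_GET['q'] . "%'";
    return $CI->db->query($sql)->result_array();
}

// AFTER: read the whole GET array through the Input class (XSS-filtered),
// validate it, and let Active Record quote and escape every value.
function search_products()
{
    $CI =& get_instance();

    // get(NULL, TRUE) returns every GET item run through xss_clean(), or FALSE
    // when there is no GET data at all.
    $get = $CI->input->get(NULL, TRUE);
    if ($get === FALSE)
    {
        return array();
    }

    $term = isset($get['q']) ? trim($get['q']) : '';
    if ($term === '' || strlen($term) > 100)
    {
        return array();                     // nothing sensible to search for
    }

    $CI->db->select('id, name, sku, price');
    $CI->db->from('products');
    // like() escapes the value and the LIKE wildcards (% and _), so a
    // user-supplied % or _ is matched literally instead of as a wildcard.
    $CI->db->like('name', $term);

    // Optional numeric filter: check the shape first, then cast. where()
    // escapes the value anyway, but an explicit integer is easier to audit.
    if (isset($get['category']) && ctype_digit($get['category']))
    {
        $CI->db->where('category_id', (int) $get['category']);
    }

    $CI->db->order_by('name', 'asc');
    $CI->db->limit(50);
    return $CI->db->get()->result_array();
}

// The same discipline for a hand-written statement, which is what the
// question's helper does: either pass each value through escape() (it adds the
// quotes for strings) or use query bindings, where each ? is replaced by an
// escaped value in order.
function find_product_by_sku($sku)
{
    $CI =& get_instance();

    $sql = "SELECT id, name FROM products WHERE sku = " . $CI->db->escape($sku) . " LIMIT 1";
    $row = $CI->db->query($sql)->row_array();

    // Equivalent using query bindings:
    // $row = $CI->db->query("SELECT id, name FROM products WHERE sku = ? LIMIT 1",
    //                       array($sku))->row_array();
    return $row;
}

// XSS is an output problem: whatever filtering happened on the way in, escape
// again at the point where the value is written into HTML.
function render_results(array $rows)
{
    $html = '<ul>';
    foreach ($rows as $row)
    {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
               . ' (' . htmlspecialchars($row['sku'], ENT_QUOTES, 'UTF-8') . ')</li>';
    }
    return $html . '</ul>';
}
```

Called from a controller as `$rows = search_products(); echo render_results($rows);` after loading the helper. The validation before the query (empty check, length cap, ctype_digit on the numeric filter) is not what stops injection, escaping does that; it is there so that malformed input is rejected early and the query only ever sees values of the expected shape.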