Since CodeIgniter 3 the xss_clean() function is deprecated on user input, and should only be used for output. I have looked at the docs and can't find what I should use to clean my input properly. I'm using form validation and XSRF protection on my form, but is this enough?

How do I properly clean user input with CodeIgniter? I am using their query builder to talk to the database, so the input does get prepared.

Jordy
  • XSS is not fixed with input filtering, but output escaping. If anything, you should *log* probable attempts, not silently clean them. See also: [What are the best PHP input sanitizing functions?](http://stackoverflow.com/q/3126072) – mario Jul 01 '15 at 12:55
  • @mario thanks for your reaction, that's definitely a great thread. It basically comes down to this: I will need to filter the input with the `filter_input()` functions and will have to apply `htmlspecialchars()` when outputting the user input data. – Jordy Jul 01 '15 at 13:03
  • Use `TRUE` as a 2nd parameter for post data. `$this->input->post('username', TRUE)` is one of the best data filtering systems for CI – Rejoanul Alam Jul 01 '15 at 15:47
  • @RejoanulAlam but that's an XSS filter and should be used when outputting data, right? – Jordy Jul 01 '15 at 17:52

1 Answer

The reason for deprecation is that you shouldn't filter user input. Validate it to make sure it's the right type or style, but don't filter input.

If you're concerned about SQL injection due to unfiltered input, you should protect yourself with prepared statement queries.

PaulSkinner
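The validate-then-escape approach in this answer (and in mario's comment above), written out as CodeIgniter 3 code. This is an added example, not code from the question, the answer, or the CodeIgniter project; the controller and view names, the `users` table with its `username` and `bio` columns, and the payload-detection regex are assumptions made for illustration.

```php
<?php
// application/controllers/Profile.php (CodeIgniter 3; added example, not from the original post)
// Assumed schema: table `users` with columns `username` and `bio`.
defined('BASEPATH') OR exit('No direct script access allowed');

class Profile extends CI_Controller
{
    public function save()
    {
        // CSRF: set $config['csrf_protection'] = TRUE in application/config/config.php and
        // build the form with form_open(), which emits the token field that CI then checks.
        $this->load->helper(array('form', 'url'));
        $this->load->library('form_validation');

        // Validate the *shape* of the input and reject what does not fit; do not "clean" it.
        // alpha_dash allows only [A-Za-z0-9_-], so a username can never carry HTML or quotes.
        $this->form_validation->set_rules('username', 'Username',
            'required|alpha_dash|min_length[3]|max_length[20]');
        // Free text such as a bio legitimately contains < > ' " &, so only bound its length.
        // It is made safe at each sink (query binding, output escaping), not by mangling it here.
        $this->form_validation->set_rules('bio', 'Bio', 'max_length[500]');

        if ($this->form_validation->run() === FALSE) {
            // Nothing is stored; the form view re-renders and escapes any echoed values itself.
            $this->load->view('profile_form');
            return;
        }

        // Deliberately no second argument (the XSS filter) on post(): it would rewrite the
        // stored data, and it is not a substitute for escaping at the output sink.
        $data = array(
            'username' => $this->input->post('username'),
            'bio'      => $this->input->post('bio'),
        );

        // Log input that looks like an attack instead of silently rewriting it (mario's point).
        // The pattern is a rough heuristic assumed for this example, not a CodeIgniter feature.
        if (preg_match('/<\s*script|javascript:|\bon\w+\s*=/i', $data['bio'])) {
            log_message('error', 'Possible XSS payload in bio from ' . $this->input->ip_address());
        }

        // Query Builder escapes every value it binds, so quotes in $data cannot break the SQL.
        $this->db->insert('users', $data);

        // Equivalent with explicit placeholders if you write the SQL yourself:
        // $this->db->query('INSERT INTO users (username, bio) VALUES (?, ?)',
        //                  array($data['username'], $data['bio']));

        redirect('profile/show/' . $data['username']);
    }

    public function show($username)
    {
        // The value is bound by Query Builder, never concatenated into the SQL string.
        $row = $this->db->where('username', $username)->get('users')->row();
        if ($row === NULL) {
            show_404();
        }
        $this->load->view('profile_show', array('user' => $row));
    }
}

// ---- application/views/profile_show.php (the output sink; same added example) ----
// Escaping happens here, once, with the escaper for the HTML context the value lands in.
// html_escape() is CodeIgniter's wrapper around htmlspecialchars() with ENT_QUOTES.
?>
<h1><?php echo html_escape($user->username); ?></h1>
<p><?php echo html_escape($user->bio); ?></p>
```

html_escape() is the right escaper for HTML text and attribute values; a value dropped into a JavaScript string or a URL needs json_encode() or urlencode() respectively, because XSS depends on the context the data is written into, not on what it looked like when it arrived. The XSS filter ($this->input->post('bio', TRUE) or $config['global_xss_filtering']) is left out on purpose: it alters what gets stored, and anything it misses still reaches the page unescaped if the view relies on it.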