
Does anyone know how to protect against unsafe user input in CodeIgniter if I use insert_batch? Sorry for my bad English. My code looks like this:

$data[] = array(
    'id_invoice' => $this->input->post('id_invoice'),
    'id_product' => $key['id_product'],
    'id_fabrics' => $key['id_fabric'],
    'id_option'  => $id_option,
    'name'       => $key['name'],
    'number'     => $key['number'],
    'id_size'    => $key['size'],
    'comment'    => $key['comment']
);

and then I call the batch insert like this:

$this->orders->insert_order_mix($data);
Muhamad Riyan
    Use the second param `true` in `$this->input->post('id_invoice', true)` to prevent injection. – Gaurav Apr 10 '17 at 04:55

3 Answers

I think you are confused about the concept of Batch Insert. Please READ THIS to get a good understanding of Batch Insert. Now for your issue: it is very good to be concerned about security these days, as it is said:

Always filter input and escape output, Never trust data.

You can use the CodeIgniter Security class to secure your data.

E.g.

$data=$this->security->xss_clean($this->input->post());

OR

$postData=$this->input->post();
$data=$this->security->xss_clean($postData);

Furthermore, you can avoid Cross-Site Request Forgery by using a CSRF token in your forms.

Mudassar Khani

Thanks for your answer. I am not sure it applies in my case, because I am using AJAX to get the data, and the data is in array format. This is my code to process it in the controller:

if (!$this->input->is_ajax_request()) {
    exit('No direct script access allowed');
} else {
    $input  = $this->input->post('ar_dat');
    $option = $this->input->post('list_option');
    if ($option == null) {
        $id_option = '';
    } else {
        $id_option = implode(',', $option);
    }
    $data = array(); // initialise so an empty request does not leave $data undefined
    foreach ($input as $key) {
        $data[] = array(
            'id_invoice' => $this->input->post('id_invoice'),
            'id_product' => $this->input->post('id_product'),
            'id_fabrics' => $this->input->post('id_fabric'),
            'id_option'  => $id_option,
            'name'       => $key['name'],
            'number'     => $key['number'],
            'id_size'    => $key['size'],
            'comment'    => $key['comment']
        );
    }
    $this->orders->insert_order_uniform($data);
}

Muhamad Riyan

So simple: you can remove abusive tags and data from the user input.

//Change This

$this->orders->insert_order_mix($data);

// to 

$data = $this->security->xss_clean($data); // You have to clean Data with XSS Filtering
$this->orders->insert_order_mix($data);

This method cleans all your abusive data, replacing it with the [removed] keyword.

If the user can input any script, the XSS filter removes it as shown below:

$name = '<script>Your Name</script>';
echo $name; // Output : <script>Your Name</script>

// But you use XSS then output is change as per below

$name = '<script>Your Name</script>';
$name = $this->security->xss_clean($name);
echo $name; // Output : [removed]Your Name[removed]

Or, very simply, you can edit your config file:

// Change the global_xss_filtering value from FALSE to TRUE
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;
ImBhavin95
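The answers above recommend xss_clean, but the original question is about insert_batch, which is a SQL concern rather than an XSS one. The following CodeIgniter 3 model is an added example, not code from the question or any answer: it whitelists and type-checks each row before handing it to insert_batch(), which escapes every value through the database driver. The class name Orders_model, the table name order_mix, and the assumption that id_* and number are integers are placeholders of mine; the column names come from the question's $data array.

```php
<?php
// Added example (not from the question or answers). Assumptions: the model
// is Orders_model, the table is 'order_mix', and the id_* / number columns
// hold integers. Column names are those of the question's $data rows.
class Orders_model extends CI_Model
{
    // Columns a client may supply; anything else is silently dropped.
    private $allowed = array('id_invoice', 'id_product', 'id_fabrics',
        'id_option', 'name', 'number', 'id_size', 'comment');
    private $integer = array('id_invoice', 'id_product', 'id_fabrics',
        'number', 'id_size');

    public function insert_order_mix(array $rows)
    {
        $clean = array();
        foreach ($rows as $row) {
            // Keep only whitelisted keys so extra POST fields cannot reach
            // the query or overwrite a column you did not intend to set.
            $row = array_intersect_key($row, array_flip($this->allowed));
            if (count($row) !== count($this->allowed)) {
                return FALSE; // a required column is missing
            }
            // Integer columns: reject anything that is not a plain number.
            foreach ($this->integer as $col) {
                if (!ctype_digit((string) $row[$col])) {
                    return FALSE;
                }
                $row[$col] = (int) $row[$col];
            }
            // id_option is implode(',', $list_option) in the question:
            // accept only a comma-separated list of integers (or empty).
            if (!preg_match('/^(\d+(,\d+)*)?$/', $row['id_option'])) {
                return FALSE;
            }
            // Free text: cap the length and strip script fragments. This is
            // defence for later display, not what stops SQL injection.
            $row['name']    = $this->security->xss_clean(mb_substr($row['name'], 0, 100));
            $row['comment'] = $this->security->xss_clean(mb_substr($row['comment'], 0, 500));
            $clean[] = $row;
        }
        if (empty($clean)) {
            return FALSE; // insert_batch() with no rows is an error in CI3
        }
        // Query Builder binds and escapes every value itself, so the batch
        // insert is not injectable even without the checks above; the checks
        // enforce the data model (types, lengths, permitted columns).
        return $this->db->insert_batch('order_mix', $clean);
    }
}
```

When the stored name or comment is later rendered in a view, pass it through html_escape() as well; xss_clean() on input is not a substitute for escaping output.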