Getting comments safely into a DB with JQuery and CodeIgniter?

Question

So I have a comments script I've written in Codeigniter that uses PHP and Jquery.

Basically, a user writes a comment and then hits submit. I then use AJAX to call a server side script to check, validate and insert the comment.

At the JQuery end I am escaping using the encodeURIComponent

$.ajax({
    url : 'http://domain.com/ajax/post_comment',
    type : 'post',
    data : encodeURIComponent( $(this).val() ),
    success : function(data){
                //more code here
            }
});

At the PHP end, as I say I'm using CodeIgniter, so I am escaping the comments using the Binding provided by CodeIgniter like below

$sql = "INSERT INTO video_comments VALUES(NULL, ?);
$this->db->query($sql,array($comment));

This works pretty well and can escape and insert

!"£$%^&*()_+=-}{~@:?></.,#;][¬`|

Now the problem is that, it cannot insert '(single quote) or \(backslash)? I guess because it's not escaping them properly?

One clue might be that it does allow me to insert \' which I guess escapes the single quote? But I would have thought CodeIgniters binding would take care of that at least?

Any ideas?

If you `var_dump($comment)` after you get the value from the AJAX post, before sending it to the DB, you will find out *where* the issue is. Have you tried inserting a string manually to make sure it's escaped? Why are you using `encodeURIComponent`? — Wesley Murch, Dec 22 '11 at 17:50

Muhammad Usman · Answer 1 · 2011-12-23T08:11:55.340

4

Update: according to the discussion below query bindings makes the query safe by itself so there is no need to use escape functions separately.

IMHO, the best and secure way is to use CodeIgniter Active Record Class for your queries, if you are not too much (again too much) worried about performance. IMO, there is just slight performance improvement if you disable Active Record but there are lots of benefits if you enable and use.

http://codeigniter.com/user_guide/database/active_record.html

edited Dec 23 '11 at 08:11

answered Dec 22 '11 at 18:00

Muhammad Usman

12,439
6
36
59

As much as this is a correct answer. Personally I feel the active records don't give you enough flexibility – Sean H Jenkins Dec 22 '11 at 18:19
I agree that Active Record is great, but how is AR "more secure" than using query bindings/placeholders? – Wesley Murch Dec 22 '11 at 19:52
@SeanHJenkins Where Active Record doesn't work, like sub queries, then you can use plain queries if needed, with proper sanitizing, but in the case above active record is a good way, I think. – Muhammad Usman Dec 22 '11 at 19:53

score 1 · Accepted Answer · edited May 23 '17 at 10:08

1

First, don't use encodeURIComponent. That's not the intended use of it at all. Edit: Here's a link discussing what that call is actually for: When are you supposed to use escape instead of encodeURI / encodeURIComponent?

Second, I don't see where you are escaping in the PHP code. CodeIgniter has built in escape functions, like escape_str:

$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";

More info here: http://codeigniter.com/user_guide/database/queries.html

edited May 23 '17 at 10:08

Community

1
1

answered Dec 22 '11 at 18:03

Eric Brandel

860
7
9

Ok this works but it adds slashes, which I wanted to avoid. Can I avoid this? Or how do I output an escaped character like `\'` to look like `'` – Sean H Jenkins Dec 22 '11 at 18:09
Doesn't matter I guess I use `stripslashes` . Thanks for the answer – Sean H Jenkins Dec 22 '11 at 18:14
2

@EricBrandel query binding already escapes. It's written just in the page you linked, a few lines beyond the escape_str() method. – Damien Pirsy Dec 22 '11 at 19:46

Getting comments safely into a DB with JQuery and CodeIgniter?

2 Answers2