On the protection of CI XSS attack and SQL injection

Source: Internet
Author: User
Tags: sql injection

XSS filtering

The Input class can automatically filter input data to prevent cross-site scripting (XSS) attacks. To run the filter automatically on every POST and COOKIE value, set the following parameter in the application/config/config.php configuration file:

    $config['global_xss_filtering'] = TRUE;

Alternatively, pass TRUE as the second parameter of the get() and post() methods and that single input value is XSS-filtered. Note that XSS filtering is not an effective defence against SQL injection.

    $this->input->post("UserName", TRUE);

Anti-SQL injection

The main principle of preventing SQL injection is to escape the special characters (', \, %, _ and so on) in the fields used in conditions (WHERE or LIKE) by placing an escape character in front of them, so that the database executes the SQL as intended and no database error occurs.

1. For numeric fields, check that the value is a number (and has the expected number of digits) before it reaches the database.

2. For plain strings that should not contain special characters, check for special characters and stop execution if any are present, rather than sending the value to the database.

3. For anything that does go to the database, escape the fields used in the condition.

Here's how the CI framework handles it:

1. Use CI's Active Record (AR) database class directly for CRUD operations:

(1) insert: $this->db->insert("TableName", $insertArray);

(2) delete: $this->db->where("id", $id)->delete("TableName");

(3) update: $this->db->where("id", $id)->update("TableName", $updateArray);

(4) query: $this->db->where("id", $id)->select("id,name,age")->get("TableName");

* One detail to watch: where() can also take a custom SQL string (method 4 below), such as where("id = '{$id}'"). That form is not an AR key/value operation, in other words it is not automatically escaped.

* Of the four forms below, the custom string form does not support automatic escaping, but it does allow OR inside the WHERE clause and is therefore more flexible. If you need an OR condition, escape the fields being compared first.

To do that, use either CI's own escaping functions (see Escape query below) or a wrapper function of your own.

  1. A simple way to Key/value:

    $this->db->where('name', $name); // Produces: WHERE name = 'Joe'

    Note that the equal sign is added automatically.

    If you call this method multiple times, then multiple WHERE conditions will be concatenated with and:

    $this->db->where('name', $name);
    $this->db->where('title', $title);
    $this->db->where('status', $status);
    // Produces: WHERE name = 'Joe' AND title = 'Boss' AND status = 'active'

  2. Custom Key/value Mode:

    To control the comparison, you can include a comparison operator in the first parameter:

    $this->db->where('name !=', $name);
    $this->db->where('id <', $id);
    // Produces: WHERE name != 'Joe' AND id < 45

  3. Associative array mode:

    $array = array('name' => $name, 'title' => $title, 'status' => $status);
    $this->db->where($array);
    // Produces: WHERE name = 'Joe' AND title = 'Boss' AND status = 'active'


    You can also include your own comparison operators in this method:

    $array = array('name !=' => $name, 'id <' => $id, 'date >' => $date);
    $this->db->where($array);

  4. Custom string:

    You can write the WHERE clause entirely by hand:

    $where = "name = 'Joe' AND status = 'boss' OR status = 'active'";
    $this->db->where($where);

Escape query

It's a good idea to make sure that you're escaping the data before you submit it to your database. CodeIgniter has three ways to help you do this:

  1. $this->db->escape() This function determines the data type and escapes only string data. It also wraps the data in single quotes automatically, so you do not add them yourself:

    $sql = "INSERT INTO table (title) VALUES (" . $this->db->escape($title) . ")";

  2. $this->db->escape_str() This function escapes the data regardless of its type. It is rarely used directly; the method above is normally preferred. Usage:

    $sql = "INSERT INTO table (title) VALUES ('" . $this->db->escape_str($title) . "')";

  3. $this->db->escape_like_str() This function should be used when strings are placed in a LIKE condition, so that the LIKE wildcards ('%', '_') inside the string are escaped correctly:

    $search = '20% raise';
    $sql = "SELECT id FROM table WHERE column LIKE '%" . $this->db->escape_like_str($search) . "%' ESCAPE '!'";

* One thing to note about escape(): after $this->db->escape() is applied, the variable is automatically wrapped in single quotes on both sides, and the quotes inside it are escaped as well.

* For example, abc becomes 'abc', and a'bc becomes 'a\'bc'. So when writing a custom WHERE string, do not add your own single quotes around the escaped value, otherwise the value ends up with two sets of quotes (''abc'').
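The following is an added example, not from the original post or from CodeIgniter itself: a CI 2.x model method set that puts the above together, showing the unsafe custom WHERE string beside its escape()d form, the numeric check from the list earlier, and a LIKE search via Active Record's like() (which applies escape_like_str() for you). The `users` table and its columns are assumed.

```php
<?php
// Added example, not from the original post or from CodeIgniter: a CI 2.x model
// showing the unsafe custom WHERE string beside its escaped form, the numeric
// check from the list above, and an escaped LIKE search.
// Assumes a hypothetical `users` table with columns id, name and email.
class User_model extends CI_Model
{
    // UNSAFE: $name is interpolated raw into the custom string, so a value
    // containing a single quote alters the SQL or causes a database error.
    public function find_by_name_unsafe($name)
    {
        $this->db->where("name = '{$name}'");          // custom string, no escaping
        return $this->db->get('users')->result_array();
    }

    // SAFE: escape() adds the surrounding single quotes and escapes quotes and
    // backslashes inside the value, so do not wrap the result in quotes again.
    // The custom string form is used here because it allows OR in the clause.
    public function find_by_name_or_email($name, $email)
    {
        $where = 'name = ' . $this->db->escape($name)
               . ' OR email = ' . $this->db->escape($email);
        $this->db->where($where);
        return $this->db->get('users')->result_array();
    }

    // SAFE: reject anything that is not a plain digit string before querying,
    // then let the AR key/value form escape the value itself.
    public function find_by_id($id)
    {
        if (!ctype_digit((string) $id)) {
            return array();                             // never reaches the database
        }
        $this->db->where('id', (int) $id);
        return $this->db->get('users')->row_array();
    }

    // SAFE: like() runs escape_like_str() on $term so % and _ in the search
    // term match literally, and appends the driver's own ESCAPE clause.
    public function search_by_name($term)
    {
        $this->db->like('name', $term);                 // WHERE name LIKE '%...%'
        return $this->db->get('users')->result_array();
    }
}
```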
