views: 329, answers: 4

Hello,

This is my first app with CI and I want to know whether $_POST is clean and whether I can directly insert the data into the DB?

I have enabled $config['global_xss_filtering'] = TRUE;

Thank You.

+1  A: 

No, because SQL is made up of pretty standard alphanumeric characters (the documentation). You should at the very least type your data and use PHP's mysql_real_escape_string() (the documentation).

This prevents SQL injection, whereas XSS filtering does not.

Elizabeth Buckwalter
+4  A: 

No, but $this->input->post is:

Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.

I am not sure however, what those 'few other characters' are.

Also, if you are using it, the ActiveRecord documentation for codeigniter states the following:

It also allows for safer queries, since the values are escaped automatically by the system.

Daniel
+1  A: 

If you use CodeIgniter's Active Record access to the database, you don't have to worry about escaping values as it takes care of that for you.

kemp
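Putting Daniel's and kemp's answers into a controller, as an added example that is not part of the thread and not code from the CodeIgniter project: it reads the POST value through `$this->input->post()`, lets Active Record escape it on insert, and uses query bindings for a hand-written statement. It assumes a CodeIgniter 2.x/3.x install with the database library loaded and a `users` table with a `name` column (both of which are assumptions, not something the thread states).

```php
<?php
// Added example, not from the thread or the CodeIgniter project.
// Assumes CodeIgniter 2.x/3.x, $this->db loaded, and a table
// `users` with a `name` column (constructed for this example).
defined('BASEPATH') OR exit('No direct script access allowed');

class Users extends CI_Controller {

    public function create()
    {
        // input->post() reads the key; the second argument runs xss_clean
        // on this value (or rely on global_xss_filtering). Neither does
        // anything about SQL: that job belongs to the database layer.
        $name = $this->input->post('name', TRUE);

        if (empty($name)) {
            show_error('name is required', 400);
        }

        // Active Record / Query Builder: the value is escaped by the
        // library, so an apostrophe in $name cannot break the statement.
        $this->db->insert('users', array('name' => $name));

        // Hand-written SQL: use query bindings (the `?` placeholders) so the
        // library escapes and inserts the value instead of you concatenating
        // it. $this->db->escape($name) is the manual equivalent and adds
        // the surrounding quotes itself.
        $query = $this->db->query(
            'SELECT id, name FROM users WHERE name = ?',
            array($name)
        );

        foreach ($query->result_array() as $row) {
            echo $row['id'] . ': ' . $row['name'] . "\n";
        }
    }
}
```

Neither form needs mysql_real_escape_string() or any manual quoting; the point is that escaping happens where the SQL is built, not in the XSS filter.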
A: 

Short answer: no

Long answer: maybe, if you use more secure DB methods

If you use a parameterized function (ex: pgSQL has pg_query_params()) then you don't need to sanitize the data, you only need to sanitize the data if you concat your SQL, which is generally considered subpar coding.

TravisO
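To make Elizabeth's and TravisO's points concrete, here is an added example (not from the thread) in plain PHP using PDO with an in-memory SQLite database, so it runs offline without CodeIgniter. The table and the sample input are constructed for the example. The input is an ordinary name containing an apostrophe: the XSS filter leaves it untouched because it contains no markup, yet it is exactly the character SQL cares about. The concatenated query fails on it, while PDO::quote() (the PDO counterpart of mysql_real_escape_string(), which no longer exists in PHP 7) and a prepared statement both store it correctly.

```php
<?php
// Added example, not from the thread. Uses PDO + in-memory SQLite so it
// runs stand-alone; table and input are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed stand-in for $_POST['name']. An XSS filter passes this
// through unchanged (no tags, no script), but the apostrophe terminates
// an SQL string literal.
$name = "O'Brien";

// 1. Concatenation: the apostrophe ends the literal early and the
//    statement is malformed. Any input that changes the statement's
//    meaning is the same defect; this is what SQL injection exploits.
try {
    $db->exec("INSERT INTO users (name) VALUES ('" . $name . "')");
    echo "concatenated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. Escaping: PDO::quote() escapes the value and adds the quotes.
$db->exec("INSERT INTO users (name) VALUES (" . $db->quote($name) . ")");

// 3. Parameterized query: the value is never part of the SQL text,
//    so there is nothing to escape.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Both safe paths stored the literal name, apostrophe included.
foreach ($db->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN) as $stored) {
    echo "stored: $stored\n";
}
```

Run it with `php example.php`: the first attempt prints an SQL syntax error, and the two rows read back afterwards show that escaping and parameterizing both preserve the original value. Only the third form should appear in new code; the second is there to show what "escaping" actually does.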