Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
815 views
in Technique[技术] by (71.8m points)

php - Codeigniter - best practice to sanitize input

I would like to know what's the best practice to sanitize user input using Codeigniter.

I understands that CI offers form_validation, such as set_rules.

'set_rules'=>'trim|xss_clean|alpha_numeric|htmlspecialchars'

"Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc."

My question now is,

is this enough to protect us from xss, sql injection attacks etc?

what other rules are there that I can apply?

in term of performance, is it costly for us to apply all these rules for all the inputs?

I understand MD5 is a hash funciton, but what happens if you set MD5 as part of the rule?

above that I've added javascript validation as well. Am I on the right track on sanitizing inputs and validating user inputs? Please advice.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Sanitizing is more that just running your input through all sorts of filters.

Sanitizing your input is about not polluting your application with user data you don't want.
The big question, though, what is it you don't want?

First example

You've made a page, allowing a user to send a text message. Your expected input would be a phone number and a text message.
Looking at the Rule reference in the manual, I would probably go for these rules:

numeric|exact_length[8]

These rules as I would like to make sure that the input is nummeric and that the input matches the length of phonenumbers in my region. Since I already validate that the input is nummeric, I can assume that XSS and SQL injection attempts should fail (as these attacks contain non-nummeric characters).

For the text message field, I would use trim and required: trim|required as I don't wan't an empty message sent.

Second example

Allowing users to comment, is a good way to allow users to spam your site or inject malicious code.

Basically, what you wan't is a name, an email and the comment.

All input needs to be required. The e-mail needs to validate. But the comment and name needs to have some cleaning of XSS and overhead spaces/line feeds.

My validation with sanitazion would look like this:

$this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('comment', 'Comment', 'required|trim|xss_clean');

Sanitize what you must - not what you can - and do the sanitaziton for what you need.
Make sure, when you insert the data to your backend to use the Active Record/Query Builder for escaping your input correctly or that your are using Query Bindings which does the same for you.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...