CodeIgniter: Two actions to prevent SQL Injection

In my previous post, I explained how to prevent XSS injection in your CodeIgniter apps. For those who are new to web programming, here is another kind of security hole in web programming that can be fatal, because it can expose the inner side of your application's database: SQL injection.


CodeIgniter: Apply XSS filter as mandatory

If you are new to web programming and have no idea what XSS is, here is what it is: "It is a kind of web application security hole that exploits unsanitized input, so that an intruder can place JavaScript/HTML in it." Is it a big deal? Yes, of course, because if they can do that, the malicious user input will be interpreted as real JavaScript/HTML tags and therefore processed/executed when it is printed.

Thankfully, CodeIgniter, one of the PHP application frameworks that is still gaining a user base, has the capability to deal with it. It has an XSS filtering mechanism that can be used to sanitize user input from GET/POST/cookie data. If you want to use it, open the CodeIgniter configuration file /application/config/config.php and edit this line:

$config['global_xss_filtering'] = TRUE;  # It is FALSE by default

Now if an adversary inputs something like <script>alert(0);</script> into one of your application's inputs, it will be converted to [removed]alert(0);[removed], so that it won't be interpreted as JavaScript.

But remember, stick to $this->input->post("variable") or $this->input->get("variable") when you are dealing with user input. Forget about what you learnt in your first PHP class ($_POST[] or $_GET[]).
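A controller that puts both points together, the per-request filter flag and the Input class instead of $_POST, is shown below. It is an added example, not code from the original post; it assumes the CodeIgniter 2.x/3.x Input and Security classes, and the controller name, view name and field name are made up for illustration.

```php
<?php
// Added example (not from the original post): a CodeIgniter 2.x/3.x controller
// showing where XSS filtering and output escaping apply. Controller name,
// view name ("comment_view") and field name ("comment") are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Comment extends CI_Controller
{
    public function submit()
    {
        // Read through the Input class rather than $_POST directly.
        // The second argument TRUE runs xss_clean() on this one value even
        // when $config['global_xss_filtering'] is left at FALSE.
        $comment = $this->input->post('comment', TRUE);

        // Missing field: CI 3 returns NULL, CI 2 returns FALSE; treat both as empty.
        if (trim((string) $comment) === '') {
            show_error('A comment is required.', 400);
            return;
        }

        // Defence in depth: the XSS filter neutralises known script patterns,
        // but output escaping is what guarantees the text renders as text.
        $data['comment'] = html_escape($comment);

        $this->load->view('comment_view', $data);
    }

    public function demo()
    {
        // Constructed sample input showing what the filter changes.
        $sample  = '<script>alert(0);</script>';
        $cleaned = $this->security->xss_clean($sample);
        // $cleaned now reads "[removed]alert(0);[removed]", as described above;
        // escaping it again keeps the remaining text inert in the page.
        echo html_escape($cleaned);
    }
}
```

Passing TRUE to post() is useful when you want filtering only on fields that are rendered back to users, instead of paying for the filter on every request via the global setting; html_escape() on the way out is the check that should always remain, whichever filtering mode you choose.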