PHPFixing

Saturday, January 29, 2022

[FIXED] How does CodeIgniter handle escaping output?

 January 29, 2022     codeigniter, php     No comments   

Issue

I am using CodeIgniter.

Recently, I read a PHP book and saw some functions to escape output from the server to the database using

*_escape_string()

and from server to browser using:

htmlentities()
htmlspecialchars()

In my CodeIgniter application, how are these functions handled? Is it internally handled by the framework, or do I have to manually handle it?

In CodeIgniter form validation I have seen xss_clean

$this->form_validation->set_rules('password', 'Password', 'required|xss_clean|min_length[6]|matches[confirmpassword]' );

Is xss_clean for preventing cross site scripting, or does it deal with the above I have mentioned?


Solution

If you're using the Active Record class, you generally don't need to escape anything you send to your database - it's done automatically:

http://codeigniter.com/user_guide/database/active_record.html

"It also allows for safer queries, since the values are escaped automatically by the system."

Manual escaping seems to be becoming a thing of the past, as most people are using PDO now for database interactions, using parameterized queries with placeholders instead of mashing SQL strings together. CI still uses the mysql_* functions internally though.

CI's xss_clean() is, in my opinion, more of a failsafe for those of us who don't know how and when to escape data properly. You normally don't need it. It's been the target of criticism both for its slow, aggressive approach to sanitizing data, as well as for just "not being good enough".

For escaping HTML output, in most cases htmlspecialchars() is all you need, but you can use the xss_clean() function any time. I don't suggest using it as a form validation rule because it will corrupt your input, inserting [removed] wherever it found something "naughty" in the original string. Instead, you can just call it manually to clean your output.

Summary:

  • Database: CI will (usually) escape the strings you pass to the Active Record class.
    See the user guide for details: http://codeigniter.com/user_guide/database/queries.html

  • HTML output: You need to escape HTML output yourself with htmlspecialchars() or use CI's html_escape() function (as of 2.1.0). This is not done automatically because there's no way to know the context in which you are using the data.

  • xss_clean() - If you know what you're doing, you shouldn't need it. Better to use on output than input.



Answered By - Wesley Murch
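The database half of the answer ("CI will (usually) escape the strings you pass to the Active Record class") is easiest to see side by side. The following is an added example, not code from the answer above or from CodeIgniter itself: a model written against CodeIgniter 3.x's database class (the same $this->db calls exist in 2.x, where the builder was called Active Record). It assumes a CI install with a configured default database and a `users` table with `id`, `username` and `email` columns; the table, columns and method names are all assumptions made for the example.

```php
<?php
// Added example (not from the original answer or from CodeIgniter): which
// $this->db calls escape untrusted input for you, and the one that does not.
// Assumes CodeIgniter 3.x, a configured default database, and a `users` table
// with `id`, `username` and `email` columns (assumptions, not from the page).
defined('BASEPATH') OR exit('No direct script access allowed');

class User_model extends CI_Model
{
    // Query Builder (Active Record in CI 2.x): the value passed as the second
    // argument to where() is escaped by the database driver. Safe for
    // untrusted input. (Passing FALSE as a third argument switches that off.)
    public function find_by_username($username)
    {
        return $this->db->where('username', $username)
                        ->get('users')
                        ->row_array();
    }

    // Query bindings: each ? is replaced with an escaped, quoted copy of the
    // matching array element. Same safety as Query Builder for hand-written SQL.
    public function find_by_email($email)
    {
        $sql = 'SELECT id, username FROM users WHERE email = ?';
        return $this->db->query($sql, array($email))->row_array();
    }

    // Manual escaping: escape() both escapes and quotes strings (integers and
    // booleans are converted, NULL becomes NULL), so do not add quotes yourself.
    public function find_by_username_manual($username)
    {
        $sql = 'SELECT id, username FROM users WHERE username = '
             . $this->db->escape($username);
        return $this->db->query($sql)->row_array();
    }

    // LIKE needs one more step: escape() does not neutralise % and _, so the
    // pattern goes through escape_like_str(), whose escape character is '!'.
    // $this->db->like('username', $fragment) does all of this for you.
    public function search_username($fragment)
    {
        $pattern = '%' . $this->db->escape_like_str($fragment) . '%';
        $sql = "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '!'";
        return $this->db->query($sql, array($pattern))->result_array();
    }

    // The "usually" in the answer: a custom where() string is passed through
    // verbatim. Nothing is escaped, so this is a plain SQL injection sink.
    // A username of  x' OR '1'='1  returns the first row of the whole table.
    public function find_by_username_unsafe($username)
    {
        return $this->db->where("username = '$username'")  // VULNERABLE
                        ->get('users')
                        ->row_array();
    }
}
```

The rule of thumb the model illustrates: the framework escapes only values it can recognise as values. A pre-assembled string handed to where(), or to query() without a bindings array, is treated as SQL, so the escaping is your job, and the last method is exactly the shape to look for when reviewing a CodeIgniter code base.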
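The second half of the summary, that HTML output "is not done automatically because there's no way to know the context in which you are using the data", is the point most often missed. Below is an added example, not code from the answer or from CodeIgniter: plain PHP (7.0 or later, run from the CLI) so it needs no CI install. Its html_escape() is a stand-in that mirrors what CI's helper does (htmlspecialchars with ENT_QUOTES and the application charset) and is only defined when CI's own function is not loaded; js_escape(), url_param_escape(), safe_href() and render_profile() are names invented for the example, and the sample user record is constructed.

```php
<?php
// Added example (not from the original answer or from CodeIgniter): one escaper
// per output context. Plain PHP so it runs without CI: php escape_demo.php

if (!function_exists('html_escape')) {
    // Stand-in mirroring CI's html_escape(): htmlspecialchars with ENT_QUOTES,
    // applied recursively to arrays. Only defined when CI's core is not loaded.
    function html_escape($var, $double_encode = true)
    {
        if (is_array($var)) {
            foreach (array_keys($var) as $k) {
                $var[$k] = html_escape($var[$k], $double_encode);
            }
            return $var;
        }
        // ENT_QUOTES matters: before PHP 8.1 the default (ENT_COMPAT) leaves
        // single quotes alone, which lets input break out of a '...' attribute.
        return htmlspecialchars((string) $var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $double_encode);
    }
}

// Untrusted data inside inline JavaScript: HTML escaping is the wrong tool.
// json_encode with the HEX flags yields a JS literal that cannot close the
// <script> element or escape the string.
function js_escape($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Untrusted data inside a URL query string.
function url_param_escape($value)
{
    return rawurlencode((string) $value);
}

// Untrusted data used as a whole link target: no amount of escaping fixes a
// "javascript:" URL, so allow only http(s) and fall back to a harmless default.
function safe_href($url)
{
    $scheme = strtolower((string) parse_url((string) $url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return '#';
    }
    return html_escape($url);
}

// Renders a profile fragment; every interpolation uses the escaper for its
// context (text node, quoted attribute, href, query parameter, script).
function render_profile(array $user)
{
    $name   = html_escape($user['name']);       // text node / double-quoted attribute
    $site   = safe_href($user['website']);      // href target
    $search = url_param_escape($user['name']);  // query string value, then attribute
    $js     = js_escape($user['name']);         // JavaScript string literal

    return '<h1>' . $name . '</h1>' . "\n"
         . '<input type="text" name="name" value="' . $name . '">' . "\n"
         . '<a href="' . $site . '">Website</a>' . "\n"
         . '<a href="/search?q=' . html_escape($search) . '">Find similar</a>' . "\n"
         . '<script>var displayName = ' . $js . ';</script>';
}

// Constructed sample record (not from the page): typical XSS probes.
$user = array(
    'name'    => '"><script>alert(document.cookie)</script>\' onmouseover=\'alert(1)',
    'website' => 'javascript:alert(1)',
);

echo render_profile($user), "\n";
```

Running it prints markup in which the probes survive only as inert text: `&quot;&gt;&lt;script&gt;...` in the heading and the value attribute, `\u0022\u003E\u003Cscript\u003E...` inside the script literal, a percent-encoded query string, and `href="#"` for the javascript: URL. This is why the answer says a single xss_clean() pass on input is the wrong layer: the same string needs different treatment in each of those five places, and only the view knows which one applies. In CodeIgniter 2.1 and later the real html_escape() lives in the core (system/core/Common.php), so it is available in every view without loading a helper.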