duanmei4362 2015-03-16 23:33
Views: 78
Accepted

XSS filtering does not remove single quotes in CodeIgniter

I have been using CodeIgniter for some time. I just now found a possibility of SQL injection in my script.

When the user enters

<script>alert('hi') </script> 

in my input field, $this->security->xss_clean($field) removes the scripts, but it does not take care of the single quotes in the string. Because of that I am getting a query error:

Error Number: 37000

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.

SELECT * FROM account WHERE field1 = '[removed]alert('hi') [removed]' AND field2 = 'asdasd'

Filename: D:\htdocs\system\database\DB_driver.php

Line Number: 331

This is for a typical XSS string, but when the user adds 1' or '1'='1

no error is generated and the query runs successfully.

I know this can be solved by str_replace("'","",$field);.

How can I solve this using CodeIgniter?

Is there any global filter for this problem (like $config['global_xss_filtering'] = TRUE;) so that I don't have to add str_replace to all the input functions?

Is there any way to generate a log every time data has been cleaned by the XSS filtering?


3 answers

  • duanjiao1256 2015-03-17 00:18

    You try to protect yourself against SQL injection by calling xss_clean. xss_clean will protect you against XSS injections, but will not prevent SQL injections. Let me break it down for you:

    SQL injection: malicious user input which tries to hack your database on the server side. The user input will contain SQL code.

    XSS injection: malicious user input which tries to hack (spy on, in most cases) other users. The user input will contain JavaScript code.

    You need to protect yourself against both, but you should understand the difference.

    Read this for SQL injection prevention in CodeIgniter. You can also use prepared statements, or flourishlib. As for protection against XSS, you can use xss_clean, or you can even write simple code in plain PHP:

    // A static method must live in a class; the call below assumes it is named App.
    class App {
        // Strips HTML tags from every string in a (possibly nested) array, in place.
        public static function protectArrayAgainstXSS(&$arr) {
            foreach ($arr as $index => $a) {
                if (is_array($a)) {
                    App::protectArrayAgainstXSS($arr[$index]); // recurse into sub-arrays
                } else if ($a !== null) {
                    $arr[$index] = strip_tags($a);
                }
            }
        }
    }
    
    This answer was selected by the asker as the best answer.
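To make the answer's distinction concrete, here is an added example (not code from the question, the answer, or CodeIgniter itself) that runs the question's two inputs through the concatenated query from the error message and through a prepared statement. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table name and rows are constructed, and in CodeIgniter the equivalent fix is `$this->db->query($sql, $bindings)` with `?` placeholders or the query builder.

```php
<?php
// Constructed sample table and rows (stand-in for the question's "account" table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE account (field1 TEXT, field2 TEXT)");
$db->exec("INSERT INTO account VALUES ('alice', 'secret1'), ('bob', 'secret2')");

// VULNERABLE: how the question's query is built (values concatenated into the SQL).
function findConcatenated(PDO $db, string $f1, string $f2): array {
    $sql = "SELECT * FROM account WHERE field1 = '$f1' AND field2 = '$f2'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement. Values travel separately from the SQL text, so a
// quote in user input is just data and cannot change the query's structure.
function findPrepared(PDO $db, string $f1, string $f2): array {
    $stmt = $db->prepare("SELECT * FROM account WHERE field1 = ? AND field2 = ?");
    $stmt->execute([$f1, $f2]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Case 1: the injection string from the question. strip_tags (like xss_clean)
// leaves it unchanged. Because AND binds tighter than OR, the concatenated WHERE
// becomes (field1 = 'alice' AND field2 = '1') OR '1' = '1', which is true for
// every row; the prepared query compares field2 against the literal string.
$payload = strip_tags("1' or '1'='1");
printf("concatenated: %d rows\n", count(findConcatenated($db, 'alice', $payload)));
printf("prepared:     %d rows\n", count(findPrepared($db, 'alice', $payload)));

// Case 2: the XSS string from the question. The tags are stripped but the quotes
// stay, so concatenation yields a malformed query (the "Incorrect syntax near 'hi'"
// error in the question) while the prepared query simply matches nothing.
$xss = strip_tags("<script>alert('hi') </script>");
try {
    findConcatenated($db, $xss, 'asdasd');
} catch (PDOException $e) {
    echo "concatenated: SQL syntax error\n";
}
printf("prepared:     %d rows\n", count(findPrepared($db, $xss, 'asdasd')));
```

Note that strip_tags and xss_clean are not SQL escaping functions: neither touches quotes, which is exactly why the answer says XSS filtering does not address SQL injection.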
