i have been using codeigniter from some time i just now found an possibility of sql - injection in my script
When user enter
in my input field
$this->security->xss_clean($field) remove the scipts but it does not take care of single quotes of the string.
because of that i am getting query error as
Error Number: 37000
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.
SELECT * FROM account WHERE field1 = '[removed]alert('hi') [removed]' AND field2 = 'asdasd'
Line Number: 331
this is for typical xss string but when the user add
1' or '1'='1
no error is being generated and query runs successfully .
i know this can be solved by
how can i solve this using codeigniter?
is there any global filter for this problem like (
$config['global_xss_filtering'] = TRUE;)so that i don't have to add str_replace at all the input functions.
is there any way to generate log every time data has been clead with xss filtering?