duanmei4362 2015-03-16 23:33
浏览 78
已采纳

xss过滤不删除codeigniter中的单引号

i have been using codeigniter from some time i just now found an possibility of sql - injection in my script

When user enter

<script>alert('hi') </script> 

in my input field $this->security->xss_clean($field) remove the scipts but it does not take care of single quotes of the string. because of that i am getting query error as

Error Number: 37000

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.

SELECT * FROM account WHERE field1 = '[removed]alert('hi') [removed]' AND field2 = 'asdasd'

Filename: D:\htdocs\system\database\DB_driver.php

Line Number: 331

this is for typical xss string but when the user add 1' or '1'='1

no error is being generated and query runs successfully .

i know this can be solved by str_replace("'","",$field);.

how can i solve this using codeigniter?

is there any global filter for this problem like ($config['global_xss_filtering'] = TRUE;)so that i don't have to add str_replace at all the input functions.

is there any way to generate log every time data has been clead with xss filtering?

  • 写回答

3条回答 默认 最新

  • duanjiao1256 2015-03-17 00:18
    关注

    You try to protect yourself against SQL injection by calling xss_clean. xss_clean will protect you against xss injections, but will not prevent sql injections. Let me break it down to you:

    SQL injection: Malicious user input, which tries to hack your database on server side. User input will contain SQL code.

    XSS injection: Malicious user input, which tries to hack (spy in most cases) for other users. User input will contain Javascript code.

    You need to protect yourself against both, but you should understand the difference.

    Read this for SQL injection prevention in codeigniter. You can also use prepared statements, or flourishlib. As about protection against XSS, you can use xss_clean, or you can even write simple code in plain PHP:

    public static function protectArrayAgainstXSS(&$arr) {
        foreach ($arr as $index => $a) {
            if (is_array($a)) {
                App::protectArrayAgainstXSS($arr[$index]);
            } else if ($a !== null) {
                $arr[$index] = strip_tags($a);
            }
        }
    }
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥30 基于信创PC发布的QT应用如何跨用户启动后输入中文
  • ¥20 非root手机,如何精准控制手机流量消耗的大小,如20M
  • ¥15 远程安装一下vasp
  • ¥15 自己做的代码上传图片时,报错
  • ¥15 Lingo线性规划模型怎么搭建
  • ¥15 关于#python#的问题,请各位专家解答!区间型正向化
  • ¥15 unity从3D升级到urp管线,打包ab包后,材质全部变紫色
  • ¥50 comsol温度场仿真无法模拟微米级激光光斑
  • ¥15 上传图片时提交的存储类型
  • ¥15 VB.NET如何绘制倾斜的椭圆