i have been using codeigniter from some time i just now found an possibility of sql - injection in my script
When user enter
<script>alert('hi') </script>
in my input field $this->security->xss_clean($field)
remove the scipts but it does not take care of single quotes of the string.
because of that i am getting query error as
Error Number: 37000
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.
SELECT * FROM account WHERE field1 = '[removed]alert('hi') [removed]' AND field2 = 'asdasd'
Filename: D:\htdocs\system\database\DB_driver.php
Line Number: 331
this is for typical xss string but when the user add 1' or '1'='1
no error is being generated and query runs successfully .
i know this can be solved by str_replace("'","",$field);
.
how can i solve this using codeigniter?
is there any global filter for this problem like ($config['global_xss_filtering'] = TRUE;
)so that i don't have to add str_replace at all the input functions.
is there any way to generate log every time data has been clead with xss filtering?