duanmei4362 2015-03-16 23:33
浏览 78
已采纳

xss过滤不删除codeigniter中的单引号

i have been using codeigniter from some time i just now found an possibility of sql - injection in my script

When user enter

<script>alert('hi') </script> 

in my input field $this->security->xss_clean($field) remove the scipts but it does not take care of single quotes of the string. because of that i am getting query error as

Error Number: 37000

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.

SELECT * FROM account WHERE field1 = '[removed]alert('hi') [removed]' AND field2 = 'asdasd'

Filename: D:\htdocs\system\database\DB_driver.php

Line Number: 331

this is for typical xss string but when the user add 1' or '1'='1

no error is being generated and query runs successfully .

i know this can be solved by str_replace("'","",$field);.

how can i solve this using codeigniter?

is there any global filter for this problem like ($config['global_xss_filtering'] = TRUE;)so that i don't have to add str_replace at all the input functions.

is there any way to generate log every time data has been clead with xss filtering?

  • 写回答

3条回答 默认 最新

  • duanjiao1256 2015-03-17 00:18
    关注

    You try to protect yourself against SQL injection by calling xss_clean. xss_clean will protect you against xss injections, but will not prevent sql injections. Let me break it down to you:

    SQL injection: Malicious user input, which tries to hack your database on server side. User input will contain SQL code.

    XSS injection: Malicious user input, which tries to hack (spy in most cases) for other users. User input will contain Javascript code.

    You need to protect yourself against both, but you should understand the difference.

    Read this for SQL injection prevention in codeigniter. You can also use prepared statements, or flourishlib. As about protection against XSS, you can use xss_clean, or you can even write simple code in plain PHP:

    public static function protectArrayAgainstXSS(&$arr) {
        foreach ($arr as $index => $a) {
            if (is_array($a)) {
                App::protectArrayAgainstXSS($arr[$index]);
            } else if ($a !== null) {
                $arr[$index] = strip_tags($a);
            }
        }
    }
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
  • douyan0732 2015-03-16 23:59
    关注

    xss_clean is not good function for using in SQL query at all! XSS and SQL injection are two separated domains. From your description it is something like strip_tags and this is totally useless function for protecting before SQL injection.

    https://ellislab.com/codeIgniter/user-guide/database/queries.html

    You have to use escape* function or query parameters binding for sanitizing SQL queries. I do not use codeigniter but these concepts are general. Solution with str_replace is not also really good path.

    $sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?"; 
    $this->db->query($sql, array(3, 'live', 'Rick')); // All three values should be escaped properly
    
    评论
  • douqie1816 2015-03-17 00:58
    关注

    if you are on CI 2, make sure you are using most recent version of codeigniter (2.2.1) it had some xss clean & other security improvements.

    in terms of the issue you are having updating the database -- just use CI active record. if you use codeigniter active record for the database actions, then codeigniter automatically escapes the queries.

    also suggest to take a look at the docs for CI 3, there's more recent info about xss clean and the security class.

    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥20 C语言字符串不区分大小写字典排序相关问题
  • ¥15 关于#python#的问题:我希望通过逆向技术爬取1688搜索页下滑加载的数据
  • ¥15 学习C++过程中遇到的问题
  • ¥15 关于Linux的终端里,模拟实现一个带口令保护的屏保程序遇到的输入输出的问题!(语言-c语言)
  • ¥15 学习C++过程中遇到的问题
  • ¥15 请问,这个嵌入式Linux系统怎么分析,crc检验区域在哪
  • ¥15 二分类改为多分类问题
  • ¥15 Unity微信小游戏上调用ReadPixels()方法报错
  • ¥15 如何通过求后验分布求得样本中属于两种物种其中一种的概率?
  • ¥15 q从常量变成sin函数,怎么改写python代码?