Question
I have written a function for insertion into my database. I have a small doubt.
Does my code below provide good security to escape my data before submitting it to my database?
Please suggest me a solution if the code below does not provide a good way of inserting data into the db.
views.php
```php
<?php echo form_open('Setups/subject'); ?>
<?php echo '<div id="level">' . $subjectname . ' : ' . form_input($fsubjectname); ?>
<?php echo form_submit($submitbtn);
echo form_reset($resetbtn);
echo '</fieldset>'; ?>
<?php echo form_close(); ?>
```
controller.php
```php
class Setups extends CI_Controller {
    function subject() {
        $this->load->helper('form');
        $this->load->model('Setupsmodel');
        // Insert only when the form's submit button was posted
        if ($this->input->post('subsubmit')) {
            $this->Setupsmodel->entry_insert();
        }
        $data = $this->Setupsmodel->subjectsetup();
        $this->load->view('admin/setups/subject_setups', $data);
    }
}
```
model.php
```php
class Setupsmodel extends CI_Model {
    function __construct()
    {
        // Call the Model constructor
        parent::__construct();
    }

    // Labels and form-helper attribute arrays passed to the view
    function subjectsetup()
    {
        $data['subjectname'] = 'Enter Subject Name';
        $data['fsubjectname'] =
            array('name' => 'subject_name', 'class' => 'input', 'size' => 30, 'id' => 'txtsubject');
        $data['formtopic'] = 'Subject Details Form';
        $data['submitbtn'] = array(
            'name'    => 'subsubmit',
            'class'   => 'button',
            'value'   => 'Submit',
            'type'    => 'submit',
            'content' => 'Submit'
        );
        $data['resetbtn'] = array(
            'name'    => 'button',
            'class'   => 'rsetbutton',
            'value'   => 'Reset',
            'type'    => 'reset',
            'content' => 'Reset'
        );
        return $data;
    }

    //--------------Insertion of new record in the table subjectdetails into the db------------
    function entry_insert() {
        $this->load->database();
        $data = array(
            'subject_name' => $this->input->post('subject_name'));
        $this->db->insert('subjectdetails', $data);
    }
}
```
Answer 1:
You are not filtering your user input, so it's risky. Anyway, CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per-item basis. By default it does not run globally, since it requires a bit of processing overhead and since you may not need it in all cases. To filter data through the XSS filter you can use the following method from the security class:
```php
$data = $this->security->xss_clean($data);
```
If you want the filter to run automatically every time it encounters POST or COOKIE data, you can enable it by opening your application/config/config.php file and setting this:
```php
$config['global_xss_filtering'] = TRUE;
```
If you use the form validation class, it gives you the option of XSS filtering as well, using the set_rules method of the form validation class.
```php
$this->form_validation->set_rules('input_name', 'input label', 'xss_clean');
```
So in this case, you can use in your controller:
```php
$this->form_validation->set_rules('subject_name', 'Subject Name', 'xss_clean|required');
if ($this->form_validation->run())
{
    $this->Setupsmodel->entry_insert();
}
```
There the xss_clean rule will filter the input and the required rule will check whether the input is empty or not, so if validation is successful then your insert method will work.
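As an added example (not code from the question or the answer), here is plain PHP with PDO and an in-memory SQLite table standing in for CodeIgniter's `$this->db->insert()`. It separates the two protections this thread touches: binding the value keeps it from altering the INSERT statement, while encoding at output time keeps stored text from being rendered as markup. The table layout, the length limit and the constructed subject names are assumptions.

```php
<?php
// Added example: plain PHP + PDO/SQLite in place of CodeIgniter's query builder.
// Two separate concerns: parameter binding protects the INSERT; output encoding
// protects the page that later displays the stored value.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed table layout, mirroring the 'subjectdetails' table in the question
    $db->exec('CREATE TABLE subjectdetails (id INTEGER PRIMARY KEY, subject_name TEXT NOT NULL)');
    return $db;
}

// Counterpart of the model's entry_insert(): validate, then bind the value.
// The user input is never concatenated into the SQL text.
function insertSubject(PDO $db, string $subjectName): void {
    $subjectName = trim($subjectName);
    if ($subjectName === '' || strlen($subjectName) > 100) {   // 100 bytes: assumed limit
        throw new InvalidArgumentException('subject_name must be 1-100 bytes');
    }
    $stmt = $db->prepare('INSERT INTO subjectdetails (subject_name) VALUES (:name)');
    $stmt->execute([':name' => $subjectName]);
}

// Encoding belongs here, at the moment the value is placed into HTML.
function renderSubjectList(PDO $db): string {
    $html = "<ul>\n";
    foreach ($db->query('SELECT subject_name FROM subjectdetails ORDER BY id') as $row) {
        $html .= '  <li>' . htmlspecialchars($row['subject_name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

$db = openDb();
// Constructed inputs: an apostrophe that would break a concatenated query,
// and angle brackets that would be interpreted as a tag if echoed raw.
insertSubject($db, 'Mathematics');
insertSubject($db, "O'Neill's Physics");
insertSubject($db, '<b>Chemistry</b>');

// All three rows are stored exactly as typed; the markup is neutralised only on output.
echo $db->query('SELECT COUNT(*) FROM subjectdetails')->fetchColumn(), " rows stored\n";
echo renderSubjectList($db);
```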
Source: https://stackoverflow.com/questions/14301521/what-is-the-best-security-practice-to-escape-my-data-before-submitting-it-into-m