How to sanitize input in CodeIgniter 3?


According to the docs, the Input class does the following:

  • Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.
  • Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.
  • and some other processing, but for security, this is enough.

So, this solves the issue of SQL injection and XSS. For most usages, this is enough.

To enable XSS protection, use:

$val = $this->input->post('some_data', TRUE); // last param enables XSS protection.

Also, you may want to look into CSRF protection. But that's a bit tricky to enable if you're doing ajax calls.


Before accepting any data into your application, whether it be POST data from a form submission or URI data, you must follow these steps:

  1. Filter the data.
  2. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one).
  3. Escape the data before submitting it into your database.

CodeIgniter provides the following functions to assist in this process:

XSS Filtering

This filter looks for commonly used techniques to embed malicious JavaScript into your data.

To filter data through the XSS filter use the xss_clean() method: Read More

Validate the data

CodeIgniter has a Form Validation Library that assists you in validating, filtering, and prepping your data:

$this->form_validation->set_rules('username', 'Username','trim|required|min_length[5]|max_length[12]');

Trimming the fields, checking for length where necessary, and making sure that both password fields match. Read more

Escape all data before database insertion

Never insert information into your database without escaping it.

Refer to the Query Builder class for more info: https://www.codeigniter.com/userguide3/database/query_builder.html

More info

CodeIgniter does not make your application secure; see this: https://security.stackexchange.com/questions/97845/how-secure-is-codeigniter-3-x

Everything really depends on the developer. Frameworks will only provide a structure to build your applications. You will be more secure if you write core PHP.

Further Links:

How do you use bcrypt for hashing passwords in PHP?

Are PDO prepared statements sufficient to prevent SQL injection?
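The three steps from the answer above (filter, validate, escape) put together in one CodeIgniter 3 controller. This is an added example, not code from either answer or from the CodeIgniter project; the `Register` controller name, the `users` table and its `username`/`email` columns are assumptions.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example: a CI3 controller applying filter -> validate -> escape.
// Assumed schema: table `users` with columns `username` and `email`.
class Register extends CI_Controller
{
    public function index()
    {
        $this->load->library('form_validation');
        $this->load->database();

        // Step 2: validate. The rule string both filters (trim) and checks
        // type/length, so a bad value never reaches the database code below.
        $this->form_validation->set_rules('username', 'Username',
            'trim|required|min_length[5]|max_length[12]|alpha_numeric');
        $this->form_validation->set_rules('email', 'Email',
            'trim|required|valid_email');

        if ($this->form_validation->run() === FALSE) {
            // Re-show the form; validation_errors() renders the failures.
            $this->load->view('register_form');
            return;
        }

        // Step 1: read the fields through the Input class; the TRUE argument
        // runs the XSS filter on the value before it is returned.
        $username = $this->input->post('username', TRUE);
        $email    = $this->input->post('email', TRUE);

        // Step 3: escape. Query Builder escapes every value it binds, so the
        // user-supplied strings are never concatenated into the SQL text.
        $this->db->insert('users', array(
            'username' => $username,
            'email'    => $email,
        ));

        // The same insert as a raw query would need $this->db->escape() on
        // each value; Query Builder does that for you:
        // $sql = 'INSERT INTO users (username, email) VALUES ('
        //      . $this->db->escape($username) . ', '
        //      . $this->db->escape($email) . ')';
        // $this->db->query($sql);

        // Output context: escape again for HTML, since xss_clean() is a
        // filter for known attack patterns, not an HTML encoder.
        echo 'Registered ' . html_escape($username);
    }
}
```

Each step covers a different sink: the validation rules reject malformed input, Query Builder (or `$this->db->escape()`) protects the SQL context, and `html_escape()` protects the HTML output context; none of the three replaces the others.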