First, I should remind you that I've read this post and a few others about my problem, but the bottom line is that they're pretty much about 3 years ago.

Now I'm using CodeIgniter 3 and I'm wondering what is the best clean filter for my data, I retrieve them from the user before inserting into the database.

This is my website registration, I don't know what kind of user registration, I can't trust them. And it is possible to sanitize all the input before inserting the data into the database is dangerous I don't know if the input class is enough to sanitize it?
Please tell me about codeigniter sanitizing function!

I've read about security classes in the codeigniter documentation, but I want to be sure.

Solution:

According to the Docs, enter the class, do the following:

Filters GET/POST/COOKIE array keys, allowing only alphanumeric (and some other) characters.
Provides XSS (Cross Site Scripting Hacking) filtering. This can be enabled globally or on request.
And some other processing, But to be on the safe side, this is enough.

So this solves the problem of SQL injection and XSS. For most uses, this is enough.

To enable XSS protection use:

$val = $this->input->post('some_data', TRUE); // last param enables XSS protection.

Also, you might want to know about CSRF protection. But if you're doing ajax calls, it's a bit tricky to enable.

Bias: Try starting new projects in real frameworks like Zend, Laravel, etc. By default you have more control over filtering and security.

php - how to sanitize input codeigniter 3? Related posts

  1. php - the correct way to clear the password?

    How to sanitize a string that received a hash random salt?I could remove the spaces, check the length and use mysqli_real_escape_string, but is that enough? filter_var is indeed useful, but not helpful in this case, right?Solution:If you want to put the variable into an SQL query, you need to call m ...

  2. php-How to make the date legal/safe before passing it to strtotime()?

    This is what I have now.$date = mysqli_real_escape_string($dbc, trim(date('Ym-d',strtotime($_POST['date']))));Someone told me that I need to make sure that $date is safe/legal before passing it to strtotime(). How can I do it? I looked up at http://us3.php.net/strtotime, but it really didn't tell me ...

  3. php - user input, sanitize and sanitize

    I've searched a lot of questions here and I found them either very old or suggesting a prepared statement PDO which I don't use. So I need your help.I have a small discussion/chat box where users submit messages using <textarea>.What I need is to sanitize and filter user input so it only accep ...

  4. JavaScript based X/HTML and CSS sanitization

    Before everyone tells me that client-side cleanup shouldn't be done (I do intend to do it on the client-side, although it works in SSJS as well), let me clarify what I'm trying to do.I want something, similar to Google Caja or HTMLPurifier but for JavaScript: a safe whitelist-based approach that han ...

  5. PHP - clean input, but output is not as expected

    Here is one of my forms (PHP MySQL, textarea replaced by TinyMCE). It records descriptions with paragraphs, bullets, headings and text alignment (right, left, center and alignment).After submitting, the record appears asIntroductionThe death of the pixel leaves you with a flowing, magazine-quality c ...

  6. php-use whitelist to sanitize user input

    I have this code to filter the variable named"username"entered by the user:$username_clean = preg_replace("/[^a-zA-Z0-9_]/","", $_POST['username'] );if (!strlen($username_clean)){die("username is blank!");I want to perform the same process on each input on this page, but I have about 12 different in ...

  7. PHP: Does using _GET data require some form of sanitization?

    That is, for regular use in my PHP code. Not like I'm passing to my query or anything.Solution:If you pass them to an SQL query you get SQL injection > If you use them to form filenames you get an arbitrary file read vulnerability > If you output them as-is as part of an HTML page you get XSS ...

  8. How to Design Secure Web Forms: Validate, Sanitize, and Control

    While cybersecurity is often thought of in terms of databases and architecture, much of a strong security posture relies on elements in the domain of the front-end developer. For certain potentially devastating vulnerabilities like SQL injection and Cross-Site Scripting (XSS), a well-considered user ...

  9. PHP function for sanitizing input values

    I use this: function safeClean($n) { $n = trim($n); if(get_magic_quotes_gpc()) { $n = stripslashes($n); } $n = mysql_escape_string($n); $n = htmlentities($n); return $n; } Prevent any kind of MySQL injection or similar things. Whenever I use it to wrap $_POST: $username = safeClean($_P ...

  10. php – FILTER_SANITIZE vs FILTER VALIDATE, what’s the difference – and which ones to use?

    Currently I'm making a calculator-like application in PHP using a form as an input method. To protect the input I'm using the filter_input() function. As a filter, this function selects an element from two groups: FILTER_SANITIZE and FILTER_VALIDATE, and I should Which one to use to filter input fro ...

  11. php-Am I using FILTER_VALIDATE_INT FILTER_SANITIZE_NUMBER_INT correctly?

    Try to verify and then clean up the $_GET request. I just want to see if I am missing something.this is mine……if (isset($_GET['id'])) {$id = filter_input(INPUT_GET,'id', FILTER_VALIDATE_INT); if (!$id) {echo'Error'; exit();} $id = filter_input( INPUT_GET,'id', FILTER_SANITIZE_NUMBER_INT); $getinfo = ...

  12. python - Has the request data been sanitized by Flask?

    Should data from users (like cookie values, variable parts in paths, query parameters) be considered insecure and handled in a specific way? Does Flask already sanitize escaped input data, so it is safe to pass it to the function test(input_data)?Solution:Flask doesn't need to request data other tha ...

  13. php - how to sanitize input codeigniter 3?

    First, I should remind you that I've read this post and a few others about my problem, but the bottom line is that they're pretty much about 3 years ago.Now I'm using CodeIgniter 3 and I'm wondering what is the best clean filter for my data, I retrieve them from the user before inserting into the da ...

  14. php-FILTER_SANITIZE_STRING is stripping <characters and any text after it

    I encountered a weird problem when using FILTER_SANITIZE_STRING on a variable (filled by manual input). It seems to be stripped of the <character and any text after it. The> character remains unchanged.I think it thinks that <is an HTML tag that needs to be stripped, but there is no closing tag after it, so I don't know why this happens. Is there a way to make it leave the <in place, and it should still be sanitized as required?Solution:The fundamental problem is that when you use FI ...

  15. HTML Sanitizer API

    Three cheers for (draft stage) progress on a Sanitizer API! It’s gospel that you can’t trust user input. And indeed, any app I’ve ever worked on has dealt with bad actors trying to slip in and execute nefarious code somewhere it shouldn’t. It’s the web developer’s ...

  16. java – OWASP html sanitizer – why does it cover certain entities?

    I am a new user of Owasp, which is an HTML cleaner, and found that with any strategy I use, it transfers some entities back to characters.For example, this string:@ test!Becomes this:@ test!I want to leave entities"as is"as much as possible. I can even understand whether it escapes them, rather than ...

Recent Posts

  1. java-describe this System.gc() behavior

    In the book"Thinking in Java", the author provides a technique to force object garbage collection. I wrote a similar program to test this (I am on Open JDK 7)://forcing the garbage collector to call the finalize methodclass PrintMessage{ private String message; public PrintMessage (String m) { this....

  2. Commonly used string built-in functions in python

    String built-in functions commonly used in python1. Case relatedcapitalize() #Convert the first character of the string to uppercase representationtitle() #returns the first letter of each word in uppercaseistitle() #Judging whether the first letter of each word is capitalized, and the return result...

  3. The foreach function in PHP-JSON only returns one line

    I'm trying to display more than one line from the JSON response, but somehow it only returns one line each time. The query works well on the server. If I don't use ajax/json to use the code, the code works well. I have a headache about this .What am I doing wrong here? Any help would be greatly appr...

  4. Java Message Queue

    Function: Improve the asynchronous communication of the system and expand the decoupling capability.The system sends a message to the message agent to take over, and the message agent guarantees that the message is delivered to the specified destination.There are two main forms:  1. Queue:...

  5. javascript-How to prevent iframe from loading?

    Hi, I am uploading files via iframe.HTML:Now I want to abort the upload while uploading. So I want to stop the iframe loading.I tried$("iframe").attr("src","javascript:false;");$("IFRAME") delete ().if (typeof(window.frames[0].stop) ==="function") window.frames[0].stop();else window.frames[0].docume...

  6. javascript-How to find the jQuery DropDownCheckList option-jQuery syntax problem

    I am using an ASP.Net webpage, which will use the jQuery dropdown list (http://code.google.com/p/dropdown-check-list/). I am very inexperienced with JavaScript, and it is still brand new to jQuery .What I want to do is to collect the value of the selected item every time the checkbox is checked/unch...

  7. applet

    link to the original text: https://www.cnblogs.com/gavinjay/p/9587906.htmlNotes for Mini Program Development● 1. It is necessary to distinguish whether the business logic of a new page is suitable for requesting data in onload or suitable for requesting data in onshow. ● 2 Various requests of the pa...

  8. teach you how to analyze WeChat chat content with Python

    Before starting, let me briefly explain why I wrote this article?In order to develop new customers, the leader arranged for the company's customer service staff to join many WeChat groups and collect the contact information of target customers in the group.However, the way they collect customer info...

  9. python OrderedDict and Dict

    1. When using OrderedDict, we need to import OrderedDict from the collections module. Dict is a built-in data type of Python, so it can be used directly; Python has other built-in data types, such as str, int, list, tuple, and dict.2. The biggest difference between the dictionary Dict and OrderedDic...

  10. java-Why does Eclipse only suggest "rename in files"?

    If i writesomethingSomething = 2;Where something is not defined, Eclipse only suggests"rename in a file".This only happens in a particular file, and that particular file has a .java extension, just like all other files, in these files Eclipse is not only ready to create things or other things. What ...