I am writing a search function that enables users to search a particular table on my database. My website runs on CodeIgniter.
For the search function, I use $_GET instead of the CodeIgniter $this->input-get() since I had trouble using the latter within a helper function.
Now, here’s a security question:
What is the best way to sanitize and filter malicious characters in the $_GET array in order to prevent XSS and SQL injection?
Bearing in mind that data in the $_GET array will be used to query the database and retrieve info from it.
Is there a recursive way to clean the entire $_GET array without having to go thru one by one element?
Should I use PHP’s filter methods or CodeIgniter’s?
Any advice will be greatly appreciated!
Thanks in advance!
Codeigniter disables $_GET by default. Using the URI class you can simulate $_GET variables:
GET parameters in the URL with CodeIgniter
You can hack around it and use $_GET, which it sounds like you’ve done. But I wouldn’t recommend that. You should use CodeIgniter’s Input class. That provides XSS filtering and you can clean the entire $_GET array by running:
If you use Codeigniter’s database utility class to run your queries, it has an escape function built in. Look at the Escaping Queries section.
http://ellislab.com/codeigniter/user-guide/database/queries.html