Home/ Questions/Q 1091759
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T23:34:50+00:00

Some doubts regarding Codeigniter and its Input handling capabilities. Some may be a little

  • 0

Some doubts regarding Codeigniter and its Input handling capabilities. Some may be a little weird but they are doubts none-the-less.

  1. If I use the Active Record Class functions in CodeIgniter, is my input prevented against SQL injection?
  2. I read somewhere that it does, but I don’t understand it how? or why?
  3. Also does xssclean deal with SQL injection in any way?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    is my input prevented against SQL injection?

    Not exactly ‘automatically’, but it does provide parameterised queries. CodeIgniter or no, you should use parameterised queries in preference to query string hacking whenever possible.

    $bof= "a'b";
$zot= 'a\b';

// Insecure! Don't do this!
//
$this->db->query("SELECT foo FROM bar WHERE bof='$bof' AND zot='$zot'"); 

// Secure but annoying to write
//
$this->db->query("SELECT foo FROM bar WHERE bof='".$this->db->escape($bof)."' AND zot='".$this->db->escape($zot)."'"); 

// This is what you want
//
$this->db->query('SELECT foo FROM bar WHERE bof=? AND zot=?', array($bof, $zot));

    Note this is nothing to do with ‘input’: when you make an SQL query from strings you must use parameterisation or escaping to make them fit, regardless of whether they’re user input or not. This is a matter of simple correctness; security is a side-effect of that correctness.

    Similarly when you output text into HTML, you need to HTML-encode <, & and " characters in it then. It is absolutely no use trying to fiddle with the input to escape or remove characters that might be troublesome in the future if you happen to use them without escaping in SQL or HTML. You’ll mangle your output by having unexpected SQL-escaping in HTML (which is why you see self-multiplying backslashes in badly-written apps) and unwanted HTML-escaping in SQL. And should you take text from somewhere other than that direct user input (say, material already in the database) you aren’t protected at all.

    Also does xssclean deal with SQL injection in any way?

    No. It’s aimed at HTML injection. But it’s worse than worthless. Never use it.

    “XSS filtering” is completely bogus (again, CodeIgniter’s or anyone else’s). XSS needs to be prevented by correctly HTML-escaping output, not mangling input. XSS filtering will not adequately protect you if your application is not already secure; at best it will obfuscate your existing flaws and give you a false sense of security. It will also mangle a lot of valid input that CI thinks looks like tags.

    • 0