Thursday, 15 September 2011

php - xss filtering not removing single quotes in codeigniter


I've been using CodeIgniter for some time now, and I've found the possibility of SQL injection in my script.

When users enter

   

in my input field, $this->security->xss_clean($field) removes the script but does not take care of the single quotes in the string, and I'm getting a query error:

Error Number: 37000

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.

Select account where field1 = '[removed]alert('hi')[removed]' and field2 = 'ADASD'

Filename: D:\HTOX\System\database\DB_driver.php

Line Number: 331

This happens for that specific XSS string, but when the user enters 1' or '1' = 1

no error is generated and the query runs successfully.

I know that this can be solved with str_replace("'", "", $field); (the original post shows the first argument as an empty string; the single quote is what the question is about).

How can I solve it using CodeIgniter?

Is there a global filter for this problem (like $config['global_xss_filtering'] = TRUE;) so that I don't have to add str_replace to every input function?

Is all the data being cleaned by the XSS filtering?

You are trying to save yourself from SQL injection by calling xss_clean. xss_clean will save you from XSS injections, but it will not stop SQL injection. Let me break it down for you:

SQL injection: malicious user input that tries to attack your database on the server side; the user input will contain SQL code.

XSS injection: malicious user input that tries to attack other users (in most cases to spy on them); the user input will contain JavaScript code.

You need to protect yourself against both, but you should understand the difference.

Read the CodeIgniter documentation on preventing SQL injection. You can also use prepared statements. For protection against XSS you can use xss_clean, or you can write simple code in plain PHP:

    <?php
    // Recursive helper that runs strip_tags over every string in an array.
    // The class wrapper is added here so that the self:: call resolves; the
    // class name did not survive on the page.
    class XssHelper
    {
        public static function protectArrayAgainstXSS(&$arr)
        {
            foreach ($arr as $index => $a) {
                if (is_array($a)) {
                    // Recurse into nested arrays (e.g. multi-dimensional POST data)
                    self::protectArrayAgainstXSS($arr[$index]);
                } else if ($a !== null) {
                    // Remove HTML/PHP tags; note this does NOT touch quote characters
                    $arr[$index] = strip_tags($a);
                }
            }
        }
    }
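The following is an added example, not code from the question or the answer above, that demonstrates the point of the answer: tag stripping (what xss_clean and strip_tags do) leaves quote characters in place, so building SQL by string concatenation stays injectable, while parameter binding handles the same inputs safely. It uses PDO with an in-memory SQLite database so it runs stand-alone; the accounts table, its rows and the two inputs are constructed for the demo and modelled on the strings in the question.

```php
<?php
// Added example: tag stripping vs. parameter binding against the inputs from the question.
// Everything here (table, rows, inputs) is constructed for the demo.

// Same idea as the answer's recursive strip_tags helper.
function stripMarkup(&$arr)
{
    foreach ($arr as $index => $value) {
        if (is_array($value)) {
            stripMarkup($arr[$index]);
        } elseif ($value !== null) {
            $arr[$index] = strip_tags($value);
        }
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE accounts (account TEXT, field1 TEXT)");
$pdo->exec("INSERT INTO accounts VALUES ('alice', 'secret-a'), ('bob', 'secret-b')");

// Constructed inputs: the script tag from the question and the quote-based payload.
$inputs = array(
    'script' => "<script>alert('hi')</script>",
    'quotes' => "1' or '1' = '1",
);

// After stripping, 'script' becomes alert('hi') and 'quotes' is unchanged:
// the quote characters are still there.
stripMarkup($inputs);

// 1) String concatenation: the filtered value is still parsed as SQL.
foreach ($inputs as $name => $value) {
    $sql = "SELECT account FROM accounts WHERE field1 = '" . $value . "'";
    try {
        $rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        // 'quotes' returns every account (2 rows): the OR condition is always true
        echo "concat [$name]: " . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        // 'script' produces a syntax error, just like the error in the question
        echo "concat [$name]: error: " . $e->getMessage() . "\n";
    }
}

// 2) Parameter binding: the value is sent as data, never parsed as SQL.
$stmt = $pdo->prepare("SELECT account FROM accounts WHERE field1 = ?");
foreach ($inputs as $name => $value) {
    $stmt->execute(array($value));
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    // 0 rows for both inputs, and no syntax error
    echo "bound  [$name]: " . count($rows) . " row(s)\n";
}
```

In CodeIgniter the equivalent of the bound statement is the database class's query bindings, $this->db->query("SELECT account FROM accounts WHERE field1 = ?", array($field)), which escape the value for you; xss_clean can still be applied on top of that for output that is rendered to other users, which is the separate problem it is designed for.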
