Codeigniter - best practice to sanitize input

vincent · Feb 7, 2013 · Viewed 11.8k times

I would like to know what's the best practice to sanitize user input using Codeigniter.

I understand that CI offers form_validation, such as set_rules.

'set_rules'=>'trim|xss_clean|alpha_numeric|htmlspecialchars'

"Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc."

My question now is,

Is this enough to protect us from XSS, SQL injection attacks etc.?

What other rules are there that I can apply?

In terms of performance, is it costly for us to apply all these rules to all the inputs?

I understand MD5 is a hash function, but what happens if you set MD5 as part of the rule?

Above that I've added JavaScript validation as well. Am I on the right track on sanitizing inputs and validating user inputs? Please advise.

Answer

Repox · Feb 7, 2013

Sanitizing is more than just running your input through all sorts of filters.

Sanitizing your input is about not polluting your application with user data you don't want.
The big question, though, is: what is it you don't want?

First example

You've made a page, allowing a user to send a text message. Your expected input would be a phone number and a text message.
Looking at the Rule reference in the manual, I would probably go for these rules:

numeric|exact_length[8]

These rules, as I would like to make sure that the input is numeric and that the input matches the length of phone numbers in my region. Since I already validate that the input is numeric, I can assume that XSS and SQL injection attempts should fail (as these attacks contain non-numeric characters).

For the text message field, I would use trim and required: trim|required as I don't want an empty message sent.

Second example

Allowing users to comment is a good way to allow users to spam your site or inject malicious code.

Basically, what you want is a name, an email and the comment.

All input needs to be required. The e-mail needs to validate. But the comment and name need to have some cleaning of XSS and overhead spaces/line feeds.

My validation with sanitization would look like this:

$this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('comment', 'Comment', 'required|trim|xss_clean');

Sanitize what you must - not what you can - and do the sanitization for what you need.
Make sure, when you insert the data to your backend, to use the Active Record/Query Builder for escaping your input correctly or that you are using Query Bindings, which do the same for you.
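The two forms from the answer, put together as an added example (this is not code from the question or the answer): a CodeIgniter 3 controller that validates the SMS form and the comment form, stores the data through query bindings and Query Builder respectively, and escapes the stored comments when rendering them. The controller name, the table names sms_queue and comments, and the column names are assumptions made for the example. Two deliberate differences from the answer's rule chains: the phone number uses is_natural instead of numeric, because CodeIgniter's numeric rule also accepts a leading sign and a decimal point, so "+1234567" would pass numeric|exact_length[8]; and xss_clean is left out of the rule chain, because CodeIgniter's XSS filter rewrites the stored data by pattern matching, whereas escaping with html_escape() at output protects the page without altering what the user wrote.

```php
<?php
// Added example, not code from the question or answer: a CodeIgniter 3
// controller applying the validation discussed above, then storing the data
// with query bindings / Query Builder. The controller name and the table and
// column names (sms_queue, comments) are assumptions made for this example.
defined('BASEPATH') OR exit('No direct script access allowed');

class Contact extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->helper(array('form', 'url'));
        $this->load->database();
    }

    // First example: SMS form. Allow-list the phone number rather than filter
    // out "bad" characters. is_natural accepts digits only (numeric would also
    // accept a sign and a decimal point), so an 8-digit value cannot carry a
    // tag, a quote or a SQL comment sequence.
    public function sms()
    {
        $this->form_validation->set_rules('phone', 'Phone', 'trim|required|is_natural|exact_length[8]');
        $this->form_validation->set_rules('message', 'Message', 'trim|required|max_length[160]');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('sms_form'); // the view prints validation_errors()
            return;
        }

        // Query bindings: the database driver escapes each bound value, so a
        // message containing quotes or a semicolon stays plain data.
        $this->db->query(
            'INSERT INTO sms_queue (phone, body) VALUES (?, ?)',
            array($this->input->post('phone'), $this->input->post('message'))
        );
        redirect('contact/sms');
    }

    // Second example: comment form. Validation constrains shape and length;
    // it does not try to make free text "safe" for HTML. That happens on output.
    public function comment()
    {
        $this->form_validation->set_rules('name', 'Name', 'trim|required|max_length[60]');
        $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
        $this->form_validation->set_rules('comment', 'Comment', 'trim|required|max_length[2000]');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('comment_form');
            return;
        }

        // Query Builder escapes and quotes every value itself.
        $this->db->insert('comments', array(
            'name'    => $this->input->post('name'),
            'email'   => $this->input->post('email'),
            'comment' => $this->input->post('comment'),
            'created' => date('Y-m-d H:i:s'),
        ));
        redirect('contact/comment');
    }

    // Output encoding is what actually neutralises stored XSS: every value is
    // escaped at the moment it is written into HTML, whatever happened on input.
    // (Rendering belongs in a view; it is inlined here to keep the example short.)
    public function index()
    {
        $rows = $this->db->order_by('created', 'DESC')->get('comments', 20)->result();
        foreach ($rows as $row) {
            echo '<p><b>' . html_escape($row->name) . '</b>: '
               . nl2br(html_escape($row->comment)) . '</p>';
        }
    }
}
```

The split of responsibilities is the point: validation rules decide what shape of input the application accepts, the database layer (bindings or Query Builder) keeps data from becoming SQL, and html_escape() at render time keeps data from becoming markup. Any one of the three on its own leaves a gap; a comment such as `<script>alert(1)</script>` passes the length rules, is stored byte-for-byte by the bound INSERT, and is harmless in the page only because index() escapes it.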