EducateYourself

Reputation: 979

CodeIgniter posting values in a secure way

I passed an id with the AJAX POST method to my CodeIgniter controller:

I have set $config['global_xss_filtering'] = TRUE; in my config file.

$id = $this->input->post('id');
$this->model_a->did($id);

I would like to know if the code above is secure enough, or whether I should add something like this:

if ($this->input->post('id') && !empty($_POST['id'])) {
    $id = $this->input->post('id');
    if (is_int($id)) {
        $this->model_a->did($id);
    }
}

Or maybe I should add something else? Could you please help me to find the most secure way.

Update:

And is the code below secure enough for a value submitted via an HTML form?

$this->form_validation->set_rules('username', 'Username', 'required|trim');

if ($this->form_validation->run()) {
    $username = $this->input->post('username');
}

Should I add if ($this->input->post('username') && !empty($_POST['username'])) or something else?

Upvotes: 1

Views: 560

Answers (1)

Rajinder Chandel

Reputation: 264

global_xss_filtering only escapes (or converts) certain "dangerous" HTML tags.

As id will always be an integer, it will be more secure to also use the checks/validation you mentioned:

if ($this->input->post('id') && !empty($_POST['id'])) {
    $id = $this->input->post('id');
    if (is_int($id)) {
        $this->model_a->did($id);
    }
}

OR

if ($this->input->post('id') && !empty($_POST['id'])) {
    $id = (int) $this->input->post('id');
    $this->model_a->did($id);
}

Regarding the updated part of the question:

As you are using CodeIgniter form validation, I think there is no need to use extra checks/validation. You can use something like the code given below:

$this->form_validation->set_rules('username', 'Username', 'required|trim');

if ($this->input->server('REQUEST_METHOD') === 'POST') { // To determine if a form has been submitted
    if ($this->form_validation->run()) {
        $username = $this->input->post('username');
        // other fields will go here
    }
}

OR

if ($_POST) { // To determine if a form has been submitted
    if ($this->form_validation->run()) {
        $username = $this->input->post('username');
        // other fields will go here
    }
}

Upvotes: 1
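An added example, written for this page rather than taken from the question or the answer, covering both the id check and the username check discussed above. It runs in plain PHP without CodeIgniter, so the validation is done with filter_var() and ctype_alnum(); the CodeIgniter form_validation rule names in the comments (required, is_natural_no_zero, trim, alpha_numeric, max_length) are the built-in rules that perform the same checks inside a controller. The sample $_POST arrays are constructed for the demonstration. One detail worth seeing run: every posted value arrives as a string, so is_int($this->input->post('id')) is false even for '42', which makes the is_int() branch above unreachable; a (int) cast, on the other hand, silently turns '42abc' into 42.

```php
<?php
// Added example (not from the question or answer): validating POST values in plain PHP.
// Comments name the CodeIgniter form_validation rules that implement the same checks.

// Constructed sample requests standing in for $_POST.
$samples = [
    ['id' => '42',       'username' => '  alice '],  // well-formed
    ['id' => '42abc',    'username' => 'bob'],       // (int) cast would give 42 silently
    ['id' => '-1',       'username' => ''],          // negative id, empty username
    ['id' => '<script>', 'username' => 'x'],         // XSS filtering does not make this a valid id
    ['username' => 'carol'],                         // id missing entirely
];

/**
 * Validate an id the way the CodeIgniter rules 'required|is_natural_no_zero' do:
 * present, digits only, greater than zero. Returns the int, or null on rejection.
 *
 * is_int() is deliberately not used: POST data is always a string, so
 * is_int('42') === false and such a check never passes.
 */
function validate_id(array $post): ?int
{
    if (!isset($post['id']) || !is_string($post['id'])) {
        return null;
    }
    $id = filter_var($post['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Validate a username the way 'required|trim|alpha_numeric|max_length[32]' would.
 * Returns the trimmed username, or null on rejection.
 */
function validate_username(array $post): ?string
{
    if (!isset($post['username']) || !is_string($post['username'])) {
        return null;
    }
    $u = trim($post['username']);
    if ($u === '' || strlen($u) > 32 || !ctype_alnum($u)) {
        return null;
    }
    return $u;
}

// Show what a string check does to each constructed sample.
var_dump(is_int('42'));          // bool(false): the reason the is_int() branch never runs
foreach ($samples as $i => $post) {
    $id   = validate_id($post);
    $user = validate_username($post);
    printf("sample %d: id=%s username=%s\n", $i,
        $id === null ? 'REJECT' : $id,
        $user === null ? 'REJECT' : $user);
}

// The same checks expressed as CodeIgniter form_validation rules in a controller
// (shown as comments because this script runs without the framework):
// $this->form_validation->set_rules('id', 'ID', 'required|is_natural_no_zero');
// $this->form_validation->set_rules('username', 'Username', 'required|trim|alpha_numeric|max_length[32]');
// if ($this->form_validation->run()) {
//     $id = (int) $this->input->post('id');   // safe to cast once the rule has passed
//     $this->model_a->did($id);
// }
```

Only samples 0 and 1 pass the id check in the sense of being integers, and sample 1 is rejected because '42abc' is not a whole integer; samples 2 through 4 are rejected for a negative, non-numeric or missing id. Whatever the controller does, the model's query should still pass $id as a bound parameter (CodeIgniter's $this->db->query() with a ? placeholder and an array of values, or Query Builder methods) rather than interpolating it into SQL, since the validation in the controller and the escaping in the model protect against different mistakes.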
