xss filtering not removing single quotes in codeigniter

Question

i have been using codeigniter from some time i just now found an possibility of sql - injection in my script

When user enter

<script>alert('hi') </script> 

in my input field $this->security->xss_clean($field) remove the scipts but it does not take care of single quotes of the string. because of that i am getting query error as

Error Number: 37000

[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'hi'.

SELECT * FROM account WHERE field1 = '[removed]alert('hi') [removed]' AND field2 = 'asdasd'

Filename: D:\\htdocs\\system\\database\\DB_driver.php

Line Number: 331

this is for typical xss string but when the user add 1' or '1'='1

no error is being generated and query runs successfully .

i know this can be solved by str_replace("'","",$field); .

how can i solve this using codeigniter?

is there any global filter for this problem like ( $config['global_xss_filtering'] = TRUE; )so that i don't have to add str_replace at all the input functions.

is there any way to generate log every time data has been clead with xss filtering?

Answer 1

You try to protect yourself against SQL injection by calling xss_clean . xss_clean will protect you against xss injections, but will not prevent sql injections. Let me break it down to you:

SQL injection: Malicious user input, which tries to hack your database on server side. User input will contain SQL code.

XSS injection: Malicious user input, which tries to hack (spy in most cases) for other users. User input will contain Javascript code.

You need to protect yourself against both, but you should understand the difference.

Read this for SQL injection prevention in codeigniter. You can also use prepared statements, or flourishlib . As about protection against XSS, you can use xss_clean , or you can even write simple code in plain PHP:

public static function protectArrayAgainstXSS(&$arr) {
    foreach ($arr as $index => $a) {
        if (is_array($a)) {
            App::protectArrayAgainstXSS($arr[$index]);
        } else if ($a !== null) {
            $arr[$index] = strip_tags($a);
        }
    }
}

Answer 2

xss_clean is not good function for using in SQL query at all! XSS and SQL injection are two separated domains. From your description it is something like strip_tags and this is totally useless function for protecting before SQL injection.

https://ellislab.com/codeIgniter/user-guide/database/queries.html

You have to use escape* function or query parameters binding for sanitizing SQL queries. I do not use codeigniter but these concepts are general. Solution with str_replace is not also really good path.

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?"; 
$this->db->query($sql, array(3, 'live', 'Rick')); // All three values should be escaped properly

Answer 3

if you are on CI 2, make sure you are using most recent version of codeigniter (2.2.1) it had some xss clean & other security improvements.

in terms of the issue you are having updating the database -- just use CI active record. if you use codeigniter active record for the database actions, then codeigniter automatically escapes the queries.

also suggest to take a look at the docs for CI 3, there's more recent info about xss clean and the security class.