I am using CodeIgniter, and at the moment I am making a full-body search, and I am wondering what the best practice is to do this. For now I have this:
$keyword = $this->db->escape_like_str(trim($_POST['keyword']));
After that, the search is performed. Is this safe, or do I need to do something more (XSS filtering is on)?
Because you are accessing the $_POST variable directly, you're bypassing all of CI's XSS/escaping and security features. You should be getting that as:
$this->input->post('keyword');
This is automatically escaped by CI, and you can perform other validations before just throwing it at the DB. Also, if you use Active Record, then all values are automatically escaped as required too.
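As an added example, not code from the question or the answer above, here is how the full-body search from the question looks when the keyword is read through CodeIgniter's Input class (as the answer recommends) and the LIKE pattern is built so that user-supplied % and _ cannot act as wildcards, once with Query Builder and once with a bound hand-written query. It assumes CodeIgniter 3: the TRUE argument to post() running xss_clean(), like() applying escape_like_str() and appending an ESCAPE clause, the '!' escape character, and html_escape() are CI 3 behaviour. The posts table, its columns, the class names and the keyword length limit are invented for illustration; in a real application the model and controller live in separate files.

```php
<?php
// Added example, not from the original question or answer. Assumes CodeIgniter 3.x.
// Table/column names (posts, id, title, body), class names and MAX_KEYWORD_LEN are
// made up for illustration.
defined('BASEPATH') OR exit('No direct script access allowed');

class Search_model extends CI_Model
{
    // Longest keyword accepted; keeps LIKE '%...%' table scans bounded (assumed limit).
    const MAX_KEYWORD_LEN = 100;

    /**
     * Full-body search with Query Builder. like() runs escape_like_str() on the value
     * and adds an ESCAPE clause, so a keyword such as "100%" or "a_b" matches literally
     * instead of being interpreted as a wildcard pattern.
     */
    public function search_body_qb($keyword, $limit = 50)
    {
        $keyword = $this->normalize_keyword($keyword);
        if ($keyword === '') {
            return array();
        }

        return $this->db->select('id, title, body')
                        ->from('posts')
                        ->like('body', $keyword)   // '%keyword%', wildcards escaped
                        ->order_by('id', 'DESC')
                        ->limit((int) $limit)
                        ->get()
                        ->result_array();
    }

    /**
     * Same search with a hand-written query. The "?" binding quotes the string for SQL,
     * but it does NOT neutralize LIKE wildcards, so escape_like_str() is still needed,
     * and the ESCAPE character must be the one the driver uses ('!' in CI 3).
     */
    public function search_body_raw($keyword, $limit = 50)
    {
        $keyword = $this->normalize_keyword($keyword);
        if ($keyword === '') {
            return array();
        }

        $pattern = '%' . $this->db->escape_like_str($keyword) . '%';
        $sql = "SELECT id, title, body FROM posts WHERE body LIKE ? ESCAPE '!' "
             . "ORDER BY id DESC LIMIT " . (int) $limit;

        return $this->db->query($sql, array($pattern))->result_array();
    }

    // Trim and cap the keyword; mb_substr avoids cutting a multibyte character in half.
    private function normalize_keyword($keyword)
    {
        $keyword = trim((string) $keyword);   // post() returns NULL when the field is absent
        return mb_substr($keyword, 0, self::MAX_KEYWORD_LEN);
    }
}

class Search extends CI_Controller
{
    public function index()
    {
        $this->load->model('search_model');

        // Read through the Input class instead of $_POST. TRUE runs xss_clean() on the
        // value; that is output sanitization for HTML, not SQL escaping, which happens
        // in the model via like() / escape_like_str() / query bindings.
        $keyword = $this->input->post('keyword', TRUE);

        $results = $this->search_model->search_body_qb($keyword);

        // Escape for the HTML context at render time regardless of xss_clean().
        foreach ($results as &$row) {
            $row['title'] = html_escape($row['title']);
        }
        unset($row);

        $this->load->view('search_results', array(
            'results' => $results,
            'keyword' => html_escape($keyword),
        ));
    }
}
```

Two points worth checking in your own setup: xss_clean() and SQL escaping are separate layers (the first protects the page that echoes the keyword back, the second protects the query), and the ESCAPE '!' clause in the raw variant matches CI 3's default escape character only. If you are on an older CodeIgniter, run the raw query once and inspect $this->db->last_query() to confirm the escaping the driver actually produced before relying on it; the Query Builder variant handles this for you.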