为codeigniter - 活动记录容易受到SQL注入? [英] Are Codeigniter - Active Records Vulnerable to SQL Injections?
问题描述
刚刚看完这堆栈溢出因而留给我想知道如果SQL注入有可能通过在CI的活动记录。
Just read this on Stack overflow and thus left me wondering if sql injection is possible through active records in CI.
在大多数的地方在我的项目,用户注册和用户配置文件更新我做SQL插入这样的:
At most of the places in my project , for user registration and user profile update i have done sql insertions like this :
控制器:
$name = $this->input->post('name');
$last_name = $this->input->post('last_name');
$age = $this->input->post('dob');
$user_data = array(
'name' => $name,
'last_name' => $last_name,
'age' => $age
);
$this->user_model->add_user_function($user_data);
型号:
function add_user_function($data);
{
$this->db->insert('user_table',$data);
return;
}
就像上面的SO链接的例子,是我的code vulerable SQL注入,可你给一个具体的例子,如果有可能伤害我的系统和哪能prevent如果它存在。
Just like the example in the SO link above , is my code vulerable to sql injection , can u give a particular example if it is possible to harm my system and how can i prevent if it exists.
推荐答案
目前已经有针对您的情况提供了codeIgniter。2安全功能
There are 2 safety features already provided by CodeIgniter for your case.
-
XSS过滤用户输入: 输入类有第二个布尔参数的方法,它可以让你通过一个XSS过滤器运行输入如果你没有对全球XSS过滤器。
XSS filtering for your user input : Input Class has second boolean parameter for its methods, which lets you run the input through a XSS filter in case you do not have global xss filter on.
有关SQL注入,使用绑定的查询和活动记录是安全的,这会节省你的SQL注入的框架做了所有逃避漏洞的用户输入的工作。很少有漏洞与活动的记录,报告用户说,他们不过很快就被codeIgnitor队固定suqsequent版本(EllisLabs)
For SQL injections, using binded queries and Active records is safe, it will save you from SQL injections as the framework does all of the work of escaping vulnerable user input. There are few vulnerabilities with Active records, that are reported by users, they are however fixed quickly in suqsequent releases by the CodeIgnitor team ( EllisLabs)
这篇关于为codeigniter - 活动记录容易受到SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
