About sanitizing input

Sanitizing is more that just running your input through all sorts of filters.

Sanitizing your input is about not polluting your application with user data you don’t want.
The big question, though, what is it you don’t want?

First example

You’ve made a page, allowing a user to send a text message. Your expected input would be a phone number and a text message.
Looking at the Rule reference in the manual, I would probably go for these rules:


These rules as I would like to make sure that the input is nummeric and that the input matches the length of phonenumbers in my region. Since I already validate that the input is nummeric, I can assume that XSS and SQL injection attempts should fail (as these attacks contain non-nummeric characters).

For the text message field, I would use trim and required: trim|required as I don’t wan’t an empty message sent.

Second example

Allowing users to comment, is a good way to allow users to spam your site or inject malicious code.

Basically, what you wan’t is a name, an email and the comment.

All input needs to be required. The e-mail needs to validate. But the comment and name needs to have some cleaning of XSS and overhead spaces/line feeds.

My validation with sanitazion would look like this:

$this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('comment', 'Comment', 'required|trim|xss_clean');

Sanitize what you must – not what you can – and do the sanitaziton for what you need.
Make sure, when you insert the data to your backend to use the Active Record/Query Builder for escaping your input correctly or that your are using Query Bindings which does the same for you.

original source


Leave a Reply

Your email address will not be published. Required fields are marked *