插入批次的安全性?代码点火器
security on insert batch? codeigniter
如果我使用 insert_batch,谁能知道如何在 codeigniter 上阻止用户输入?对不起英语不好
像这样的代码
$data[] = array(
'id_invoice' => $this->input->post('id_invoice'),
'id_product' => $key['id_product'],
'id_fabrics' => $key['id_fabric'],
'id_option' => $id_option,
'name' => $key['name'],
'number' => $key['number'],
'id_size' => $key['size'],
'comment' => $key['comment']);
并像这样使用插入批处理
$this->orders->insert_order_mix($data);
我认为您对批量插入的概念感到困惑。请 READ THIS 更好地理解批量插入。现在针对您的问题,正如所说
这些天关注安全性非常好
Always filter input and escape output, Never trust data.
您可以使用 Codeigniter Security Class 来保护您的数据。
例如
$data=$this->security->xss_clean($this->input->post());
或
$postData=$this->input->post();
$data=$this->security->xss_clean($postData);
此外,您可以通过在表单中使用 CSRF token 来避免跨站请求伪造
感谢您的回答,我不确定您的回答,因为我正在使用 ajax 获取数据,并且数据是数组格式的,这是我在控制器上处理的代码
if (!$this->input->is_ajax_request()) {
exit('No direct script access allowed');
} else {
$input = $this->input->post('ar_dat');
$option = $this->input->post('list_option');
if ($option == null){
$id_option = '';
} else {
$id_option = implode(',',$option);
}
foreach ($input as $key) {
$data[] = array(
'id_invoice' => $this->input->post('id_invoice'),
'id_product' => $this->input->post('id_product'),
'id_fabrics' => $this->input->post('id_fabric'),
'id_option' => $id_option,
'name' => $key['name'],
'number' => $key['number'],
'id_size' => $key['size'],
'comment' => $key['comment']);
}
$this->orders->insert_order_uniform($data);
}
So Simple You can remove abuse tags and data from user input
//Change This
$this->orders->insert_order_mix($data);
// to
$data = $this->security->xss_clean($data); // You have to clean Data with XSS Filtering
$this->orders->insert_order_mix($data);
此方法使用 [已删除] 关键字清除所有滥用数据
如果用户可以输入任何脚本,则 XSS 过滤将按以下方式删除
$name = '<script>Your Name</script>';
echo $name; // Output : <script>Your Name</script>
// But you use XSS then output is change as per below
$name = '<script>Your Name</script>';
$name = $this->security->xss_clean($name);
echo $name; // Output : [removed]Your Name[removed]
Or You can use very simple with edit your config file
// Change global_xss_filtering value FALSE to TRUE;
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;
如果我使用 insert_batch,谁能知道如何在 codeigniter 上阻止用户输入?对不起英语不好 像这样的代码
$data[] = array(
'id_invoice' => $this->input->post('id_invoice'),
'id_product' => $key['id_product'],
'id_fabrics' => $key['id_fabric'],
'id_option' => $id_option,
'name' => $key['name'],
'number' => $key['number'],
'id_size' => $key['size'],
'comment' => $key['comment']);
并像这样使用插入批处理
$this->orders->insert_order_mix($data);
我认为您对批量插入的概念感到困惑。请 READ THIS 更好地理解批量插入。现在针对您的问题,正如所说
这些天关注安全性非常好Always filter input and escape output, Never trust data.
您可以使用 Codeigniter Security Class 来保护您的数据。
例如
$data=$this->security->xss_clean($this->input->post());
或
$postData=$this->input->post();
$data=$this->security->xss_clean($postData);
此外,您可以通过在表单中使用 CSRF token 来避免跨站请求伪造
感谢您的回答,我不确定您的回答,因为我正在使用 ajax 获取数据,并且数据是数组格式的,这是我在控制器上处理的代码
if (!$this->input->is_ajax_request()) {
exit('No direct script access allowed');
} else {
$input = $this->input->post('ar_dat');
$option = $this->input->post('list_option');
if ($option == null){
$id_option = '';
} else {
$id_option = implode(',',$option);
}
foreach ($input as $key) {
$data[] = array(
'id_invoice' => $this->input->post('id_invoice'),
'id_product' => $this->input->post('id_product'),
'id_fabrics' => $this->input->post('id_fabric'),
'id_option' => $id_option,
'name' => $key['name'],
'number' => $key['number'],
'id_size' => $key['size'],
'comment' => $key['comment']);
}
$this->orders->insert_order_uniform($data);
}
So Simple You can remove abuse tags and data from user input
//Change This
$this->orders->insert_order_mix($data);
// to
$data = $this->security->xss_clean($data); // You have to clean Data with XSS Filtering
$this->orders->insert_order_mix($data);
此方法使用 [已删除] 关键字清除所有滥用数据
如果用户可以输入任何脚本,则 XSS 过滤将按以下方式删除
$name = '<script>Your Name</script>';
echo $name; // Output : <script>Your Name</script>
// But you use XSS then output is change as per below
$name = '<script>Your Name</script>';
$name = $this->security->xss_clean($name);
echo $name; // Output : [removed]Your Name[removed]
Or You can use very simple with edit your config file
// Change global_xss_filtering value FALSE to TRUE;
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;