How does Codeigniter handle escaping output?

Question

I am using CodeIgniter.

Recently, I read a PHP book and saw some functions to escape output to server to database using

*_escape_string()

and from server to browser using:

htmlentities()
htmlspecialchars()

In my Codeigniter application, how are these functions handled? Is it internally handled by the framework, or do I have to manually handle it?

In Ccodeigniter form validation I have seen xss_clean

$this->form_validation->set_rules('password', 'Password', 'required|xss_clean|min_length[6]|matches[confirmpassword]' );

Is xss_clean for preventing cross site scripting, or does it deal with the above I have mentioned?

Answer 1

If you're using the Active Record class, you generally don't need to escape anything you send to your database - it's done automatically:

http://codeigniter.com/user_guide/database/active_record.html

"It also allows for safer queries, since the values are escaped automatically by the system."

Manual escaping seems to be becoming a thing of the past, as most people are using PDO now for database interactions, using paramterized queries with placeholders instead of mashing SQL strings together. CI still uses the mysql_* functions internally though.

CI's xss_clean() is, in my opinion, more of a failsafe for those of us who don't know how and when to escape data properly. You normally don't need it. It's been the target of criticism both for it's slow, aggressive approach to sanitizing data, as well as for just "not being good enough".

For escaping HTML output, in most cases htmlspecialchars() is all you need, but you can use the xss_clean() function any time. I don't suggest using it as a form validation rule because it will corrupt your input, inserting [removed] wherever it found something "naughty" in the original string. Instead, you can just call it manually to clean your output.

Summary:

• Database: CI will (usually) escape the strings you pass to the Active Record class.
  See the user guide for details: http://codeigniter.com/user_guide/database/queries.html

• HTML output: You need to escape HTML output yourself with htmlspecialchars() or use CI's html_escape() function (as of 2.1.0). This is not done automatically because there's no way to know the context in which you are using the data.

• xss_clean() - If you know what you're doing, you shouldn't need it. Better to use on output than input.

Answer 2

Default CodeIgniter views are just PHP, so you can use htmlentities() and htmlspecialchars() in your view files.

For escaping data into the database (i.e. preventing SQL injection) CodeIgniter offers parameterised queries. Basically, put a ? in the SQl wherever you want to insert a peice of data, then supply all of the data in an array. See "Query Bindings" at http://codeigniter.com/user_guide/database/queries.html. Also on that page see "Escaping Queries" which describes the CI wrappers for the *_escape_string functions. However, query bindings/parameterised queries are a better approach.