FuelPHP Forums
Clean input
  • Hi everyone,

    I have a question related to the security area.

    If I have a model (which extends the ORM model), do I have to 'clean' the POST / GET / .... parameters before doing this:

    $username = Input::param('username');
    $password = Input::param('password');

    Model_Patient::query()->where('username', $username)->where('password', $password)->get_one();

    or is everything cleaned because of the ORM usage?


    Should I use the next variant:

    $patient = DB::query("SELECT * FROM patients WHERE `username` = :username AND `password` = :password ORDER BY `id` LIMIT 1")
                            ->param('username', $username)
                            ->param('password', $password)
                            ->as_object('Model_Patient')
                            ->execute();

    Which one gives me more security against SQL injections? Or is neither of them enough against SQL injections?

    Which is the 'best practice' variant in Fuel when I receive POST / GET / ... variables? How should I treat them in order to have clean variables?
  • Harro
    Accepted Answer
    The ORM, like the DB query builder, will fully protect you against SQL injections. You don't need to take any additional action for that.

    The framework doesn't clean anything by default. Fuel is built on the principle of "do not modify input, and encode everything on output". This improves performance (no unneeded XSS cleaning on every input field), it ensures that all data stored is exactly how it was input, no magic modifications (some will say mutilations), and all output of data is rendered harmless due to the encoding.

    This means that if someone enters "<script>alert('Hello!');</script>" in an input field, it will be stored in the database exactly like that. When you send this data to a view, it will be HTML encoded, so if you echo it in the view, you will see "<script>alert('Hello!');</script>" again (as text), and not the JavaScript popup.

    This however means that you have to be VERY careful with what you send to a view with encoding disabled.

    If you insist on cleaning, you can define input filters in your application config (for example "Security::xss_clean") which will filter all input fields, or you can call xss_clean() manually in your controller to specifically clean individual fields.
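As an added illustration of the "do not modify input, encode on output" rule described in the answer above (this is example code written for this page, not code from the thread or from the FuelPHP project; the controller, model, view and field names are assumed), here is how the three paths look in a Fuel 1.x controller: the default encoded path, the explicit opt-out, and a per-field xss_clean() call.

```php
<?php
// Added example, not code from the thread or from the FuelPHP project.
// Controller, model, view and field names are assumed for illustration.

class Controller_Patient extends Controller
{
    public function action_profile()
    {
        // Take the input as-is: nothing here strips or rewrites what was sent.
        $nickname = Input::post('nickname', '');

        // Store it unchanged. The ORM binds the value into its INSERT, so the
        // content of $nickname cannot alter the SQL statement.
        $patient = Model_Patient::forge(array('nickname' => $nickname));
        $patient->save();

        // Default path: values set on a view go through the output filter
        // (config key security.output_filter, Security::htmlentities by default),
        // so a stored "<script>alert('Hello!');</script>" is rendered as text.
        $view = View::forge('patient/profile');
        $view->set('nickname', $patient->nickname);

        // Opt-out path: a third argument of false disables encoding for that one
        // value. Reserve it for markup built by your own code, never for request data.
        $view->set('back_link', Html::anchor('patient', 'Back to list'), false);

        // If a specific field must be sanitised on the way in, filter that field
        // explicitly instead of enabling global input filtering.
        $view->set('bio', Security::xss_clean(Input::post('bio', '')));

        return Response::forge($view);
    }
}

// The view file (fuel/app/views/patient/profile.php, assumed) can simply
// echo $nickname, $bio and $back_link; the encoding already happened in set().
//
// Relevant defaults in fuel/app/config/config.php (Fuel's own keys):
//
//   'security' => array(
//       'input_filter'  => array(),                         // nothing touched on input
//       'output_filter' => array('Security::htmlentities'), // everything encoded on output
//   ),
```

The practical check when reviewing such a controller is to look for every set() call (or View::forge() call) that passes false as the encoding argument and confirm the value it carries never originated from a request.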
  • So practically both of the above variants are OK, meaning that I am protected.

    But if I have :

    $username = Input::param('username');
    $password = Input::param('password');

    $query = 'SELECT * FROM patients WHERE username = '.$username.' AND password = '.$password;
    $result = DB::query($query)->execute();

    Am I still protected, or do I have to bind the parameters in order to be protected?
  • No.

    When you handcraft a query, you have to deal with everything yourself. But it is (almost) never needed to do so; the query builder works fine:

    $result = DB::select()
        ->from('patients')
        ->where('username', '=', $username)
        ->where('password', '=', $password)
        ->execute();

    On a side note, this looks like part of a login. Why code that up yourself when you have the Auth package that will do all of that for you, and more securely?
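To make the contrast in the answer above concrete, here is the same patient lookup packaged two ways: the query builder form Harro recommends, and a handcrafted string in which every value and identifier is quoted through the connection for the rare case the builder cannot express. This is example code written for this page, not code from the thread or from the FuelPHP project; the class and method names are assumed, the table and column names follow the thread, and DB::quote(), DB::quote_identifier() and DB::quote_table() are the Fuel 1.x quoting helpers.

```php
<?php
// Added example, not code from the thread or from the FuelPHP project.
// Class and method names are assumed; table and column names follow the thread.

class Patient_Lookup
{
    // Preferred: the builder emits placeholders and binds the values, so the
    // request data never becomes part of the SQL text.
    public static function find_with_builder($username, $password)
    {
        $rows = DB::select()
            ->from('patients')
            ->where('username', '=', $username)
            ->where('password', '=', $password)
            ->limit(1)
            ->as_object('Model_Patient')
            ->execute()
            ->as_array();

        return $rows ? $rows[0] : null;
    }

    // Fallback when a string must be hand-built: quote each value and each
    // identifier with the connection's own quoting rather than concatenating
    // the raw request value, which is what made the earlier snippet unsafe.
    public static function find_handcrafted($username, $password)
    {
        $sql = 'SELECT * FROM '.DB::quote_table('patients')
             .' WHERE '.DB::quote_identifier('username').' = '.DB::quote($username)
             .' AND '.DB::quote_identifier('password').' = '.DB::quote($password)
             .' ORDER BY '.DB::quote_identifier('id').' LIMIT 1';

        $rows = DB::query($sql, DB::SELECT)
            ->as_object('Model_Patient')
            ->execute()
            ->as_array();

        return $rows ? $rows[0] : null;
    }
}

// Usage from a controller action; a null result means no matching row.
// $patient = Patient_Lookup::find_with_builder(Input::param('username'), Input::param('password'));
```

Reading the two side by side, the difference a reviewer looks for is where the request value enters: in the first it is a bound parameter, in the second it passes through DB::quote() before touching the string. The page's original concatenated version does neither, which is why the answer is "No".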
  • Thanks for your answer.

    I have to work on older code, and we didn't implement SimpleAuth or OrmAuth, so practically I have to log in a patient or a doctor based on what we have in their tables :(
