Codeigniter: security of insert_batch? - Codeigniter, Xss - Fatal编程技术网

If I use insert_batch, does anyone know how to prevent user input on CodeIgniter? Sorry for my bad English. The code is like this:

// $key is the current row in a foreach over the submitted rows (loop not shown)
$data[] = array(
    'id_invoice'    =>  $this->input->post('id_invoice'),
    'id_product'    =>  $key['id_product'],
    'id_fabrics'    =>  $key['id_fabric'],
    'id_option'     =>  $id_option,
    'name'          =>  $key['name'],
    'number'        =>  $key['number'],
    'id_size'       =>  $key['size'],
    'comment'       =>  $key['comment']);
$this->orders->insert_order_mix($data);
And then I use insert_batch like this:


I think you are confused about the concept of batch insert. Please read up on batch insert carefully. Now, for your question: as said before, it is very good that you are paying attention to security now.

Always filter input and escape output; never trust data.

You can use the following to protect your data.

For example:


Also, you can avoid cross-site request forgery by using CSRF protection in your form.

Thank you for your answer. I am not sure about your answer, because I use ajax to get the data and the data is in array format. This is the code I use to handle it in the controller:

if (!$this->input->is_ajax_request()) {
    exit('No direct script access allowed');
} else {
    $input  = $this->input->post('ar_dat');       // array of rows sent by ajax
    $option = $this->input->post('list_option');  // array of option ids, or null
    if ($option == null) {
        $id_option = '';
    } else {
        $id_option = implode(',', $option);
    }
    foreach ($input as $key) {
        $data[] = array(
            'id_invoice'    =>  $this->input->post('id_invoice'),
            'id_product'    =>  $this->input->post('id_product'),
            'id_fabrics'    =>  $this->input->post('id_fabric'),
            'id_option'     =>  $id_option,
            'name'          =>  $key['name'],
            'number'        =>  $key['number'],
            'id_size'       =>  $key['size'],
            'comment'       =>  $key['comment']);
    }
    $this->orders->insert_order_uniform($data);
}
It is this simple: you can remove abusive tags and data from user input.

This method uses the [removed] keyword to clear all abusive data.

If the user can enter any script, XSS filtering will remove it as follows:

$name = '<script>Your Name</script>';
echo $name; // Output : <script>Your Name</script>

// But if you run it through xss_clean(), the output changes as below

$name = '<script>Your Name</script>';
$name = $this->security->xss_clean($name);
echo $name; // Output : [removed]Your Name[removed]

Use $this->input->post('id_invoice', true); the second parameter, true, prevents injection.

I am trying your suggestion but I get the same output. My final action may need to use htmlspecialchars. Thank you for your answer.
// In application/config/config.php, change the global_xss_filtering value from FALSE to TRUE:
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;
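Pulling the advice in the answers together (filter input, rely on the Query Builder to escape values for SQL, escape on output, keep CSRF protection on), here is a hardened version of the AJAX controller pattern from the question. This is an added example, not code from the thread or from CodeIgniter itself; it assumes a CodeIgniter 3 project, a hypothetical table order_uniform, a hypothetical model Orders with insert_order_uniform(), and the controller/model/view pieces are shown in one block for brevity although each belongs in its own file. The point it makes that the thread does not: xss_clean() is not what stops SQL injection (insert_batch() escapes every value through the database driver), and mangling stored data with [removed] is usually worse than escaping it when it is rendered.

```php
<?php
// application/controllers/Orders_ctl.php (hypothetical file and class names)
defined('BASEPATH') OR exit('No direct script access allowed');

class Orders_ctl extends CI_Controller {

    public function save_uniform()
    {
        // 1. Accept only POST sent via AJAX. is_ajax_request() merely checks the
        //    X-Requested-With header, so CSRF protection must also be enabled
        //    in config.php ($config['csrf_protection'] = TRUE) and the token
        //    sent with the AJAX request.
        if (!$this->input->is_ajax_request() || $this->input->method() !== 'post') {
            show_error('Bad request', 400);
        }

        // 2. Never trust the shape of the data: ar_dat must be a non-empty array.
        $rows = $this->input->post('ar_dat');
        if (!is_array($rows) || empty($rows)) {
            show_error('ar_dat must be a non-empty array', 422);
        }

        // 3. Fields that must be integer ids are cast, then range-checked.
        $id_invoice = (int) $this->input->post('id_invoice');
        $id_product = (int) $this->input->post('id_product');
        $id_fabric  = (int) $this->input->post('id_fabric');
        if ($id_invoice <= 0 || $id_product <= 0 || $id_fabric <= 0) {
            show_error('invalid id', 422);
        }

        // 4. list_option is an array of option ids; keep only positive integers
        //    before joining, so nothing but digits and commas reaches the column.
        $options   = $this->input->post('list_option');
        $options   = is_array($options) ? array_filter(array_map('intval', $options)) : array();
        $id_option = implode(',', $options);

        $data = array();
        foreach ($rows as $row) {
            if (!is_array($row)) {
                show_error('each ar_dat entry must be an object', 422);
            }
            $data[] = array(
                'id_invoice' => $id_invoice,
                'id_product' => $id_product,
                'id_fabrics' => $id_fabric,
                'id_option'  => $id_option,
                // Free text is stored as submitted (no xss_clean): the Query
                // Builder escapes it for SQL, and the view escapes it for HTML.
                'name'       => $this->bounded_string($row, 'name', 100),
                'number'     => isset($row['number']) ? (int) $row['number'] : 0,
                'id_size'    => isset($row['size']) ? (int) $row['size'] : 0,
                'comment'    => $this->bounded_string($row, 'comment', 500),
            );
        }

        $this->load->model('orders');
        $this->orders->insert_order_uniform($data);

        $this->output->set_content_type('application/json')
                     ->set_output(json_encode(array('inserted' => count($data))));
    }

    // Trim and length-limit a string field; reject anything that is not a string.
    private function bounded_string(array $row, $key, $max)
    {
        $value = isset($row[$key]) ? $row[$key] : '';
        if (!is_string($value)) {
            show_error($key . ' must be a string', 422);
        }
        return mb_substr(trim($value), 0, $max);
    }
}

// application/models/Orders.php (hypothetical)
class Orders extends CI_Model {
    public function insert_order_uniform(array $data)
    {
        // insert_batch() builds one multi-row INSERT and escapes every value
        // through the driver, so SQL injection is handled here, not by xss_clean().
        return $this->db->insert_batch('order_uniform', $data);
    }
}

// application/views/order_rows.php (hypothetical): escape at output time.
// html_escape() is CodeIgniter's wrapper around htmlspecialchars().
//
// <?php foreach ($orders as $o): ?>
//   <tr><td><?php echo html_escape($o['name']); ?></td>
//       <td><?php echo html_escape($o['comment']); ?></td></tr>
// <?php endforeach; ?>
```

With this layout the answer to "how do I prevent injection with insert_batch" is: you already do, as long as the values go through the Query Builder rather than into a hand-built query string; what remains is validating the structure and types of the AJAX payload, escaping when the data is displayed, and keeping CSRF protection enabled so an AJAX-only check cannot be bypassed by a cross-site request.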