Security issues

Valtasar · January 17, 2018

Hi,

Now that I have almost finished converting *a lot* of code from IPS3 to IPS4, I start to worry about security issues:

Here it states that: "This means that all request data should be considered potentially tainted and you will need to take precautions not to introduce security issues by relying upon "clean" request data from this class.". But what exactly is the best way to do this "cleaning", before, e.g. inserting a user text in the database?

Back in IPS3, I just used: "$this->DB->addSlashes" and I felt quite secure. Is there something similar I can do in IPS4, because I have a lot of code, and converting all my forms to use the new IPS4 Form Helper may not be so easy....

bfarber · January 18, 2018

Your best bet is to use prepared statements where possible. For inserts and updates this is handled automatically, except in the where clause where you would do

array( 'column=?', $value )

We do not "clean" the data on insert, we clean it on output. In templates this is largely handled automatically, and when you need to display a raw value that may legitimately contain HTML you use the |raw modifier.

Invision Community 4: SEO, prepare for v5 and dormant account notifications

Invision Community 5: Beta testing and latest updates

Invision Community 4: A more professional report center

Invision Community 5: A video walkthrough creating a custom theme and homepage

Security issues

Recommended Posts

Valtasar

bfarber

Archived

Recently Browsing 0 members

More