Need help - Should I use my security class within models or controllers?

[Ivan Ivković]

I have a "Security" class, a set of methods for input processing 'n stuff.

Should I use this in my models or controllers? (MODEL: Processing input within the model like... uploading image CONTROLLER : on the page controller, before loading models.)

It seems as if in the models it's too often used, maybe reduces performance?

As for programming theory, which way should I go?

[trq]

Without knowing exactly what this *security* class does we couldn't say.

[Ivan Ivković]

"I have a "Security" class, a set of methods for input processing 'n stuff."

 

I think I said it all but ok, here's more.

 

SQL injection, HTML stripping, checking for select values if they're numeric or not null, do select values offers exist and stuff.

[trq]

SQL injection, HTML stripping, checking for select values if they're numeric or not null, do select values offers exist and stuff.

 

That does not sound like it belongs in a single class.

 

We seriously can't help without seeing code.

[Ivan Ivković]

<?php

# General input security.
class Security{

private $db;

public function __construct($db){
	$this -> db = $db;
}

# Processing all input type="text" inputs.
public function secureTextInput($string){
	$string = stripslashes($string);
	$string = $this -> db -> real_escape_string($string);
	return $string;
}

# Processing all numeric inputs (select values etc...)
public function checkNum($num){
	if(!is_numeric($num) && $num != 0){
		return false;
	}else{
		return $num;
	}
}

# Processing all textareas with more content.
public function secureTextArea($string){
	$string = nl2br($string);
	$string = $this -> secureTextInput($string);
	$string;
}

}

This is an example of it.

[Ivan Ivković]

Something like..

 

http://codeigniter.com/user_guide/libraries/security.html

[scootstah]

I don't really understand your question. What's the point of making a class if you're not going to use it?

 

And I'm with thorpe, I think you are violating some OOP principles here.

[Ivan Ivković]

I am using it. :S

[gizmola]

If you use pdo or mysqli with bind variables, there is no need to worry about SQL injection.  With pdo::prepare as an example, you eliminate the need to escape data AND eliminate sql injection concerns.  I highly recommend that approach.

 

In terms of the other things you have, typically they are of concern with form processing, and many frameworks provide form building classes which let you specify validation routines that bake in security, as well as additional user defined validation rules.  So strictly speaking, this would not be code in either the controller or the model but in a form handling class.  Take a look at symfony2 and zend framework for some examples of how more sophisticated frameworks approach the problem.

 

Last but not least, XSS is something that can be neutralized in the way content is displayed.  Frameworks that have templating in support of the view layer, can cook data when injecting it into the view, to insure that no active XSS is rendered.