php - xss filtering not removing single quotes in codeigniter -

i have been using codeigniter time found possibility of sql - injection in script

when user enter

<script>alert('hi') </script>  

in input field $this->security->xss_clean($field) remove scipts not take care of single quotes of string. because of getting query error as

error number: 37000

[microsoft][odbc sql server driver][sql server]incorrect syntax near 'hi'.

select * account field1 = '[removed]alert('hi') [removed]' , field2 = 'asdasd'

filename: d:\htdocs\system\database\db_driver.php

line number: 331

this typical xss string when user add 1' or '1'='1

no error being generated , query runs .

i know can solved str_replace("'","",$field);.

how can solve using codeigniter?

is there global filter problem ($config['global_xss_filtering'] = true;)so don't have add str_replace @ input functions.

is there way generate log every time data has been clead xss filtering?

you try protect against sql injection calling xss_clean. xss_clean protect against xss injections, not prevent sql injections. let me break down you:

sql injection: malicious user input, tries hack database on server side. user input contain sql code.

xss injection: malicious user input, tries hack (spy in cases) other users. user input contain javascript code.

you need protect against both, should understand difference.

read this sql injection prevention in codeigniter. can use prepared statements, or flourishlib. protection against xss, can use xss_clean, or can write simple code in plain php:

public static function protectarrayagainstxss(&$arr) {     foreach ($arr $index => $a) {         if (is_array($a)) {             app::protectarrayagainstxss($arr[$index]);         } else if ($a !== null) {             $arr[$index] = strip_tags($a);         }     } }