CodeIgniter Framework Security
PHP frameworks are very popular nowadays because of their simplicity and usability. One of the great PHP frameworks is CodeIgniter. Almost 80% of PHP programmers love small-footprint frameworks like CodeIgniter. This framework is tiny and lightweight, which makes it well suited to PHP application development.
Whether or not a framework is great, we programmers always think about the security of the framework itself. Most frameworks are designed with security in mind, but we can still do extra work on security to make an application more secure than the defaults.
Here we discuss how to tighten security in the CodeIgniter framework.
$data = $this->security->xss_clean($data);
You should use this function only when you are submitting data. The optional second Boolean parameter tells it to check an image file for an XSS attack, which is useful for a file upload facility. When that parameter is TRUE, the function returns TRUE if the image is safe and FALSE otherwise.
SQL injection is an attack made on the database query. In plain PHP, we use the mysql_real_escape_string() function along with other techniques to prevent it, but CodeIgniter provides inbuilt functions and libraries for this purpose.
We can prevent SQL Injection in CodeIgniter in the following three ways −
$username = $this->input->post('username');
$query = 'SELECT * FROM subscribers_tbl WHERE user_name = ' . $this->db->escape($username);
$this->db->query($query);
The $this->db->escape() function automatically adds single quotes around the data and determines the data type, so that it escapes only string data.
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?"; $this->db->query($sql, array(3, 'live', 'Rick'));
In the above example, each question mark (?) is replaced by the corresponding element of the array passed as the second parameter of the query() function. The main advantage of building a query this way is that the values are escaped automatically, which produces safe queries. The CodeIgniter engine does this for you, so you do not have to remember it.
$this->db->get_where('subscribers_tbl', array('status' => 'active', 'email' => 'email@example.com'));
With Active Record (the Query Builder), the query syntax is generated by each database adapter. It also gives safer queries, since the values are escaped automatically.
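The three defences above side by side with the unsafe concatenation they replace, as an added example that is not part of the original post. It assumes a CodeIgniter 3 controller with the database library autoloaded, and the subscribers_tbl table and user_name/status columns used in the post.

```php
<?php
// Added example, not from the original post: a CodeIgniter 3 controller that
// looks up a subscriber by the submitted user name. The first method is the
// unsafe string concatenation the post warns about; the other three apply the
// post's three defences. Assumes the database library is autoloaded and the
// table/column names match the post (hypothetical schema).
defined('BASEPATH') OR exit('No direct script access allowed');

class Subscribers extends CI_Controller
{
    // UNSAFE: the raw POST value is spliced into the SQL text, so a quote in
    // the input ends the string literal and the rest is parsed as SQL.
    public function lookup_unsafe()
    {
        $username = $this->input->post('username');
        $query = "SELECT * FROM subscribers_tbl WHERE user_name = '" . $username . "'";
        return $this->db->query($query)->result_array();
    }

    // 1. escape(): adds the quotes and escapes the value; non-strings are
    //    left unquoted, so never add quotes around the result yourself.
    public function lookup_escape()
    {
        $username = $this->input->post('username');
        $query = 'SELECT * FROM subscribers_tbl WHERE user_name = '
               . $this->db->escape($username);
        return $this->db->query($query)->result_array();
    }

    // 2. Query bindings: each ? is replaced, in order, by the escaped element
    //    of the array passed as the second argument of query().
    public function lookup_binding()
    {
        $username = $this->input->post('username');
        $sql = 'SELECT * FROM subscribers_tbl WHERE user_name = ? AND status = ?';
        return $this->db->query($sql, array($username, 'active'))->result_array();
    }

    // 3. Query Builder: the where array is turned into SQL by the DB adapter,
    //    which escapes every value before it reaches the query.
    public function lookup_builder()
    {
        $username = $this->input->post('username');
        $where = array('user_name' => $username, 'status' => 'active');
        return $this->db->get_where('subscribers_tbl', $where)->result_array();
    }
}
```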
In a production environment, we usually do not want to display error messages to users. It is fine to enable them in the development environment for debugging purposes, but these error messages may contain information that we should not show to site users for security reasons.
There are three CodeIgniter files related to errors.
Different environments require different levels of error reporting. By default, the development environment shows errors, while testing and production (live) hide them. The file index.php in the root directory of CodeIgniter is used for this purpose: if we pass zero as the argument to error_reporting(), all errors are hidden.
Even if you have turned off PHP errors, MySQL errors are still shown. You can turn them off in application/config/database.php by setting the db_debug option in the $db array to FALSE, as shown below.
$db['default']['db_debug'] = FALSE;
Another way is to send errors to log files, so they are not displayed to users on the site. Simply set the log_threshold value in the $config array to 1 in the application/config/config.php file, as shown below.
$config['log_threshold'] = 1;
CSRF stands for cross-site request forgery. You can enable protection against this attack in the application/config/config.php file as shown below.
$config['csrf_protection'] = TRUE;
When you create a form using the form_open() function, it automatically inserts the CSRF token as a hidden field. You can also add it manually using the get_csrf_token_name() and get_csrf_hash() functions: get_csrf_token_name() returns the name of the CSRF field and get_csrf_hash() returns the token's hash value.
The CSRF token can be regenerated on every submission, or you can keep it the same throughout the life of the CSRF cookie. Setting the 'csrf_regenerate' key in the config array to TRUE regenerates the token on each submission, as shown below.
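A hand-written form that carries the token manually, as an added example that is not part of the original post. It assumes CodeIgniter 3 with csrf_protection set to TRUE, the URL helper loaded, and a hypothetical subscribers/add route.

```php
<?php
// Added example, not from the original post: a view whose form is written by
// hand (no form_open()), so the CSRF token is added with the two functions
// named in the post. Assumes csrf_protection = TRUE, the URL helper loaded
// and a hypothetical 'subscribers/add' route. On the matching POST, CodeIgniter
// compares the submitted field with the CSRF cookie before the controller
// runs, so the controller itself needs no extra check.
?>
<form method="post" action="<?php echo site_url('subscribers/add'); ?>">
    <!-- Field name and value come from the Security class, so they stay in
         sync with config.php and with csrf_regenerate. -->
    <input type="hidden"
           name="<?php echo $this->security->get_csrf_token_name(); ?>"
           value="<?php echo $this->security->get_csrf_hash(); ?>">
    <label>Email <input type="email" name="email"></label>
    <button type="submit">Subscribe</button>
</form>
```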
$config['csrf_regenerate'] = TRUE;
You can also whitelist URIs from CSRF protection by setting the 'csrf_exclude_uris' key in the config array, as shown below. Regular expressions are also accepted.
$config['csrf_exclude_uris'] = array('api/person/add');
Many developers do not know how to handle passwords in web applications, which is probably why numerous hackers find it so easy to break into systems. One should keep in mind the following points while handling passwords −