CodeIgniter: How to provide Security

Security is a principal concern for any site. Every client wants to protect their site from malicious activity. We need to protect against database injection. We also need to keep passwords away from malicious users when form data is submitted. If we store them as plain text, any malicious user can start that kind of activity.

The steps below show how to provide security:

XSS Prevention: XSS stands for cross-site scripting. Prevention means stopping the execution of any script-level language such as JavaScript. A malicious user tries to submit SQL queries or script variables through form fields. So we filter out such JavaScript and clean this kind of data using the command below:

$data = $this->security->xss_clean($data);

You should use this function while processing form submissions. The reason is that malicious users always attack while submitting forms. The optional second Boolean parameter can also be used to check an image file for an XSS attack. This is useful for a file-upload facility. If its return value is TRUE, the image is safe; otherwise it is not.
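The two uses described above in a CodeIgniter 3 controller, as an added example that is not part of the original post: the form field is filtered with xss_clean(), and an uploaded image is checked by passing its contents with the second parameter set to TRUE. The controller name, field names and view name are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a CodeIgniter 3 controller that
// filters form input with xss_clean() and checks an uploaded image with the
// second Boolean parameter. Controller, field and view names are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

class Comment extends CI_Controller
{
    public function submit()
    {
        // Run the raw POST value through the XSS filter before using it.
        $raw_comment = $this->input->post('comment');
        $comment     = $this->security->xss_clean($raw_comment);

        // Equivalent shorthand: the second argument of post() applies xss_clean().
        $author = $this->input->post('author', TRUE);

        // For file uploads, pass the file *contents* and TRUE as the second
        // argument: xss_clean() then returns TRUE if the image looks safe and
        // FALSE if it contains embedded script, instead of returning a string.
        $is_safe_image = TRUE;
        if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK)
        {
            $contents      = file_get_contents($_FILES['avatar']['tmp_name']);
            $is_safe_image = $this->security->xss_clean($contents, TRUE);
        }

        if ($is_safe_image !== TRUE)
        {
            show_error('Uploaded image failed the XSS check.', 400);
        }

        // $comment and $author are filtered on input; still escape on output,
        // since xss_clean() is a filter, not a substitute for output encoding.
        $this->load->view('comment_saved', array(
            'author'  => html_escape($author),
            'comment' => html_escape($comment),
        ));
    }
}
```

Note that xss_clean() only filters what it recognises as script; html_escape() at render time is the check that actually stops stored text from being interpreted as markup.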

SQL Injection Prevention:

This type of attack targets the database query. In PHP, we use the mysql_real_escape_string() function to prevent it, along with other methods, but CodeIgniter provides built-in functions and libraries to prevent it. The basic point is that it provides string escaping rather than a parameter-substitution approach.

We can prevent SQL injection in CodeIgniter in the following three ways:

  1. Escaping Queries
  2. Query Binding
  3. Active Record Class

Escaping Queries: the command below adds single quotes around the data. It also determines the data type, so it only escapes string data.

$email = $this->input->post('email');
$query = 'SELECT * FROM newletter_tbl WHERE email = ' . $this->db->escape($email);
$this->db->query($query);

Query Binding:

$sql = "SELECT * FROM news_letter WHERE id = ? AND status = ? AND email = ?";
$this->db->query($sql, array(3, 'live', 'Rick@gmail.com'));

In the above example, each question mark (?) is replaced by the corresponding value in the array passed as the second parameter of the query() function, which holds the values from the user side. The main advantage of building a query this way is that the values are escaped automatically, which produces safe queries, and the user does not need to check their type. The CodeIgniter engine does it for you automatically, so you do not have to remember it each time you generate a new query.

Active Record Class:

$this->db->get_where('news_letter_tbl', array('status' => 'active', 'email' => 'info@chiks.net.in'));

Using this method, the query syntax is generated by each database adapter. It also produces safer queries, since the values are escaped automatically to prevent attacks.
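The three techniques above side by side in one CodeIgniter 3 model, as an added example that is not part of the original post. It shows a string-concatenated query of the kind that is vulnerable, followed by the escape(), query-binding and Active Record forms, and it goes one step beyond the text with a LIKE clause, where escape_like_str() is needed so that % and _ in user input are treated literally. The model name, table and column names are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a CodeIgniter 3 model showing a
// vulnerable concatenated query beside the three safe forms (escape(), query
// binding, Active Record). Model, table and column names are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

class Newsletter_model extends CI_Model
{
    // UNSAFE: user input is glued straight into the SQL string. A single quote
    // inside $email changes the structure of the query instead of its data.
    public function find_by_email_unsafe($email)
    {
        $sql = "SELECT * FROM news_letter_tbl WHERE email = '" . $email . "'";
        return $this->db->query($sql)->row_array();
    }

    // 1. Escaping: escape() adds the quotes and escapes the string itself.
    public function find_by_email_escaped($email)
    {
        $sql = 'SELECT * FROM news_letter_tbl WHERE email = ' . $this->db->escape($email);
        return $this->db->query($sql)->row_array();
    }

    // 2. Query binding: each ? is replaced by the escaped value from the array.
    public function find_live_by_id_and_email($id, $email)
    {
        $sql = 'SELECT * FROM news_letter_tbl WHERE id = ? AND status = ? AND email = ?';
        return $this->db->query($sql, array((int) $id, 'live', $email))->row_array();
    }

    // 3. Active Record (Query Builder): the adapter builds and escapes the SQL.
    public function find_active_by_email($email)
    {
        return $this->db->get_where('news_letter_tbl', array(
            'status' => 'active',
            'email'  => $email,
        ))->row_array();
    }

    // LIKE clauses are a special case: escape_like_str() escapes % and _ and
    // uses ! as the escape character, so the query must declare ESCAPE '!'.
    public function search_by_domain($domain)
    {
        $sql = "SELECT * FROM news_letter_tbl WHERE email LIKE '%@"
             . $this->db->escape_like_str($domain) . "' ESCAPE '!'";
        return $this->db->query($sql)->result_array();
    }
}
```

The first method is kept only as the contrast the text draws; in a real code base it is the one to remove. The binding and Active Record forms are preferable to escape() because there is no string to forget to escape.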

Hiding PHP Errors:

In a production environment, we do not show any error messages. If we show error messages, they contain information about the site. They are useful for debugging purposes only.

There are three CodeIgniter files related to errors.

PHP Error Reporting Level

Different environments require different levels of error reporting, such as testing or others. By default, development will show errors, but testing and live will hide them for security reasons. There is a file called index.php in the root directory of CodeIgniter which is used for this purpose. If we pass zero as the argument to error_reporting(), it hides all errors, and -1 shows all error messages.
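The environment switch that index.php uses for this, written out as an added example (not copied from the original post). It mirrors the structure of CodeIgniter 3's stock index.php; reading the environment name from the CI_ENV server variable and the set of environment names are assumptions to adjust for your deployment.

```php
<?php
// Added example (not from the original post): the per-environment error
// reporting switch at the top of CodeIgniter 3's index.php. The CI_ENV
// server variable and the environment names are assumptions.
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');

switch (ENVIRONMENT)
{
    case 'development':
        // Show everything while developing: -1 enables all error levels.
        error_reporting(-1);
        ini_set('display_errors', 1);
        break;

    case 'testing':
    case 'production':
        // Never render errors to the browser on a live site; they reveal
        // paths, queries and other internals. Log them instead.
        ini_set('display_errors', 0);
        error_reporting(E_ALL & ~E_NOTICE & ~E_STRICT & ~E_USER_NOTICE & ~E_USER_DEPRECATED);
        break;

    default:
        // An unknown environment name is a configuration mistake; fail closed
        // rather than guessing at a permissive setting.
        header('HTTP/1.1 503 Service Unavailable.', TRUE, 503);
        echo 'The application environment is not set correctly.';
        exit(1);
}
```

Because ENVIRONMENT is a constant, the database and logging settings discussed next can be tied to it as well, for example `$db['default']['db_debug'] = (ENVIRONMENT !== 'production');`, so that a deployment cannot accidentally ship with debugging output enabled.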

Database Error

Even if you have turned off PHP errors, MySQL errors are still shown and must be disabled so they are not displayed. You can turn this off in application/config/database.php. Set the db_debug option in the $db array to FALSE as shown below.

$db['default']['db_debug'] = FALSE;

Error log

Another way is to send the errors to log files, so they are not displayed to users on the site. Simply set the log_threshold value in the $config array to 1 in the application/config/config.php file as shown below.

$config['log_threshold'] = 1;

Password Handling

Many developers do not know how to handle passwords in web applications, which is probably why numerous hackers find it so easy to break into systems. Keep the following points in mind while handling passwords:

  1. DO NOT store passwords in plain-text format.

  2. Always hash your passwords, and do not use encryption, since encrypted passwords can be decrypted. Hashing cannot be reversed.

  3. DO NOT use Base64 or similar encoding for storing passwords.

  4. DO NOT use weak or broken hashing algorithms like MD5 or SHA1; both are very old. Only use strong password hashing algorithms like BCrypt, which is used in PHP's own password hashing functions.

  5. DO NOT ever display or send a password in plain-text format. Only ever handle it in hashed form.

  6. DO NOT put unnecessary limits on your users’ passwords.
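The points above applied in a CodeIgniter 3 model, as an added example that is not part of the original post: passwords are stored with PHP's own password_hash() using bcrypt, checked with password_verify(), and transparently rehashed when the cost factor is raised. The model name, table and column names are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a CodeIgniter 3 model that stores
// passwords with password_hash() (bcrypt) and checks them with password_verify().
// Model, table and column names are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

class User_model extends CI_Model
{
    // Bcrypt work factor; raise it over time as hardware gets faster.
    const BCRYPT_COST = 12;

    public function register($username, $password)
    {
        // Hash, never encrypt or encode: the stored value cannot be reversed,
        // and no length cap is imposed on the password the user chooses.
        $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST));

        // Active Record escapes the values, so the insert is safe from injection.
        return $this->db->insert('users', array(
            'username'      => $username,
            'password_hash' => $hash,
        ));
    }

    // Returns the user id on success, FALSE otherwise. The password and the
    // hash are never returned or displayed.
    public function login($username, $password)
    {
        $row = $this->db->get_where('users', array('username' => $username))->row_array();
        if (empty($row))
        {
            return FALSE;
        }

        if ( ! password_verify($password, $row['password_hash']))
        {
            return FALSE;
        }

        // Upgrade hashes that were created with an older, cheaper cost. This is
        // the only moment the plaintext is available to compute a new hash.
        if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)))
        {
            $this->db->update(
                'users',
                array('password_hash' => password_hash($password, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST))),
                array('id' => $row['id'])
            );
        }

        return (int) $row['id'];
    }
}
```

Storing the output of password_hash() needs a column of at least 60 characters for bcrypt; a wider column leaves room to move to a newer algorithm later via password_needs_rehash().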

CSRF Prevention

CSRF stands for cross-site request forgery. You can prevent this attack by enabling protection in the application/config/config.php file as shown below.

$config['csrf_protection'] = TRUE;

When you create a form using the form_open() function, it automatically inserts the CSRF token as a hidden field. You can also add the CSRF token manually using the get_csrf_token_name() and get_csrf_hash() functions. get_csrf_token_name() returns the name of the CSRF token and get_csrf_hash() returns the hash value of the token.

The CSRF token can be regenerated on every submission, or you can keep it the same for the life of the CSRF cookie. Setting the value TRUE in the config array under the key "csrf_regenerate" regenerates the token, as shown below.

$config['csrf_regenerate'] = TRUE;

You can also exclude URLs from CSRF protection by setting them in the config array using the key 'csrf_exclude_uris' as shown below. You can also use regular expressions.

$config['csrf_exclude_uris'] = array('api/person/add');
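The two ways of supplying the token described above in one CodeIgniter 3 view, as an added example that is not part of the original post: form_open() emits the hidden field for a normal form post, and get_csrf_token_name() / get_csrf_hash() expose the same token for a JavaScript request. The view name, controller route and field names are assumptions for illustration; it assumes csrf_protection is TRUE and the form helper is loaded.

```php
<?php
// Added example (not from the original post): application/views/subscribe_form.php
// in a CodeIgniter 3 app with $config['csrf_protection'] = TRUE. Route and field
// names are assumptions. Requires $this->load->helper('form') in the controller.
?>
<?php echo form_open('newsletter/subscribe'); ?>
    <!-- form_open() has already added a hidden input named after csrf_token_name
         carrying the current hash; the Security class checks it on POST. -->
    <label>Email <input type="email" name="email"></label>
    <button type="submit">Subscribe</button>
<?php echo form_close(); ?>

<script>
// For a scripted POST, send the same token the Security class expects. The
// values are JSON-encoded so they are safe to embed in the page.
var csrfName = <?php echo json_encode($this->security->get_csrf_token_name()); ?>;
var csrfHash = <?php echo json_encode($this->security->get_csrf_hash()); ?>;

var body = new URLSearchParams();
body.append(csrfName, csrfHash);
body.append('email', 'user@example.com'); // constructed sample value

fetch('<?php echo site_url('newsletter/subscribe'); ?>', {
    method: 'POST',
    body: body,
    credentials: 'same-origin' // the CSRF cookie must accompany the request
});
</script>
```

A request that omits or mismatches the token is rejected by CodeIgniter with a 403 before the controller runs. With csrf_regenerate set to TRUE, every request issues a fresh hash, so a script that makes several POSTs has to pick up the new value from the cookie named by $config['csrf_cookie_name'] (or re-render the token) between requests; the URIs listed in csrf_exclude_uris are the only ones that skip the check.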
