In this tutorial you will learn about CodeIgniter Security.

CodeIgniter XSS Prevention

XSS means scripting cross-site. CodeIgniter comes with security for filtering XSS. This filter prevents any JavaScript malicious code or other code that attempts to hijack cookies and perform malicious activities. Use the xss_clean() method as shown below to filter data through the XSS filter.

$data = $this->security->xss_clean($data);

You should only use this function when submitting data. The second optional boolean parameter can also be used to check the XSS attack image file. This is useful for uploading files. If its value is true, the image is not safe.

CodeIgniter SQL Injection Prevention

SQL injection is an attack on the query database. In PHP, we use the mysql_real_escape_string() function to prevent this and other techniques, but CodeIgniter provides built-in functions and libraries to prevent this.

In CodeIgniter, we can prevent SQL injection in three ways. −

  • Escaping Queries
  • Query Biding
  • Active Record Class

Escaping Queries

<?php
   $username = $this->input->post('username');
   $query = 'SELECT * FROM subscribers_tbl WHERE user_name = '.
      $this->db->escape($email);
   $this->db->query($query);
?>

The function $this->db->escape() automatically adds single quotes to the data and determines the data type so that only string data can be escaped.

Query Biding

<?php
   $sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
   $this->db->query($sql, array(3, 'live', 'Rick'));
?>

In the example above, the question mark (?) is replaced with an array in the second query() function parameter. The main advantage of building queries in this way is that the values that produce safe queries are automatically escaped. The CodeIgniter engine automatically does it for you, so you don’t have to remember.

Active Record Class

<?php
   $this->db->get_where('subscribers_tbl',array
      ('status'=> active','email' => 'info@arjun.net.in'));
?>

The query syntax is generated by each database adapter using active records. It also allows safer queries, as the values automatically escape.

Hiding PHP Errors

In production environment, we often do not want to display any error message to the users. It is good if it is enabled in the development environment for debugging purposes. These error messages may contain some information, which we should not show to the site users for security reasons.

There are three error-related CodeIgniter files.

PHP Error Reporting Level

Different settings require different levels of reporting errors. Default is that development shows errors, but live testing hides them. There is a file named index.php in the CodeIgniter root directory that is used for that purpose. If we pass zero to error_reporting() as an argument, all errors will be hidden.

Database Error

Even if the PHP errors are switched off, MySQL errors are still open. This can be turned off in app/config/database.php file. Set the db debug option to FALSE in the $db array as shown below.

$db['default']['db_debug'] = FALSE;

Error log

It is also possible to transfer the errors to log files. Therefore, it will not be shown to users on the site. Set the log threshold value to 1 in the application/cofig/config.php file in the $config array as shown below.

$config['log_threshold'] = 1;

CSRF Prevention

CSRF stands for forgery of cross – site requests. This attack can be prevented by enabling it in the app/config/config.php file as shown below.

$config['csrf_protection'] = TRUE;

It automatically inserts a CSRF as a hidden field when you create a form using the form_open() function. You can also add the CSRF manually with the get_csrf_token_name() function and get_csrf_hash(). The get_csrf_token_name() function returns the CSRF name and get_csrf_hash() returns the CSRF hash value.

The CSRF token can be regenerated at any time or you can keep it the same throughout the CSRF cookie life. By setting the value TRUE, the key ‘csrf regenerate’ in the config array will regenerate the token as shown below.

$config['csrf_regenerate'] = TRUE;

You can also whitelist CSRF protection URLs using the’ csrf exclude uris’ key, as shown below, in the config array.

$config['csrf_exclude_uris'] = array('api/person/add');

Password Handling

Many developers can not handle passwords in web applications, which is probably why it is so easy for many hackers to break into the systems. The following points should be kept in mind when handling passwords

  • Do not store plain – text passwords.
  • Take your passwords always in hash.
  • Do NOT use Base 64 or similar password storage encoding.
  • DO NOT use weak or broken hashing algorithms like MD5 or SHA1. Only use strong password hashing algorithms like BCrypt, which is used in PHP’s own Password Hashing functions.
  • Do NOT ever display or send a plain text password.
  • Do NOT place unnecessary limits on the passwords of your users.