CodeIgniter Security Class
CodeIgniter contains a Security class whose methods help you build a secure application and process input data safely. The methods are described below.
- XSS Filtering
- CSRF (Cross-site Request Forgery)
- Class Reference
XSS Filtering
XSS stands for Cross-site Scripting. The XSS filter is used to disable JavaScript or other kinds of code that attempt to hijack cookies or perform other malicious actions. When it encounters anything harmful, it renders it harmless by converting the data to character entities.
XSS filtering uses the xss_clean() method to filter data.
$data = $this->security->xss_clean($data);
There is an optional second parameter, is_image, which is used to test images for XSS attacks. When this parameter is set to TRUE, the method does not return an altered string; instead it returns TRUE if the image is safe and FALSE if it contains malicious data.
if ($this->security->xss_clean($file, TRUE) === FALSE)
{
// file failed the XSS test
}
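The following CodeIgniter 3 controller is an added example, not code from the CodeIgniter documentation. It shows both uses of xss_clean(): filtering POST values (a single string and an array) and checking an uploaded image with is_image set to TRUE. The Comments controller, the 'comment', 'tags' and 'avatar' field names and the 'comments/preview' view are assumptions.

```php
<?php
// Added example (not from the CodeIgniter docs): a CI3 controller that filters
// user input with xss_clean() and validates an uploaded image with is_image = TRUE.
// The controller name, field names and view name are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Comments extends CI_Controller
{
    public function submit()
    {
        // Run the XSS filter over a single POST value.
        $comment = $this->security->xss_clean($this->input->post('comment'));

        // xss_clean() also accepts an array and filters every element.
        $tags = $this->security->xss_clean($this->input->post('tags'));

        // For an uploaded file, pass is_image = TRUE: the return value is then
        // TRUE (safe) or FALSE (script content found), not a filtered string.
        if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK)
        {
            $contents = file_get_contents($_FILES['avatar']['tmp_name']);
            if ($contents === FALSE || $this->security->xss_clean($contents, TRUE) === FALSE)
            {
                show_error('The uploaded image failed the XSS check.', 400);
            }
        }

        // Filtering on input does not replace escaping on output: html_escape()
        // (a CI common function) still encodes the value when it is rendered.
        $this->load->view('comments/preview', array(
            'comment' => html_escape($comment),
            'tags'    => is_array($tags) ? array_map('html_escape', $tags) : html_escape((string) $tags),
        ));
    }
}
```

The input filter and the output escape do different jobs: xss_clean() removes known script patterns from untrusted data, while html_escape() makes whatever remains inert in the HTML context it is printed into. Relying on the filter alone leaves the view dependent on the filter's pattern list.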
CSRF (Cross-site Request Forgery)
To enable CSRF protection, set the following in the application/config/config.php file.
$config['csrf_protection'] = TRUE;
If you are using the form helper, a hidden csrf field will be inserted automatically in your form_open() form.
Otherwise, you can add it manually using
get_csrf_token_name() (returns the name of the csrf token field) and
get_csrf_hash() (returns the value of the csrf token).
Generated tokens may be kept the same throughout the life of the CSRF cookie or may be regenerated on each submission. The default token regeneration gives better security, but it also has usability concerns, since other outstanding tokens (multiple tabs/windows, asynchronous requests, and so on) become invalid. The regeneration behaviour can be set in application/config/config.php as shown below.
$config['csrf_regenerate'] = TRUE;
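As an added example (not from the CodeIgniter documentation), the block below shows the complete set of CSRF settings from application/config/config.php, followed by a view that emits the token by hand for a form written without form_open() and exposes it in a meta tag for JavaScript callers. The two files are shown one after the other in a single block, separated by comments. The 'profile/save' route, the 'csrf-token' meta tag name and the view file name are assumptions; the config keys and defaults are CodeIgniter 3's own, and site_url() assumes the url helper is loaded.

```php
<?php
// Added example (not from the CodeIgniter docs): CSRF configuration plus a
// view that adds the token manually. Route and view names are hypothetical.

// --- file: application/config/config.php ---
$config['csrf_protection']   = TRUE;               // check every POST request
$config['csrf_token_name']   = 'csrf_test_name';   // POST field name (CI3 default)
$config['csrf_cookie_name']  = 'csrf_cookie_name'; // cookie name (CI3 default)
$config['csrf_expire']       = 7200;               // token lifetime in seconds
$config['csrf_regenerate']   = TRUE;               // fresh token after each submission
$config['csrf_exclude_uris'] = array();            // keep empty unless a URI truly needs no check

// --- file: application/views/profile_form.php ---
// In a CI3 view, $this is the controller, so the Security class is reachable.
?>
<!DOCTYPE html>
<html>
<head>
  <!-- For XMLHttpRequest/fetch callers: read name and value here and send them
       as a POST field; the server checks them exactly like a normal form post. -->
  <meta name="csrf-token"
        data-name="<?php echo html_escape($this->security->get_csrf_token_name()); ?>"
        content="<?php echo html_escape($this->security->get_csrf_hash()); ?>">
</head>
<body>
  <!-- A hand-written form (no form_open()) needs the hidden field added by hand. -->
  <form method="post" action="<?php echo site_url('profile/save'); ?>">
    <input type="hidden"
           name="<?php echo html_escape($this->security->get_csrf_token_name()); ?>"
           value="<?php echo html_escape($this->security->get_csrf_hash()); ?>">
    <input type="text" name="display_name">
    <button type="submit">Save</button>
  </form>
</body>
</html>
```

With csrf_regenerate set to TRUE, a page opened in a second tab before the first tab submits will carry a token that is no longer valid after that submission; if that is a problem for your application, set csrf_regenerate to FALSE and rely on csrf_expire to bound the token's lifetime instead.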
Class Reference
Class CI_Security
xss_clean ($str [, $is_image = FALSE])
Parameters - $str (mixed) - input string or an array of strings
Returns - XSS-clean data
Return-type - mixed
It removes XSS attempts from the input data and returns the clean string.
sanitize_filename ($str [, $relative_path = FALSE])
Parameters - $str (string) - File name/path
$relative_path (bool) - Whether to preserve any directories in the file path
Returns - Sanitized file name/path
Return-type - string
It prevents directory traversal and other security threats by sanitizing filenames. It is especially useful for files that were supplied via user input.
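The controller below is an added example (not from the CodeIgniter documentation) of serving a file whose name comes from the URL. sanitize_filename() strips traversal sequences and, with $relative_path left FALSE, any directory separators; the realpath() check afterwards confirms that the resolved file still lies under the intended base directory before anything is read. The Downloads controller and the uploads directory under FCPATH are assumptions; force_download() with NULL as the second argument is CodeIgniter 3's own way of sending a file from disk.

```php
<?php
// Added example (not from the CodeIgniter docs): user-selected file download
// with sanitize_filename() plus a realpath() containment check.
// Controller name and base directory are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Downloads extends CI_Controller
{
    // Directory that user-selected files must stay inside.
    private $base;

    public function __construct()
    {
        parent::__construct();
        $this->base = FCPATH . 'uploads';
        $this->load->helper('download');
    }

    public function get($name)
    {
        // $relative_path = FALSE (the default) removes '/' and './' as well as
        // '../', so the result is a bare file name with no directory component.
        // Passing TRUE instead keeps subdirectories, which makes the realpath()
        // check below essential rather than merely defensive.
        $clean = $this->security->sanitize_filename($name);

        // Inputs such as "../" are emptied by sanitizing; treat them as not found.
        if ($clean === '')
        {
            show_404();
        }

        $path = realpath($this->base . DIRECTORY_SEPARATOR . $clean);
        $root = realpath($this->base);

        // Defence in depth: verify the resolved path is inside the base directory.
        // realpath() also resolves symlinks, so a link pointing outside is rejected.
        if ($path === FALSE || $root === FALSE
            || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0
            || ! is_file($path))
        {
            show_404();
        }

        // Second argument NULL tells force_download() to read the file from disk.
        force_download($path, NULL);
    }
}
```

Sanitizing the name and checking the resolved path are complementary: the first keeps the name well-formed for logging and for building the path, the second is what actually guarantees containment, and it holds even if the bad-character list changes between releases.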
entity_decode ($str [, $charset = NULL])
Parameters - $str (string) - Input string
$charset (string) - Character set of the input string
Returns - Entity-decoded string
Return-type - string
It tries to detect HTML entities that do not end in a semicolon, since some browsers allow that.
If the $charset parameter is left empty, your configured value in $config['charset'] will be used.
get_random_bytes ($length)
Parameters - $length (int) - Output length
Returns - A binary stream of random bytes, or FALSE on failure.
Return-type - string
It is used for generating CSRF and XSS tokens.
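Because get_random_bytes() returns raw bytes (or FALSE), application code that wants its own token needs to handle the failure case and convert the bytes to a printable form. The controller below is an added example, not CodeIgniter's own code: it issues a single-use confirmation nonce for a destructive action, stores it in the session, and checks it with PHP's constant-time hash_equals(). The Account controller, the 'nonce_delete' session key, the 'account/confirm_delete' view and the 'nonce' POST field are assumptions; redirect() assumes the url helper is loaded.

```php
<?php
// Added example (not from the CodeIgniter docs): a per-action nonce built from
// get_random_bytes(), kept in the session and verified once.
// Controller, session key, view and field names are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Account extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
    }

    // Issue a fresh 32-byte token for the delete action and show the confirm page.
    public function confirm_delete()
    {
        $bytes = $this->security->get_random_bytes(32);
        if ($bytes === FALSE)
        {
            // No usable random source: refuse rather than fall back to something weak.
            show_error('Secure random source unavailable.', 500);
        }

        $token = bin2hex($bytes); // raw bytes -> 64 hex characters, safe in a form field
        $this->session->set_userdata('nonce_delete', $token);
        $this->load->view('account/confirm_delete', array('nonce' => $token));
    }

    public function delete()
    {
        $expected = $this->session->userdata('nonce_delete');
        $given    = (string) $this->input->post('nonce');

        // Single use: discard the stored value before comparing, so a replayed
        // request fails even if the comparison below is reached again.
        $this->session->unset_userdata('nonce_delete');

        // hash_equals() compares in constant time, avoiding a timing side channel
        // on how many leading characters of the token the caller got right.
        if ( ! is_string($expected) || $expected === '' || ! hash_equals($expected, $given))
        {
            show_error('Invalid or expired confirmation token.', 403);
        }

        // The actual account removal for the logged-in user would go here.
        $this->session->set_flashdata('notice', 'Account deleted.');
        redirect('/');
    }
}
```

This nonce is in addition to, not instead of, the framework's CSRF token: the CSRF check runs on every POST before the controller is reached, while the nonce ties one specific confirmation page to one specific destructive request.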