XSS Prevention
XSS stands for cross-site scripting. CodeIgniter ships with an XSS filtering security feature. This filter strips malicious JavaScript, or any other code that attempts to hijack cookies or perform other malicious actions, from submitted data. To run data through the XSS filter, use the xss_clean() method of the Security class as shown below.
$data = $this->security->xss_clean($data);
Use this function only when data is being submitted, not on every request, since the filter is comparatively expensive. The optional second Boolean parameter lets you check an image file for XSS payloads, which is useful in a file upload facility. When that parameter is TRUE the method does not return filtered data; it returns TRUE if the image is safe and FALSE otherwise. Note that xss_clean() is an input filter, not a substitute for escaping output: data rendered into HTML should still be passed through html_escape() in the view.
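The following is an added example, not code from the original page or from CodeIgniter itself. It shows the two forms of xss_clean() described above inside a CodeIgniter 3 controller (filtering submitted text, and checking an uploaded image with the second parameter), followed by the view escaping the values on output with html_escape(). The controller name, form field names, view name and the avatar field are assumptions.

```php
<?php
// Added example (not from the original page). Controller, field and view
// names are assumptions. Demonstrates input filtering with xss_clean(),
// the $is_image = TRUE variant on an upload, and html_escape() on output.
class Profile extends CI_Controller
{
    public function save()
    {
        // Filter on submission. Passing TRUE as the second argument of post()
        // runs the value through $this->security->xss_clean() for you.
        $display_name = $this->input->post('display_name', TRUE);

        // Same thing, calling the Security class directly.
        $bio = $this->security->xss_clean($this->input->post('bio'));

        // Image check: with $is_image = TRUE, xss_clean() takes the file
        // CONTENTS and returns a Boolean (TRUE = safe), not filtered data.
        if ( ! empty($_FILES['avatar']['tmp_name']))
        {
            $contents = file_get_contents($_FILES['avatar']['tmp_name']);
            if ($this->security->xss_clean($contents, TRUE) !== TRUE)
            {
                show_error('The uploaded image failed the XSS check.', 400);
            }
            // The Upload library performs this same check when its
            // preference $config['xss_clean'] is set to TRUE.
        }

        $this->load->view('profile/show', array(
            'display_name' => $display_name,
            'bio'          => $bio,
        ));
    }
}
?>
<?php /* ---- application/views/profile/show.php (assumed view file) ---- */ ?>
<!-- Input filtering above does not replace output escaping here. -->
<h1><?php echo html_escape($display_name); ?></h1>
<p><?php echo html_escape($bio); ?></p>
```

The view part matters as much as the controller: xss_clean() removes known attack patterns from input, while html_escape() makes whatever survived harmless in the HTML context where it is printed.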
SQL Injection Prevention
SQL injection is an attack on database queries that are built from untrusted input. In plain PHP this was traditionally prevented with the mysql_real_escape_string() function (removed in PHP 7) together with other techniques, but CodeIgniter provides built-in functions and libraries for it.
We can prevent SQL injection in CodeIgniter in the following three ways −
- Escaping Queries
- Query Binding
- Active Record Class
Escaping Queries
The $this->db->escape() function determines the data type of its argument; for string data it escapes the value and wraps it in single quotes, while numbers, Booleans and NULL are returned in their SQL form without quoting. It can therefore be concatenated directly into a query, and the string is never pasted in raw.
<?php
$username = $this->input->post('username');
// escape() adds the quotes itself, so the SQL needs none around the value
$query = 'SELECT * FROM subscribers_tbl WHERE user_name = '.
$this->db->escape($username);
$this->db->query($query);
?>
Query Binding
<?php
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));
?>
In the above example, each question mark (?) is replaced, in order, by the corresponding value in the array passed as the second parameter of the query() function. The main advantage of building queries this way is that the values are escaped automatically, which produces safe queries; the CodeIgniter engine does it for you, so you do not have to remember to escape each value. Two caveats: in CodeIgniter 3 the binding is done on the client side, by escaping the values and substituting them into the SQL string before it is sent, not with server-side prepared statements; and binding covers values only, never table or column names.
Active Record Class
<?php
$this->db->get_where('subscribers_tbl', array(
   'status' => 'active',
   'email'  => 'info@arjun.net.in'
));
?>
With the Active Record class (called the Query Builder in CodeIgniter 3), the query syntax is generated by each database adapter. It also yields safer queries, since the values are escaped automatically.
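The following is an added example, not code from the original page or from CodeIgniter. It places an injectable query beside the three techniques above in one CodeIgniter 3 model, and adds two cases the techniques do not cover on their own: LIKE wildcards in a search term, and a sort column chosen by the user. The model, table and column names are assumptions.

```php
<?php
// Added example (not from the original page). Model, table and column
// names are assumptions. Shows the injectable form of a lookup next to
// escaping, query binding and the Query Builder, plus LIKE wildcards and
// a user-chosen ORDER BY column, which escaping alone does not solve.
class Subscriber_model extends CI_Model
{
    // VULNERABLE: $email is pasted into the SQL unescaped. The input
    //   ' OR '1'='1
    // turns the WHERE clause into a tautology and returns every row.
    public function find_unsafe($email)
    {
        $sql = "SELECT * FROM subscribers_tbl WHERE email = '".$email."'";
        return $this->db->query($sql)->result();
    }

    // 1. Escaping: escape() quotes and escapes the string value.
    public function find_escaped($email)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE email = '.$this->db->escape($email);
        return $this->db->query($sql)->result();
    }

    // 2. Query binding: each ? is replaced by the escaped value, in order.
    public function find_bound($email, $status)
    {
        $sql = 'SELECT * FROM subscribers_tbl WHERE email = ? AND status = ?';
        return $this->db->query($sql, array($email, $status))->result();
    }

    // 3. Query Builder: values are escaped by the driver, and like()
    //    escapes the % and _ wildcards inside the search term itself.
    public function search($term, $status, $sort)
    {
        // Escaping and binding protect VALUES only. A column name taken
        // from the user must be checked against an allow-list instead.
        $allowed = array('email', 'created_at', 'status');
        if ( ! in_array($sort, $allowed, TRUE))
        {
            $sort = 'created_at';
        }

        return $this->db->select('id, email, status, created_at')
            ->from('subscribers_tbl')
            ->where('status', $status)
            ->like('email', $term)
            ->order_by($sort, 'ASC')
            ->limit(50)
            ->get()
            ->result();
    }

    // Manual LIKE: escape() does not neutralise % and _, so use
    // escape_like_str() and declare its escape character in the SQL.
    public function search_manual($term)
    {
        $sql = "SELECT id, email FROM subscribers_tbl WHERE email LIKE '%"
             .$this->db->escape_like_str($term)."%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }
}
```

The allow-list in search() is the part most often forgotten: a sort or column name from a request cannot be made safe by escaping, because it is an identifier, not a value, so it must be matched against a fixed set of known names.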
Hiding PHP Errors
In a production environment we usually do not want to display error messages to users; it is fine to enable them in the development environment for debugging. These messages may contain information (file paths, query text, stack traces) that should not be shown to site visitors for security reasons.
There are three CodeIgniter files related to error display.
PHP Error Reporting Level
Different environments require different levels of error reporting. By default, the development environment shows errors while testing and production hide them. The file index.php in the CodeIgniter root directory reads the ENVIRONMENT constant and sets the reporting level accordingly. Passing zero to error_reporting() hides all errors, but it also stops them from being logged; the production branch of index.php instead sets display_errors to 0 while keeping error_reporting on, so that errors can still be written to the log.
Database Error
Even if you have turned off PHP errors, MySQL errors are still displayed. You can turn these off in application/config/database.php by setting the db_debug option in the $db array to FALSE, as shown below. With db_debug off, a failed query no longer stops the request with an error page: query() returns FALSE, so your code must check the return value and call $this->db->error() itself.
$db['default']['db_debug'] = FALSE;
Error log
Another way is to send the errors to log files, so that they are not displayed to users of the site. Set the log_threshold value in the $config array in application/config/config.php to 1 (error messages only; 0 disables logging, and higher values add debug and informational messages) as shown below. Logs are written to application/logs, which must be writable by the web server and must not be reachable over the web.
$config['log_threshold'] = 1;
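The following is an added example, not code from the original page or from CodeIgniter. It gathers the three settings discussed above, using the CodeIgniter 3 default file locations and the shape of the environment switch that ships in index.php, and adds the check a controller must make itself once db_debug is off. The controller, method and table names are assumptions.

```php
<?php
// Added example (not from the original page). File paths are the
// CodeIgniter 3 defaults; the controller and table names are assumptions.
// One listing, three files, marked by the "----" comments.

// ---- index.php (CodeIgniter root): the environment picks the level.
// Set CI_ENV=production in the web server's environment on the live host.
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'development');

switch (ENVIRONMENT)
{
    case 'development':
        error_reporting(-1);              // report everything ...
        ini_set('display_errors', 1);     // ... and show it in the browser
        break;

    case 'testing':
    case 'production':
        ini_set('display_errors', 0);     // nothing reaches the visitor ...
        error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
            & ~E_USER_NOTICE & ~E_USER_DEPRECATED); // ... but errors still get logged.
        // error_reporting(0) would also hide them, but then nothing is logged either.
        break;
}

// ---- application/config/database.php: no database error pages in production.
$db['default']['db_debug'] = (ENVIRONMENT !== 'production');

// ---- application/config/config.php: write errors to application/logs/
// (the directory must be writable by the web server and not web-accessible).
$config['log_threshold'] = 1;   // 0 = off, 1 = errors, 2 = +debug, 3 = +info, 4 = all

// ---- application/controllers/Report.php
// With db_debug FALSE a failing query no longer aborts the request: query()
// returns FALSE and the details are available only from $this->db->error().
class Report extends CI_Controller
{
    public function daily()
    {
        $result = $this->db->query('SELECT COUNT(*) AS n FROM subscribers_tbl');

        if ($result === FALSE)
        {
            $err = $this->db->error();   // array('code' => ..., 'message' => ...)
            log_message('error', 'Report query failed: ['.$err['code'].'] '.$err['message']);
            // Generic message for the visitor; the full detail is in the log only.
            show_error('The report is temporarily unavailable.', 500);
        }

        echo $result->row()->n;
    }
}
```

Keying db_debug on ENVIRONMENT, as CodeIgniter 3's own database.php does, keeps the helpful error pages in development while guaranteeing they never appear on the live site.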
CSRF Prevention
CSRF stands for cross-site request forgery. You can prevent this attack by enabling CSRF protection in the application/config/config.php file as shown below.
$config['csrf_protection'] = TRUE;
When you create a form with the form_open() function, it automatically inserts the CSRF token as a hidden field. You can also add the token manually using the get_csrf_token_name() and get_csrf_hash() methods of the Security class: get_csrf_token_name() returns the name of the hidden field and get_csrf_hash() returns the token value. Note that CodeIgniter 3 verifies the token only on POST requests, so state-changing actions must not be reachable via GET.
The CSRF token can either be regenerated on every submission or kept the same for the life of the CSRF cookie. Setting the 'csrf_regenerate' key in the config array to TRUE regenerates the token on each request, as shown below. Regeneration is the safer setting, but forms opened in several tabs, or requests sent by AJAX, then need to obtain the current token, since the previous one is no longer valid.
$config['csrf_regenerate'] = TRUE;
You can also exclude URIs from CSRF protection by listing them in the config array under the key 'csrf_exclude_uris', as shown below; regular expressions are allowed. Any URI excluded this way, such as an API endpoint, needs another defence, for example an authentication token checked by the controller, because it is no longer protected against forged requests.
$config['csrf_exclude_uris'] = array('api/person/add');
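The following is an added example, not code from the original page or from CodeIgniter. It shows the CSRF keys discussed above in one config fragment, a view that inserts the token by hand with get_csrf_token_name() and get_csrf_hash() (equivalent to what form_open() emits), and a small endpoint that hands the current token to AJAX callers, which is needed once csrf_regenerate is TRUE. The controller, route, view and field names are assumptions, and the url helper is assumed to be loaded.

```php
<?php
// Added example (not from the original page). Controller, route, view
// and field names are assumptions. One listing, three files.

// ---- application/config/config.php
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_test_name';   // CodeIgniter 3 default field name
$config['csrf_cookie_name']  = 'csrf_cookie_name'; // CodeIgniter 3 default cookie name
$config['csrf_expire']       = 7200;               // token lifetime in seconds
$config['csrf_regenerate']   = TRUE;               // fresh token on every request
// Excluded URIs receive no CSRF check at all, so each of them must be
// protected by other means (e.g. an API token verified by the controller).
$config['csrf_exclude_uris'] = array('api/person/add', 'api/webhook/[a-z0-9]+');
?>
<?php /* ---- application/views/subscribers/form.php (assumed view file) ---- */ ?>
<form method="post" action="<?php echo site_url('subscribers/add'); ?>">
  <!-- Same hidden field form_open() would emit, written by hand. -->
  <input type="hidden"
         name="<?php echo $this->security->get_csrf_token_name(); ?>"
         value="<?php echo $this->security->get_csrf_hash(); ?>">
  <input type="email" name="email">
  <button type="submit">Subscribe</button>
</form>
<?php
// ---- application/controllers/Csrf.php (assumed)
// CodeIgniter 3 reads the token from $_POST only, not from a request
// header, so an AJAX client must fetch the current name/value pair and
// include it as a form field in the body of every POST it sends.
class Csrf extends CI_Controller
{
    public function token()
    {
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'name' => $this->security->get_csrf_token_name(),
                'hash' => $this->security->get_csrf_hash(),
            )));
    }
}
```

With csrf_regenerate TRUE, the token returned by this endpoint is valid for exactly one subsequent POST; a client that reuses it will be rejected and must call the endpoint again.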
Password Handling
Many developers do not know how to handle passwords in web applications, which is probably why attackers find it so easy to break into their systems. Keep the following points in mind when handling passwords −
- Do not store passwords in plain-text format.
- Always hash your passwords.
- Do not use Base64 or similar encoding for storing passwords; encoding is reversible and is not hashing.
- Do not use weak or broken hashing algorithms such as MD5 or SHA1. Use only strong, deliberately slow password hashing algorithms such as BCrypt, which is what PHP's own password hashing functions use.
- Never display or send a password in plain-text format.
- Do not set unnecessary limits on your users' passwords.
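The following is an added example, not code from the original page or from CodeIgniter. It applies the points above in a minimal CodeIgniter 3 model using PHP's own password_hash(), password_verify() and password_needs_rehash() functions, including the rehash-on-login step that upgrades stored hashes when the cost or algorithm changes. The model, table and column names are assumptions.

```php
<?php
// Added example (not from the original page). Model, table and column
// names are assumptions. Uses PHP's built-in password hashing (bcrypt via
// PASSWORD_DEFAULT); the stored value is the hash, never the password.
class User_model extends CI_Model
{
    // Raise the cost as hardware gets faster. Stored hashes carry their own
    // cost, so older ones keep verifying and are upgraded on next login.
    const HASH_COST = 12;

    public function create($email, $password)
    {
        // Never store $password itself, nor base64/MD5/SHA1 of it.
        // bcrypt uses only the first 72 bytes of the input; apply no other limit.
        $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => self::HASH_COST));

        return $this->db->insert('users', array(
            'email'         => $email,
            'password_hash' => $hash,
        ));
    }

    // Returns the user row on success, FALSE otherwise. The caller should
    // report the same generic "invalid credentials" message in both the
    // unknown-user and wrong-password cases.
    public function authenticate($email, $password)
    {
        $user = $this->db->get_where('users', array('email' => $email))->row();

        if ( ! $user || ! password_verify($password, $user->password_hash))
        {
            return FALSE;
        }

        // Transparent upgrade: if HASH_COST or PASSWORD_DEFAULT has changed
        // since this hash was made, replace it now while we hold the password.
        if (password_needs_rehash($user->password_hash, PASSWORD_DEFAULT, array('cost' => self::HASH_COST)))
        {
            $this->db->update(
                'users',
                array('password_hash' => password_hash($password, PASSWORD_DEFAULT, array('cost' => self::HASH_COST))),
                array('id' => $user->id)
            );
        }

        return $user;
    }
}
```

password_verify() reads the algorithm, cost and salt from the stored hash itself and compares in constant time, so no separate salt column is needed and no comparison code has to be written by hand.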