CodeIgniter Forums
CodeIgniter and Security - Printable Version

Thread: CodeIgniter and Security (/thread-70403.html)



CodeIgniter and Security - dennisphartz - 04-05-2018

I am a newbie to coding. I've been in it for just over a month. PHP was my beginning and now I am looking to learn a framework, and CodeIgniter was suggested by one of my friends who is a developer. Coming from finance this is a tough period of transition for me and I want to make this right. So the other day I was talking to another friend who works in IT; I think his company does IT security services. So I asked for his advice on my career change and he said only one thing: "Only learn things that are secure, because cybersecurity is the next big problem for IT."
This has actually got me thinking. I know there are a lot of experts here. What can all of you tell me about the security of CodeIgniter? Is it really secure enough? I am eagerly waiting for your opinions.



RE: CodeIgniter and Security - dmyers - 04-05-2018

I guess this question for me needs more input: are you talking about the security of your files or the security of your data? File security is controlled mostly by your Web Server. CodeIgniter can be set up so that only the index.php file is "available" in the publicly accessible "root" folder. In addition, if you still set up your CodeIgniter Application where you have everything in your public "root" folder (which I don't recommend), CI still includes

PHP Code:
defined('BASEPATH') OR exit('No direct script access allowed'); 

at the top of every CodeIgniter File and you should do the same. Again, I recommend just putting everything below the public root and exposing just index.php. Then make sure your Web Server is set up correctly.

When it comes to your data you need to clean your form input and make sure your database is secure. Make sure the web site database user has the minimum needed permissions to do its job. Don't use the DB root login!

You can easily clean your form input using the form validation library https://www.codeigniter.com/user_guide/libraries/form_validation.html as well as the Security Class https://www.codeigniter.com/user_guide/libraries/security.html.

Even after validating the input, make sure you escape your output: https://www.codeigniter.com/user_guide/helpers/form_helper.html?highlight=escape

Following that should get you headed in the right direction.

DMyers
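The three steps dmyers lists (validate input, keep the DB user limited, escape output) as one CodeIgniter 3.x controller; this is an added example, not code from the post or from the CodeIgniter user guide. It assumes a hypothetical `users` table with `username` and `email` columns, a low-privilege DB user configured in application/config/database.php, and `$config['csrf_protection'] = TRUE` in application/config/config.php so that `form_open()` emits the CSRF token field.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not from the forum post or the CodeIgniter docs).
// Assumes a hypothetical `users` table (username, email) and CSRF protection
// enabled in config.php; database.php should connect as a user that can only
// SELECT/INSERT on the tables this app needs, never as root.
class Register extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('form', 'url'));
        $this->load->library('form_validation');
        $this->load->database();
    }

    public function index()
    {
        // 1. Validate input with an allow-list of rules: say what is acceptable
        //    instead of trying to strip out what looks dangerous.
        $this->form_validation->set_rules('username', 'Username',
            'required|trim|alpha_numeric|min_length[3]|max_length[32]');
        $this->form_validation->set_rules('email', 'Email',
            'required|trim|valid_email|max_length[254]');

        if ($this->form_validation->run() === FALSE) {
            // form_open() adds the hidden CSRF token field when csrf_protection is on.
            echo form_open('register');
            echo validation_errors('<p class="error">', '</p>');
            echo form_input('username') . form_input('email');
            echo form_submit('submit', 'Register') . form_close();
            return;
        }

        // 2. Store with Query Builder, which escapes the bound values for SQL;
        //    no string-built queries, and the DB user has only the rights it needs.
        $username = $this->input->post('username');
        $this->db->insert('users', array(
            'username' => $username,
            'email'    => $this->input->post('email'),
        ));

        // 3. Escape on output: data that passed validation is still not HTML-safe
        //    until html_escape() (a CodeIgniter common function) has run over it.
        $row = $this->db->get_where('users', array('username' => $username))->row();
        echo '<p>Welcome, ' . html_escape($row->username) . '</p>';
    }
}
```

The `defined('BASEPATH')` guard on the first line is the same one dmyers quotes; it only matters if the file is reachable directly, which keeping the application folder below the public root avoids in the first place.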