CodeIgniter Forums
Protecting a CI site - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12)
+--- Thread: Protecting a CI site (/showthread.php?tid=73491)



Protecting a CI site - MarkWS7M - 04-29-2019

Hi All,

It seems like the protections in CI are pretty good.  From what I can see/read:

Remote execution:  This can be handled with careful crafting of htaccess and the fact that CI files all start with the "no direct script access" code.

SQL injection:  Seems to be handled by the post methods in CI, which filter for this.  Is this correct?

XSS attacks:  There seems to be a built-in filter in CI that takes care of this.

I also see the DB class has escape functions.  

So all the posts on the web about needing/requiring PDO seem like perhaps CI can take care of most all concerns.

What else are people doing?

My plans for our site are:

1) Registrations will be protected so that the same IP can't flood the system with registration requests, i.e. registering too fast.
2) Registrations require a valid email to complete or they automatically delete in 7 days.
3) I plan to use all hints in CI about how to fill data in SQL statements to prevent security holes.
4) MD5 for passwords
etc.

Just wondering what the masses using CI are doing as well to make robust strong sites.

thanks in advance!


RE: Protecting a CI site - InsiteFX - 04-29-2019

Use https://

Secure Socket Layer.


RE: Protecting a CI site - Avega Soft - 04-29-2019

Don't use MD5 for hashing the password.  Use the special PHP functions password_hash and password_verify for that.


RE: Protecting a CI site - michael.j - 05-03-2019

Yeah - don't use md5. You should go with bcrypt or argon2 as they provide more options to hash passwords. For example cost(10) is the standard cost for hashing passwords with bcrypt. Higher values result in stronger hashes but need more hardware power. I currently use bcrypt with cost of 14. Same for Argon2 algorythm, which provides options for "memory_cost", "time_cost" and "threads".