Starting with CodeIgniter setup: suggestions & best practices


Read up on SQL injection, XSS (CSS), CSRF (XSRF) and understand them before you decide if you need measures against them or not. Also read up in the CI user guide on the security guidelines and XSS filtering from the Input class. Probably the most important guideline is to validate and check all the input from users before any kind of interaction with your database, filesystem, etc.
There's a pretty good overview of all the issues and some solutions in Writing secure PHP.

SQL Injection
Using CI's Active Record should take care of this problem.

Be aware which parts of your site are vulnerable to attacks of this kind and be sure to filter all user input when you can't be 100% sure the user is to be trusted.

As of CI 2.0 support for tokens is built in; this is explained at the bottom of the Security class docs. To learn more you can do a Google search on "CSRF tokens" for protecting simple form submissions and actions done by URL. Or for AJAX operations search Google for "double cookie submission".

Always protect your email forms, comment forms and any other kind of free user-submitted data against spamming. The easy way is to only allow each IP/user agent to submit once every minute; while that doesn't protect against hackers & bots it does protect you against the usual internet trolls.
The best way is to use a CAPTCHA like reCAPTCHA to protect email & comment forms on your website. You can search the forums on how to integrate reCAPTCHA with CI. CI 2 also provides a CAPTCHA helper.

Write good clean code and understand your code; don't just copy-paste the stuff others wrote, and always look for ways to improve your code. Just never ever sacrifice security for performance. The PHP Style Guide from the CodeIgniter manual is a very good place to learn to write better code.

Don't Repeat Yourself. Put shared code where it belongs: in libraries, helpers or models, but not in controllers. Definite rule of thumb: when you're copy-pasting code, you probably just put it in the wrong place for a second time.

Caching is a pretty good way to improve performance; especially the amount of database operations needed can be scaled back easily by using cache. Take a look into page caching & database caching, and Caching drivers.

HTTP headers
On the client side you can improve performance by sending HTTP headers along that instruct the browser to keep your stuff in its cache. This is also good to read up on when using AJAX because you'll need to disable browser cache for those operations. Google it!

Example for AJAX return data (that shouldn't be browser-cached at all):
// Always-fresh Last-Modified so a conditional request never matches
$this->output->set_header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// HTTP/1.1: do not store, do not serve from cache without revalidating
$this->output->set_header("Cache-Control: no-store, no-cache, must-revalidate");
// Second Cache-Control line is appended, not replaced (FALSE = don't replace); the
// pre-check/post-check tokens are legacy IE-only directives
$this->output->set_header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0 caches
$this->output->set_header("Pragma: no-cache");

Example for things that should be kept for a long time (like css, javascripts):
// Cache for 30 days (2592000 s) in the browser only ("private"), not in shared proxies
$this->output->set_header('Cache-Control: private, pre-check=0, post-check=0, max-age=2592000');
// Expires for HTTP/1.0 clients; gmdate() gives the same RFC 1123 format as the original
// gmstrftime() call, which is deprecated as of PHP 8.1
$this->output->set_header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 2592000) . ' GMT');
// A Last-Modified slightly in the past so If-Modified-Since revalidation can hit
$this->output->set_header('Last-Modified: ' . gmdate('D, d M Y H:i:s', time() - 20) . ' GMT');

Database access & ORM
CodeIgniter has a library called Active Record (AR) that can help you write your queries without writing any SQL. It's pretty powerful and the better way to go when you're no SQL expert or aren't sure how to protect your queries against SQL injection.

When you need more power an Object Relational Mapper (ORM) might be the thing for you, and while CI doesn't come with an ORM there are some options out there that are all very good.
The most popular is probably DataMapper OverZealous Edition (DMZ). Others are Doctrine (there's a tutorial on PHP and stuff) and RapidDataMapper.

User auth & ACL
A very much debated topic since it doesn't come with CI, and there are as many who think it should as there are who think the opposite. All I can advise you on this is to search the forums and look for a system that's still active, has good security and integrates easily into your application. Or research the examples and write your own.

At this point I would recommend Ion Auth; it's very well written and probably a lot better than you'd write on your first try. And if you are planning on writing your own, read through it for inspiration.

Anything else?
Search the forums and the wiki, and if you can't find it you can always ask.

Did I forget anything or get anything wrong? Reply and I'll look into it.

Messages In This Thread
Starting with CodeIgniter setup: suggestions & best practices - by El Forum - 08-08-2009, 11:59 AM
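The SQL injection and XSS points in the post above, shown in code. This is an added example and not code from the original post or from CodeIgniter itself; it assumes a CodeIgniter 2.x install (CI_Model, $this->db with Active Record, the Input class) and a hypothetical `users` table with `username`, `email` and `active` columns. The first method is deliberately vulnerable for comparison; the other two show query bindings and Active Record, plus the one gap Active Record leaves open (identifiers are not escaped like values are).

```php
<?php
// Added example (not from the original post). Assumes CodeIgniter 2.x and a
// hypothetical `users` table with username / email / active columns.

class User_model extends CI_Model
{
    // VULNERABLE: the untrusted value is spliced straight into the SQL string.
    // A username of   ' OR '1'='1   turns the WHERE clause into a tautology
    // and returns the first row of the table, whoever that is.
    public function find_by_username_unsafe($username)
    {
        $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->row();
    }

    // HARDENED with query bindings: each `?` is replaced by the escaped value,
    // so a quote inside $username stays inside the string literal.
    public function find_by_username($username)
    {
        $sql = "SELECT * FROM users WHERE username = ? AND active = ?";
        return $this->db->query($sql, array($username, 1))->row();
    }

    // HARDENED with Active Record: values passed to like()/where() are escaped
    // by the driver. Escaping covers VALUES only; a column name handed to
    // order_by() or select() is an identifier, so anything that comes from the
    // request must be whitelisted first instead of trusted.
    public function search($term, $sort_column)
    {
        $allowed = array('username', 'email');          // identifier whitelist
        if ( ! in_array($sort_column, $allowed, TRUE))
        {
            $sort_column = 'username';
        }

        return $this->db
            ->like('username', $term)                    // value: escaped
            ->where('active', 1)                         // value: escaped
            ->order_by($sort_column, 'asc')              // identifier: whitelisted
            ->get('users')
            ->result();
    }
}

// Controller side: input filtering on the way in, escaping on the way out.
class Users extends CI_Controller
{
    public function lookup()
    {
        $this->load->model('user_model');

        // Second argument TRUE runs the Input class XSS filter on the value.
        $name = $this->input->get('name', TRUE);
        $user = $this->user_model->find_by_username($name);

        // XSS: data is escaped for the HTML context where it is printed,
        // regardless of what the input filter did earlier.
        $label = $user ? $user->email : 'no such user';
        echo '<p>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

The point of `search()` is the caveat that Active Record takes care of values but not of column or table names, so "using Active Record" alone is not the whole answer when sorting or selecting is driven by the query string.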
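The CSRF, "double cookie submission" for AJAX, anti-spam throttle and no-cache header points from the post, put together in one controller. This is an added example and not code from the original post or from CodeIgniter; it assumes CodeIgniter 2.x with CSRF protection enabled in application/config/config.php (`$config['csrf_protection'] = TRUE;` together with the `csrf_token_name`, `csrf_cookie_name` and `csrf_expire` settings), the form helper and the file cache driver. The `Comments` controller, its routes and the `throttle()`/`no_cache()` helpers are hypothetical names chosen for the example.

```php
<?php
// Added example (not from the original post). Assumes CodeIgniter 2.x with
// $config['csrf_protection'] = TRUE in application/config/config.php. With
// that on, the Security class compares the POSTed token field with the CSRF
// cookie and rejects a mismatch before any controller runs, so the controller
// only has to hand the token to the client and keep the responses uncached.

class Comments extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('form', 'url'));
        $this->load->driver('cache', array('adapter' => 'file'));
    }

    // Classic HTML form: form_open() inserts the hidden CSRF field itself
    // whenever csrf_protection is enabled, so nothing extra is needed here.
    public function index()
    {
        echo form_open('comments/submit');
        echo form_textarea('body');
        echo form_submit('go', 'Post comment');
        echo form_close();
    }

    // Token handout for AJAX clients ("double cookie submission"): the script
    // must send `hash` back as the POST field called `name`. A page on another
    // origin cannot read the cookie, so it cannot forge a matching pair.
    public function token()
    {
        $this->no_cache();
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array(
                'name' => $this->security->get_csrf_token_name(),
                'hash' => $this->security->get_csrf_hash(),
            )));
    }

    // Reached only after the CSRF check passed.
    public function submit()
    {
        // Post's easy anti-spam measure: one submission per IP per minute.
        // Behind a reverse proxy, ip_address() needs config's proxy_ips set
        // or every client shares the proxy's address and one bucket.
        if ( ! $this->throttle($this->input->ip_address(), 60))
        {
            show_error('Please wait a minute before posting again.', 429);
        }

        // TRUE runs the Input class XSS filter; still escape when displaying.
        $body = $this->input->post('body', TRUE);
        if ($body === FALSE OR trim($body) === '')
        {
            show_error('Empty comment.', 400);
        }

        // ... store $body through a model that uses query bindings ...

        $this->no_cache();
        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode(array('ok' => TRUE)));
    }

    // FALSE if $key was seen within the last $seconds, otherwise records it.
    private function throttle($key, $seconds)
    {
        $cache_key = 'throttle_' . md5($key);
        if ($this->cache->get($cache_key) !== FALSE)
        {
            return FALSE;
        }
        $this->cache->save($cache_key, time(), $seconds);
        return TRUE;
    }

    // The post's no-cache header set, wrapped so every AJAX action uses it.
    private function no_cache()
    {
        $this->output->set_header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
        $this->output->set_header('Cache-Control: no-store, no-cache, must-revalidate');
        $this->output->set_header('Cache-Control: post-check=0, pre-check=0', FALSE);
        $this->output->set_header('Pragma: no-cache');
    }
}
```

The AJAX client fetches `comments/token`, then includes the returned `name`/`hash` pair as a POST field on every state-changing request; because the token is regenerated per cookie lifetime, caching the token response would hand out a stale value, which is why `token()` sends the no-cache headers as well.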

