Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming Starting with CodeIgniter setup: suggestions & best practices
Starting with CodeIgniter setup: suggestions & best practices
  • El Forum
    Guest
  •  
#2
08-08-2009, 11:59 AM

[eluser]Jelmer[/eluser]
Security

Read up on SQL injection, XSS (CSS), CSRF (XSRF) and understand them before you decide if you need measures against them or not. Also read up in the CI user guide on the security guidelines and XSS filtering from the Input class. Probably the most important guidline is to validate and check all the input from users before any kind of interaction with your database, filesystem, etc.
There's a pretty good overview of all the issues and some solutions Writing secure PHP.

SQL Injection
Using CI's Active Record should take care of this problem.

XSS
Be aware which parts of your site are vulnerable to attacks of this kind and be sure to filter all user input when you can't be a 100% sure the user is to be trusted.

CSRF
As of CI2.0 support for tokens is built in, this is explained on the bottom of the Security class docs. To learn more you can do a google search on "CSRF tokens" for protecting simple form submissions and actions done by URL. Or for AJAX operations search Google for "double cookie submission".

SPAM
Always protect your email forms, comment forms and any other kind of free user submitted data against spamming. The easy way is to only allow each IP/User agent to submit once every minute, while that doesn't protect against hackers & bots it does protect you against the usual internet trolls.
The best way is to use Captcha like reCAPTCHA to protect email & comment forms on your website. You can search the forums on how to intergrate reCAPTCHA with CI. CI2 also provides a CAPTCHA helper.

Performance
Write good clean code and understand your code, don't just copy paste the stuff others wrote and always look for ways to improve your code. Just never ever sacrifice security for performance. The PHP Style guide from the CodeIgniter manual is a very good place to learn to write better code.

DRY
Don't Repeat Yourself. Put shared code where it belongs: in libraries, helpers or models, but not in controllers. Definite rule of thumb: when you're copy-pasting code, you probably just put it in the wrong place for a second time.

Caching
Caching is a pretty good way to improve performance, especially the ammount of database operations needed can be scaled back easily by using cache. Take a look into page caching & database caching, and Caching drivers.

HTTP headers
On the client side you can improve performance by sending HTTP headers along that instruct the browser to keep your stuff in it's cache. This is also good to read up on when using AJAX because you'll need to disable browser-cache for those operations. Google it!

Example for AJAX return data (that shouldn't be browser-cached at all):
Code:
$this->output->set_header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
$this->output->set_header("Cache-Control: no-store, no-cache, must-revalidate");
$this->output->set_header("Cache-Control: post-check=0, pre-check=0", false);
$this->output->set_header("Pragma: no-cache");

Example for things that should be kept for a long time (like css, javascripts):
Code:
$this->output->set_header('Cache-Control: private, pre-check=0, post-check=0, max-age=2592000');
$this->output->set_header('Expires: ' . gmstrftime("%a, %d %b %Y %H:%M:%S GMT", time() + 2592000));
$this->output->set_header('Last-Modified: ' . gmstrftime("%a, %d %b %Y %H:%M:%S GMT", time() - 20));

Database access & ORM
CodeIgniter has a library called Active Record (AR) that can help you write your queries without writing any SQL. It's pretty powerful and the better way to go when you're no SQL expert or aren't sure how to protect your queries against SQL injections.

When you need more power an Object Relational Mapper (ORM) might be the thing for you, and while CI doesn't come with an ORM there are some options out there that are all very good.
The most populair is probably DataMapper OverZealous Edition (DMZ). Others are Doctrine (there's a tutorial on PHP and stuff) and RapidDataMapper.

User auth & ACL
A very much debated topic since it doesn't come with CI and there are as many who think it should, as there are who think the opposite. All I can advise you on this is to search the forums and look for a system that's still active, has good security and that intergrates easily into your application. Or research the examples and write your own.

At this point I would recommend Ion Auth, it's very well written and probably alot better than you'd write on your first try. And if you are planning on writing your own, read through it for inspiration.

Anything else?
Search the forums and the wiki, and if you can't find it you can always ask.

Did I forget anything or get anything wrong? Reply and I'll look into into it.


Messages In This Thread
Starting with CodeIgniter setup: suggestions & best practices - by El Forum - 08-08-2009, 11:59 AM



Theme © iAndrew 2016 - Forum software by © MyBB