CodeIgniter Forums

Full Version: Protecting a CI site
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi All,

It seems like the protections in CI are pretty good.  From what I can see/read:

Remote execution:  This can be handled with careful crafting of htaccess and the fact that CI files all start with the "no direct script access" code.

SQL injection:  Seems to be handled by the post methods in CI which filters for this.  Is this correct?

XSS attacks.  Seems to be a built in filter in CI takes care of this.

I also see the DB class has escape functions.  

So all the posts on the web about needing/requiring PDO seem like perhaps CI can take care of most all concerns.

What else are people doing?

My plans for our site are:

1) Registrations will be protected so that the same IP can't flood the system with registration requests.  IE registering too fast.
2) Registrations require a valid email to complete or they automatically delete in 7 days.
3) I plan to use all hints in CI about how to fill data in SQL statements to prevent security holes
4) MD5 for passwords
etc.

Just wondering what the masses using CI are doing as well to make robust strong sites.

thanks in advance!
Use https://

Secure Socket Layer.
(04-29-2019, 03:53 PM)MarkWS7M Wrote: [ -> ]Hi All,

It seems like the protections in CI are pretty good.  From what I can see/read:

Remote execution:  This can be handled with careful crafting of htaccess and the fact that CI files all start with the "no direct script access" code.

SQL injection:  Seems to be handled by the post methods in CI which filters for this.  Is this correct?

XSS attacks.  Seems to be a built in filter in CI takes care of this.

I also see the DB class has escape functions.  

So all the posts on the web about needing/requiring PDO seem like perhaps CI can take care of most all concerns.

What else are people doing?

My plans for our site are:

1) Registrations will be protected so that the same IP can't flood the system with registration requests.  IE registering too fast.
2) Registrations require a valid email to complete or they automatically delete in 7 days.
3) I plan to use all hints in CI about how to fill data in SQL statements to prevent security holes
4) MD5 for passwords
etc.

Just wondering what the masses using CI are doing as well to make robust strong sites.

thanks in advance!


Don't use MD5 for hashing the password.  Use a speacial php-functions password_hash and password_verify for that.
Yeah - don't use md5. You should go with bcrypt or argon2 as they provide more options to hash passwords. For example cost(10) is the standard cost for hashing passwords with bcrypt. Higher values result in stronger hashes but need more hardware power. I currently use bcrypt with cost of 14. Same for Argon2 algorythm, which provides options for "memory_cost", "time_cost" and "threads".