Security with CI
#1

My first CI web app is now at the final stages. I've been reading articles about security for a while, especially the last couple of days. But now I want to seriously understand what the risks are specifically re: the CI 3.1.2 framework I'm using. I'd like to understand what I need to do to make this app as secure as possible.

In this app there is no important user information like credit card numbers or social security numbers used, much less stored in the db (MySQL). But I'd like to be sure my app does not become a path into my users' computers for others, or endanger my users' security in any other way.

Currently I am using query builder (in models) for all my db transactions. I am using XSS filtering and form validation in the logon controller. I expect I should add XSS filtering for all other user input instances as a matter of course. So far I can't wrap my brain around CSRF filtering and so hesitate to use it. I have no forms except for logon. All user events, mostly mouse clicks on elements, are registered with js/jq code, and I use $.post() calls and controller echoes for communicating with the server.

Ideally, I'd like to find an article that says

a) here are the risks for any web app. (I've actually read several of those.)
b) here are the risks that CI mitigates or eliminates automatically if you use . . . . and
c) here are the risks that I definitely need to competently configure my code to deal with, and perhaps advice on best practices.

Ideally, some of you longtime CI users know about a good article, book, video lecture or course like this out there someplace. If not maybe you could point me in whatever direction might get me headed where I'd like to go. Thanks in advance for any wisdom you could pass along.
Reply
#2

Yes I would like this as well. In particular, the xss_clean function, which seems to have some confusion around it, regarding whether or not it is still supported. Apparently you are supposed to filter for xss on output, but does CI include any function for this?
Reply
#3

(This post was last modified: 03-28-2018, 11:24 AM by jreklund.)

You should not use xss_clean on input
https://www.codeigniter.com/user_guide/i...ation-rule

Use html_escape on output instead
https://www.codeigniter.com/user_guide/g...tml_escape

If you need users to submit HTML, use
http://htmlpurifier.org/

If users submit data with AJAX they are still vulnerable to CSRF, so please add that.
Reply
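An added example, not from the thread and not CodeIgniter's own code, of what post #3's advice looks like in a CI 3.1.x controller that is driven by $.post() calls: input is validated but not xss_clean'ed, text is html_escape'd at the output boundary, HTMLPurifier is used only for the one field where users may submit HTML, and every response carries the current CSRF token so the next AJAX POST can include it. The controller name, the `comments` table and its columns, and the client protocol are assumptions for illustration; CI's own APIs used here (`form_validation`, Query Builder, `html_escape`, `$this->security->get_csrf_token_name()` / `get_csrf_hash()`, `$this->output`) are real. It assumes `$config['csrf_protection'] = TRUE` in application/config/config.php and, for the purifier, that HTMLPurifier is installed via Composer with `$config['composer_autoload']` enabled.

```php
<?php
// Added example (hypothetical controller, not part of the thread or of CodeIgniter).
// Assumes CI 3.1.x, csrf_protection = TRUE, and a table `comments`
// with columns id, body (plain text) and body_html (user-supplied HTML).
defined('BASEPATH') OR exit('No direct script access allowed');

class Comments extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('form_validation');
        // CSRF: with csrf_protection = TRUE, CI rejects any POST whose
        // csrf_test_name field does not match the csrf_cookie_name cookie.
        // Nothing to do here except make sure the client sends the field.
    }

    // POST /comments/add : called from the page with $.post()
    public function add()
    {
        // Validate and trim, but store what the user typed. No xss_clean on input:
        // it mangles legitimate text and the escaping belongs at output time.
        $this->form_validation->set_rules('body', 'Comment', 'required|trim|max_length[2000]');
        $this->form_validation->set_rules('body_html', 'Rich text', 'max_length[20000]');
        if ($this->form_validation->run() === FALSE) {
            return $this->_json(array('ok' => FALSE, 'errors' => $this->form_validation->error_array()), 422);
        }

        $row = array(
            'body'      => $this->input->post('body'),
            // The only place a sanitizer belongs: a field that must contain HTML.
            // HTMLPurifier rewrites it to a safe whitelist instead of regex-stripping.
            'body_html' => $this->_purify((string) $this->input->post('body_html')),
        );
        // Query Builder binds values, which covers SQL injection.
        $this->db->insert('comments', $row);
        return $this->_json(array('ok' => TRUE, 'id' => $this->db->insert_id()));
    }

    // GET /comments/recent : JSON the page renders with jQuery
    public function recent()
    {
        $rows = $this->db->order_by('id', 'DESC')->limit(20)->get('comments')->result();
        $out = array();
        foreach ($rows as $row) {
            $out[] = array(
                'id'        => (int) $row->id,
                // Plain text escaped at the output boundary. Only do this if the
                // client inserts it as HTML (.html()/.append()); if the client uses
                // .text(), escape on exactly one side or you double-encode.
                'body'      => html_escape($row->body),
                // Already purified on the way in; safe to hand over as HTML.
                'body_html' => $row->body_html,
            );
        }
        return $this->_json(array('ok' => TRUE, 'comments' => $out));
    }

    private function _purify($html)
    {
        // Assumes HTMLPurifier is autoloaded via Composer (not bundled with CI).
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li');
        $config->set('URI.AllowedSchemes', array('http' => TRUE, 'https' => TRUE));
        $purifier = new HTMLPurifier($config);
        return $purifier->purify($html);
    }

    private function _json(array $payload, $status = 200)
    {
        // With csrf_regenerate = TRUE (the default) the token changes on every
        // request, so return the fresh one with each response; the client copies
        // it into its next $.post() data under the given name. This also works
        // when cookie_httponly = TRUE, where JavaScript cannot read the CSRF cookie.
        $payload['csrf'] = array(
            'name' => $this->security->get_csrf_token_name(),
            'hash' => $this->security->get_csrf_hash(),
        );
        $this->output
            ->set_status_header($status)
            ->set_content_type('application/json')
            ->set_output(json_encode($payload));
    }
}
```

On the client, the jQuery side reads `response.csrf.name` and `response.csrf.hash` from the last reply and adds `data[name] = hash` to the next `$.post()`; a POST without a valid token is refused by CI with its "The action you have requested is not allowed" error page, not JSON, so the AJAX error handler should expect that. Check the configuration with `grep csrf application/config/config.php`: `csrf_protection` must be TRUE, and anything listed in `csrf_exclude_uris` is unprotected.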
#4

This is a great site for PHP security, etc.:

PARAGON INITIATIVE
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#5

I checked for replies for the first few days but gave up. Just checked back again now and found these 3. So, thanks much for the replies. They are all useful. Since then I also found this one titled:

"8 practices to secure your webapp" at sitepoint.com

It doesn't explain how to do it in any depth and is not focused on CI, but it seems like an attempt to cover all the bases.

https://www.sitepoint.com/8-practices-to...r-web-app/
Reply
#6

First thing I would do is to upgrade to the new version of CodeIgniter 3.1.8

That's one way to keep your app secure.
Reply
#7

I just ran across a great article on web app security at this site

It's clear, concise and aimed directly at CI based apps.

or use https://www.monitis.com/blog/codeigniter-security-tips/

This is exactly the type of info I was looking for.
Reply
#8

(05-01-2018, 11:47 AM)codeguy Wrote: I just ran across a great article on web app security at this site

It's clear, concise and aimed directly at CI based apps.

or use https://www.monitis.com/blog/codeigniter-security-tips/

This is exactly the type of info I was looking for.

That article is total BS.
Reply
#9

(05-01-2018, 01:50 PM)Narf Wrote:
(05-01-2018, 11:47 AM)codeguy Wrote: I just ran across a great article on web app security at this site

It's clear, concise and aimed directly at CI based apps.

or use https://www.monitis.com/blog/codeigniter-security-tips/

This is exactly the type of info I was looking for.

That article is total BS.

This part is my favorite:


Quote:When it comes to storing passwords, the MD5 algorithm should be used to encrypt passwords.
Reply
#10

(05-01-2018, 02:40 PM)skunkbad Wrote:
(05-01-2018, 01:50 PM)Narf Wrote:
(05-01-2018, 11:47 AM)codeguy Wrote: I just ran across a great article on web app security at this site

It's clear, concise and aimed directly at CI based apps.

or use https://www.monitis.com/blog/codeigniter-security-tips/

This is exactly the type of info I was looking for.

That article is total BS.

This part is my favorite:


Quote:When it comes to storing passwords, the MD5 algorithm should be used to encrypt passwords.


But if MD5 is encrypting the passwords, then how do I decrypt it to check if the user's password is correct, or to send the user the password via a forgot-password function in plain text?
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
Reply
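An added example, not from the thread, of what the MD5 advice mocked in the last three posts should have said: passwords are stored with PHP's one-way `password_hash()` (bcrypt by default) and checked with `password_verify()`; nothing is ever decrypted or mailed back, and a forgot-password flow issues a random one-time token whose hash is stored instead. The functions, the `users` table and its `password` column are hypothetical; `password_hash`, `password_verify`, `password_needs_rehash`, `hash_equals` and `random_bytes` are standard PHP (5.5+/5.6+, and 7.0+ for `random_bytes`; the Paragon Initiative linked in post #4 publishes the `random_compat` polyfill for older PHP). The legacy-upgrade path goes slightly beyond the thread: it shows how an app that already has 32-hex-character MD5 rows can migrate them on the user's next successful login.

```php
<?php
// Added example, not part of the thread. Hypothetical helpers for a CI 3 app
// with a `users` table holding a `password` column.

const PW_OPTIONS = array('cost' => 12); // bcrypt work factor; tune for ~100 ms

// One-way hash. The algorithm and cost are embedded in the result, so the
// column can hold bcrypt now and a future default later without a schema change.
function store_password_hash($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT, PW_OPTIONS);
}

function check_password($plain, $stored_hash)
{
    // Constant-time comparison inside; never compare hashes with == yourself.
    return password_verify($plain, $stored_hash);
}

// Login that also retires legacy MD5 rows (32 hex chars, unsalted) on first use.
// $db is CI's $this->db (Query Builder); returns TRUE on a successful login.
function login_and_upgrade($db, $user_id, $plain, $stored)
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row: verify once against md5, then replace it with a real hash.
        if (!hash_equals($stored, md5($plain))) {
            return FALSE;
        }
        $db->where('id', $user_id)->update('users', array('password' => store_password_hash($plain)));
        return TRUE;
    }
    if (!check_password($plain, $stored)) {
        return FALSE;
    }
    // Transparently re-hash when the cost or algorithm has been raised.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, PW_OPTIONS)) {
        $db->where('id', $user_id)->update('users', array('password' => store_password_hash($plain)));
    }
    return TRUE;
}

// Forgot password: the password cannot be recovered from a hash, and must not be.
// E-mail a random single-use token; store only its SHA-256 and an expiry.
function issue_reset_token()
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars, goes into the e-mail link
    return array(
        'token'   => $token,                  // send to the user
        'stored'  => hash('sha256', $token),  // write to the db
        'expires' => time() + 3600,           // one hour
    );
}

function reset_token_valid($presented, $stored_hash, $expires)
{
    return time() < $expires
        && hash_equals($stored_hash, hash('sha256', (string) $presented));
}
```

Two caveats a practitioner would check: `password_hash()` truncates input at 72 bytes for bcrypt, so apply a sane maximum length in form validation rather than silently accepting longer strings, and the reset token must be invalidated after one use (delete the stored hash when the password changes), otherwise the link in an old e-mail keeps working until it expires.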