CodeIgniter Forums
Can i use this Ci Starter. Is it safe? - Printable Version



Can i use this Ci Starter. Is it safe? - Vimal - 03-04-2015

It seems better for me.
But I have doubts about it.
Like, so many libraries are included there. Is that good? What if I don't need some of them? :)
Can I update directly to a new version of CI?
Is there a chance it will break my code??? :)

Library is
https://github.com/ivantcholakov/starter-public-edition-4/


RE: Can i use this Ci Starter. Is it safe? - Avenirer - 03-04-2015

As far as I know, Ivan Tcholakov does good work with that starter.


RE: Can i use this Ci Starter. Is it safe? - Vimal - 03-05-2015

Yep, absolutely :) more than good :)


RE: Can i use this Ci Starter. Is it safe? - ivantcholakov - 03-05-2015

@Vimal

I am running a small business using this starter, so I am doing my best. Yes, there is much third-party stuff bundled, but anyway, if you are going to do something not quite simple, you would be forced to collect the additional stuff alone. I want everything I need out-of-the-box, this is how I see the benefit of this starter.

When the official release of CodeIgniter 3 is out I will make a stable release almost immediately. If you pick the last release candidate it would be good enough for starting a project.


RE: Can i use this Ci Starter. Is it safe? - Vimal - 03-05-2015

@ivantcholakov
Thanks for creating this amazing library :) It saved me lots of work. You are right about third-party libs. I am just asking: is updating this starter as easy as CodeIgniter? I mean, like overriding the system folder?


RE: Can i use this Ci Starter. Is it safe? - ivantcholakov - 03-05-2015

Yes, I upgrade everywhere gradually, including the CodeIgniter's system folder. Some of the files within the system folder are modified by me.


RE: Can i use this Ci Starter. Is it safe? - Vimal - 03-05-2015

I think modification in the system folder is not a good idea. :)
If you decide to no longer maintain this starter, then it will be a problem for me (maybe).


RE: Can i use this Ci Starter. Is it safe? - ivantcholakov - 03-05-2015

I know, modification of system/ is not a good idea. I am not afraid of it, however; it is not a taboo for me. In future releases I'll minimize the number of my tweaks there, but some modifications will inevitably stay. My priority is the rich set of features and the pro-business orientation; formal rules come in second place.

For example, the possibility of having non-MVC pages is very useful for rewriting sites from plain PHP to CodeIgniter-based code. "Parsers as drivers" is another powerful feature, I suppose it will be implemented by CodeIgniter in the future.

Another feature that is handy for now is support for the old CI 2.x file/class naming convention, to ease the migration of existing code to CI 3. At some next major release I will remove this tweak, when it is no longer necessary.

Of course, you have your right to disagree with my approach, it is ok.

By the way, it is not necessary to follow exactly my code examples that exploit the additional features. No new feature is mandatory; you can write your code in the pure CodeIgniter way, it will work.


RE: Can i use this Ci Starter. Is it safe? - Narf - 03-05-2015

I took a quick look at it, looking for the first security-related thing that I can find ... This is not safe:

https://github.com/ivantcholakov/starter-public-edition-4/blob/74377fb539aa5bab93cf7f816666a2407d5a350c/platform/common/libraries/Password.php

Passwords must be hashed, not encrypted.

Encryption is a two-way process and anybody who may gain access to the encryption key will also have immediate access to all passwords processed by that library. This also means that the website owner has access to all users' passwords in plain-text.
Hashing on the other hand, is a one-way process and using an appropriate algorithm like BCrypt guarantees that the user who supplied the password is the only one who will ever know it.

@ivantcholakov

It seems to me that you took my last criticism towards you way too hard (you've been practically silent on github since) ... it wasn't with bad intentions. So now I want to explicitly say that this now is not with any malice either.

IIRC I've already criticized the GibberishAES library in another thread here ... I don't remember what it was about, but you've obviously not only ignored my comments, but you're also using it in an extremely inappropriate way.
I'm all fine if you just disagree with me on one thing and do it your own way for yourself, but when it comes to security - please, really, if you disagree with me - ask a security expert. What you did here can be a real disaster ... if you're already using this solution, I strongly advise you to replace it immediately.


RE: Can i use this Ci Starter. Is it safe? - ivantcholakov - 03-05-2015

@Narf

First of all, I have nothing against you, your job is incredible. I am silent recently because I am finishing a difficult project.

"Passwords must be hashed, not encrypted." - yes, I know that. I hash the users' passwords. But, for example, I want to store an SMTP password for the site mailer within the database as a setting - it needs to be decrypted before usage. So, the Password library gives both options. I will add some comments within the library so that it is used properly.

About the GibberishAES class (alone) I don't have a disagreement, because I don't know what it is supposed to be about. :-) You were not specific. http://forum.codeigniter.com/thread-53.html
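
Editor's added example (not part of any post above, and not code from the starter or its Password library): the two cases the thread distinguishes, one-way hashing for user passwords and reversible, authenticated encryption for a service secret such as the SMTP password. All function names, the key handling and the sample values are assumptions made for illustration; it uses only PHP's built-in `password_*` and OpenSSL functions.

```php
<?php
// Constructed example: names and sample values are illustrative only.

// User passwords: one-way BCrypt hash; password_hash() salts each hash itself.
function hash_user_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Returns [valid, new hash or null]; a new hash means the stored one
// uses outdated parameters and should be replaced at this login.
function check_user_password(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return [true, $stale ? hash_user_password($plain) : null];
}

// Service secrets that must be recovered (e.g. an SMTP password):
// AES-256-GCM, stored as base64(iv . tag . ciphertext).
function encrypt_setting(string $plain, string $key): string
{
    $iv = random_bytes(12); // fresh nonce for every encryption
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt_setting(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { // 12-byte iv + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) { // wrong key or modified data
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

$key  = random_bytes(32); // constructed; a real key is kept outside the database
$hash = hash_user_password('constructed-user-password');
var_dump(check_user_password('constructed-user-password', $hash)[0]);
var_dump(check_user_password('wrong-guess', $hash)[0]);
var_dump(decrypt_setting(encrypt_setting('constructed-smtp-secret', $key), $key));
```

The hash column never needs a key, so a database leak exposes no recoverable user passwords; the encrypted setting is only as safe as the key, which is why the key must not be stored alongside it.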