CodeIgniter Forums
The weakest points of CI in terms of security? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: The weakest points of CI in terms of security? (/thread-53489.html)



The weakest points of CI in terms of security? - El Forum - 07-26-2012

[eluser]term25[/eluser]
OK, I have moved appplication and system folder out of the root one level up, so it is not publically accessible. Assets stuff stay in root, because it is not a problem in my case, just bunch of css and images, nothing important.

Then I have used trim and xss_clean on all forms validation elements (inputs, select, textareas...)

My only worry (that I am aware of) is the controller part.

how can I be sure that e.g. if I have a controller called users

and there are methods to add, delete, edit etc.. Is the check that user is logged in and has a certain permission as an admin role to do such thing enough or is it possible to do it no matter if there is a check at the top of the controller for access only via admin?

What is your opinion? Is the parent check in controller if user is admin enough?

Can you recommend some good reading about CI security or a book specific to CI security?




The weakest points of CI in terms of security? - El Forum - 07-26-2012

[eluser]pickupman[/eluser]
Your questions aren't related to CI only, as these are security concerns for any web applications or programming languages. The benefit of CI, allows you to not having to recode the libraries or functions every time you start a project. Using CSFR would be another feature already CI that can improve security by not allowing outside users/bots/bad people submitting your urls. I am personally a fan of extending my controllers from base classes/custom MY_Controller (see signature). This allows you to create controllers that their constructs will check permissions for you automatically.

Another concept is obscuring the user id and/or not using it in the URIs. You can use a offset to obscure the user id. (Example: Multiple the user id by 3) Keep session information in the database, so cookies can not be manipulated. Just be sure to make sure that the user id/CSFR token/(user id in session) all are valid.


The weakest points of CI in terms of security? - El Forum - 07-26-2012

[eluser]term25[/eluser]
Thanks a lot I really appreciate your reply. A lot of useful info and knowledge, thanks.