Form security
#1

Hey,
I'm quite new to CodeIgniter and am now trying to secure my form against all possible attacks.
This is what my form looks like:

Code:
<?= form_open('auth/registerUser') ?>
    <div class="container">
        <h1>Register</h1>

        <?php
            if (! empty(session()->getFlashData('fail'))) {
        ?>
                <div class="alert">
                    <?= session()->getFlashData('fail') ?>
                </div>
        <?php
            }
        ?>

        <hr>

        <label class="label" for="username"><b>Username</b></label>
        <span class="text-danger"><?= isset($validation) ? '<br>' . display_form_errors($validation, 'username') : '' ?> </span>
        <?= form_input('username', set_value('username'), ['placeholder' => 'Enter username'], 'text') ?>

        <label class="label" for="email"><b>Email</b></label>
        <span class="text-danger"><?= isset($validation) ? '<br>' . display_form_errors($validation, 'email') : '' ?> </span>
        <?= form_input('email', set_value('email'), ['placeholder' => 'Enter email'], 'text') ?>

        <label class="label" for="password"><b>Password</b></label>
        <span class="text-danger"><?= isset($validation) ? '<br>' . display_form_errors($validation, 'password') : '' ?> </span>
        <?php // password fields are not repopulated: set_value() would echo the submitted password back into the HTML ?>
        <?= form_input('password', '', ['placeholder' => 'Enter password'], 'password') ?>

        <label class="label" for="passwordConf"><b>Repeat password</b></label>
        <span class="text-danger"><?= isset($validation) ? '<br>' . display_form_errors($validation, 'passwordConf') : '' ?> </span>
        <?php // type was 'text' in the original, which shows the confirmation password on screen ?>
        <?= form_input('passwordConf', '', ['placeholder' => 'Enter password again'], 'password') ?>
        <hr>

        <p>By registering you agree to our <a href="#">Terms of Use</a>.
        <br>Our Data Policy explains how we collect, use and share your data.</p>

        <button type="submit" class="registerbtn">Register</button>
    </div>

    <div class="container signin">
        <p>Already registered? <a href="<?= base_url('login') ?>">Log in</a>.</p>
    </div>
<?= form_close() ?>


and this is what my PHP code to validate the data looks like:

PHP Code:
public function registerUser()
{
    $validated = $this->validate([
        'username' => [
            'rules'  => 'required',
            'errors' => [
                'required' => 'Please enter your username',
            ],
        ],
        'email' => [
            'rules'  => 'required|valid_email',
            'errors' => [
                'required'    => 'Please enter your email address',
                'valid_email' => 'Please enter a valid email address',
            ],
        ],
        'password' => [
            'rules'  => 'required|min_length[5]',
            'errors' => [
                'required'   => 'Please enter your password',
                'min_length' => 'Your password must be at least 5 characters long',
            ],
        ],
        'passwordConf' => [
            'rules'  => 'required|matches[password]',
            'errors' => [
                'required' => 'Please confirm your password',
                'matches'  => 'Your passwords do not match',
            ],
        ],
    ]);

    if (! $validated) {
        return view('Auth/register', ['validation' => $this->validator]);
    }

    // save user
    $userModel = new UserModel();

    $name         = $this->request->getPost('username');
    $email        = $this->request->getPost('email');
    $password     = $this->request->getPost('password');
    $passwordConf = $this->request->getPost('passwordConf');

    $data = [
        'Username' => $name,
        'Email'    => $email,
        'Password' => Hash::encrypt($password), // Hash is the poster's own helper class
    ];

    $query = $userModel->insert($data);

    // print_r($data);

    if (! $query) {
        return redirect()->back()->with('fail', 'Registration failed');
    }

    return redirect()->to('login');
}



Are there any security issues?
Currently, when I enter a username like `<h1> test </h1>` it gets changed to `&lt;h1&gt; test &lt;/h1&gt;`.
How can I avoid this change without introducing security issues? Or how could I add blacklisted characters?
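The `&lt;h1&gt;` the poster sees is output encoding: CodeIgniter's `set_value()` and `form_input()` HTML-escape the value attribute when the form is re-rendered, which is the behaviour you want to keep. What is missing in the post is input restriction. The following is an added example, not the poster's code, of the same `registerUser()` action with an allowlist username rule (`alpha_dash`) instead of a character blacklist, uniqueness checks, and PHP's built-in `password_hash()` swapped in for the poster's `Hash::encrypt()`. It assumes a stock CodeIgniter 4 app whose `UserModel` writes to a `users` table with `username`, `email` and `password_hash` columns; those names are hypothetical.

```php
<?php
// Added example (not the poster's code). Assumes a CodeIgniter 4 app with a
// UserModel for table `users` having columns username, email, password_hash
// (hypothetical names) and the CSRF filter enabled in app/Config/Filters.php.

namespace App\Controllers;

use App\Models\UserModel;

class Auth extends BaseController
{
    public function registerUser()
    {
        // Allowlist what a username may contain instead of blacklisting characters:
        // alpha_dash = letters, digits, underscore and dash only, so "<h1>" is rejected
        // with a validation message rather than stored.
        $rules = [
            'username' => [
                'rules'  => 'required|alpha_dash|min_length[3]|max_length[30]|is_unique[users.username]',
                'errors' => [
                    'required'   => 'Please enter a username',
                    'alpha_dash' => 'Usernames may only contain letters, digits, "_" and "-"',
                    'is_unique'  => 'That username is already taken',
                ],
            ],
            'email' => [
                'rules' => 'required|valid_email|max_length[254]|is_unique[users.email]',
            ],
            'password' => [
                // 8 is the usual minimum; the upper bound stops multi-megabyte posts
                // from being fed to the deliberately slow password hash.
                'rules' => 'required|min_length[8]|max_length[256]',
            ],
            'passwordConf' => [
                'rules' => 'required|matches[password]',
            ],
        ];

        if (! $this->validate($rules)) {
            // Re-render with the validator; the view prints errors and repopulates
            // username/email via set_value(), which escapes them for HTML.
            return view('Auth/register', ['validation' => $this->validator]);
        }

        // password_hash() (bcrypt by default) is a one-way hash. Never store a
        // reversible "encryption" of a password.
        $data = [
            'username'      => $this->request->getPost('username'),
            'email'         => $this->request->getPost('email'),
            'password_hash' => password_hash($this->request->getPost('password'), PASSWORD_DEFAULT),
        ];

        $userModel = new UserModel();
        if (! $userModel->insert($data)) {
            // withInput() carries username/email back to the form; the passwords are
            // not repopulated by the view, so they are not echoed into the HTML.
            return redirect()->back()->withInput()->with('fail', 'Registration failed');
        }

        return redirect()->to('login');
    }
}
```

On the view side nothing needs to be "unescaped": keep `form_input()` as it is, and pass `''` rather than `set_value('password')` for both password fields so a failed submission never writes the password back into the page source. If display names with spaces or accents are wanted, store a separate display-name field validated with `max_length` and still rendered through `esc()`.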
#2

Please read this in the CodeIgniter Users Guide.

CodeIgniter Users Guide - Build Your First Application

See: the part about Create News Items.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#3

(This post was last modified: 07-28-2022, 01:24 AM by captain-sensible. Edit Reason: wait theres more )

As nobody has answered, I will throw something in:

Code:
<?= $this->extend('layout') ?>
<?= $this->section('content') ?>

<div class="flex2">
<div class="content">
<div class="d-flex justify-content-center">
<?= form_open('contact') ?>
<?= csrf_field() ?>

    <input type="hidden" name="honeypot" value=""/><br>
    <!-- above is hidden field honeypot to filter out bots -->
<div class="form-group">
    <label for="theirName">Name</label>
    <input type="text" name="name" id="theirName" class="form-control"/><br />
</div>
<!-- email, message and submit fields follow -->
<?= form_close() ?>
</div>
</div>
</div>
<?= $this->endSection() ?>


For the term "security", my approach looks at any abuse of the form and likely threats, but with a modicum of a reality check.

I use bootstrap so my form fields start and end with form-group

Let's have a look at my experience with issues:
1) The most prevalent abuse is spam. In my form I only want their name, email (to get back to them) and a brief message. Spammers almost always include a URL link to some product. So in regard to this, I use
Code:
$message = $this->request->getVar('message');


You can also use:
Code:
$cleanName = htmlentities($this->request->getVar('name'));

on the message part. I send all the text into a method parameter to check for "key words" and URLs. If any are found it invokes a redirect to a view containing an audio clip which plays Monty Python's "Spam, Spam".
2) The other possible abuse might be from bots, so there is a bot field in the form.
3) When I ran the OWASP program it mainly came up with CSRF. With a web site that has relatively few hits the risk of attack must be less than for a site with a million or so. I put a CSRF field into the form.

With both honeypot and CSRF you have to enable their use. See docs. I have never experienced any other thing with forms to worry about in reality.


for web dev on local host i've used this before : https://www.zaproxy.org/getting-started/
CMS CI4 A CMS system, runs out of the box written on top of CI4
Arch Book  CodeIgniter4 on Apache(pages 92-114) 
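The two checks captain-sensible describes (an empty hidden honeypot field that only bots fill in, and a URL/keyword scan of the message) are small enough to show end to end. The following is an added example, not captain-sensible's or the CodeIgniter project's code. It is plain PHP so it runs from the command line; the field names `honeypot`, `name` and `message` come from his form, while the blocked-word list, the TLD list in the regex and the sample submissions are constructed for the example.

```php
<?php
// Added example (not the post author's code). Plain PHP with no framework
// dependency; the $samples array below stands in for $this->request->getPost()
// in a CodeIgniter 4 contact controller.

/**
 * Screen a contact-form submission:
 *  1. honeypot: the hidden field is value="" in the real form, so any content
 *     means a script populated every input it found;
 *  2. URL / keyword scan of the free-text message.
 * Returns null when the post looks legitimate, otherwise the reason it was dropped.
 */
function spamReason(array $post, array $blockedWords = ['casino', 'seo services']): ?string
{
    if (($post['honeypot'] ?? '') !== '') {
        return 'honeypot field was filled in';
    }

    $message = (string) ($post['message'] ?? '');

    // Match scheme-prefixed URLs, "www." hosts, and bare domains with a common TLD
    // (the TLD list is a constructed sample; extend it for your own traffic).
    $urlPattern = '~(?:https?://|ftp://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|info|biz|ru|xyz|io)\b~i';
    if (preg_match($urlPattern, $message)) {
        return 'message contains a URL';
    }

    foreach ($blockedWords as $word) {
        if (stripos($message, $word) !== false) {   // case-insensitive substring match
            return "message contains blocked word '{$word}'";
        }
    }

    return null;
}

/**
 * Once a submission passes, keep the raw string for e-mail/DB and escape at the
 * point of output. htmlspecialchars() is the PHP call underneath CodeIgniter's
 * esc() for HTML context; it turns "<b>" into "&lt;b&gt;" instead of rejecting it.
 */
function safeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ---- constructed sample submissions (not real traffic) ----
$samples = [
    'real user'           => ['honeypot' => '', 'name' => 'Ann <b>', 'message' => 'Hi, is the book still available?'],
    'bot filled honeypot' => ['honeypot' => 'http://spam.example', 'name' => 'x', 'message' => 'hello'],
    'link spam'           => ['honeypot' => '', 'name' => 'Bob', 'message' => 'Cheap deals at www.cheap-pills.example now'],
    'bare domain'         => ['honeypot' => '', 'name' => 'Bob', 'message' => 'visit cheap-pills.xyz today'],
    'keyword'             => ['honeypot' => '', 'name' => 'Bob', 'message' => 'Best SEO Services for you'],
];

foreach ($samples as $label => $post) {
    $reason = spamReason($post);
    printf("%-20s -> %s\n", $label,
        $reason ?? 'accepted; name renders as ' . safeForHtml($post['name']));
}
```

Inside a CodeIgniter 4 controller the call is `if (($why = spamReason($this->request->getPost())) !== null) { log_message('info', 'contact spam: ' . $why); return redirect()->to('spam'); }` (hypothetical route name). Two framework facts worth knowing alongside the post: `form_open()` already appends the CSRF hidden field when the CSRF filter is on, so `csrf_field()` is harmless but redundant, and both protections are switched on by listing `'csrf'` and `'honeypot'` in `$globals['before']` in `app/Config/Filters.php`. The bare-domain regex will also flag a genuine "see example.com" in a message; that false-positive rate is the trade-off the post accepts.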



