[eluser]vincej[/eluser]
Thanks for that.
You are right, I had not previously done enough to secure the site. I scanned the DB, as has my ISP too, and it appears to be clean. I have added SSL, a 2 sec delay on login and strengthened the pw's. I have also tested the site for CSRF weakness with some tools from Security Compass and it came out clean. 90% of the queries are using AR. I'll update the ones that are not.
I was relying on CI for XSS and CSRF. Is that secure enough? I have read that CI's xss_clean is not very effective.
CI's CSRF is giving me major problems with the ubiquitous "an error was detected the action you have requested is not allowed." on a page where I have some AJAX, so I have had to turn it off until I can find a fix. Any ideas on that?
Thanks!