[eluser]alboyd[/eluser]
Well that looks like an incredibly long winded way of doing things for a start. But apart from that did you load the security library?
But either way - scrap that!
Starting from the beginning:
1. For your login form, use the form_validation library to validate the user's input but also to xss_clean the input at the same time. Add the xss_clean to the validation rules;
Code:
$this->form_validation->set_rules('username', 'Username', 'required|trim|min_length[6]|max_length[20]|xss_clean');
2. In your model, when you query the login - use query bindings. These have the advantage in that the values are escaped for you. So now you have run the xss_clean filter and escaped your values. I'm a relative newby too but I'm under the impression this is good enough and safe enough to follow these rules.
Code:
function check_login($username, $password) {
$sha1_password = sha1($password);
$query_str = "SELECT user_id, username, name, email, create_date, email_confirmed, user_banned
FROM tbl_user
WHERE username = ?
AND password = ?
AND delete_date is NULL";
$query = $this->db->query($query_str, array($username, $sha1_password));
return $query;
}
I believe you don't really need to query bind the sha1_password because by performing sha1 on the user input you have also made it safe.