MY_Form_Validation w/ spam and CSRF protection
#4

[eluser]n0xie[/eluser]
The first thing to acknowledge is that in my experience, most people do destructive things often via GET. This is inherently wrong but you should emphasize this: never do anything destructive via GET, always use POST. I would like to make this point clear since your 'library' only deals with POST data. Your site would still be easily exploitable if you had URLs like http://domain.tld/user/delete/12345 which would delete user 12345. Always keep this in mind when talking about CSRF: most people don't know how it works and assume a 'library' like this will magically protect their site against any form of CSRF attack.

Code:
md5('nonce' . $this->CI->input->ip_address() . microtime());
This has way too low entropy to be effective. If I know what my target's IP is (which I can read with JavaScript) and I know this is the algorithm used to generate the nonce (which would be pretty obvious if it was an open source CI project), I can easily generate a matching nonce since microtime returns the current timestamp. I just have to generate every timestamp for the next minute (since the IP doesn't change) and one of those will most likely generate a match, especially since the field you use always has the name 'nonce'. Basically this gives you about 60 different nonces per minute (1 for each second), which is way too low. Any modern computer takes less than a second to calculate these 60 MD5 hashes.

If you want an effective CSRF protection take a look at the example Controller of Ion Auth where I added a simple nonce implementation in the deactivate method.
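A hardened alternative to the IP+timestamp nonce criticised above, as an added example that is not part of this thread, Ion Auth or CodeIgniter. It is plain PHP with no CI dependency and assumes PHP 7 or later (random_bytes, hash_equals) with native sessions; the field name csrf_token and the handler shown in the trailing comment are assumptions.

```php
<?php
// Added example: a CSRF token drawn from the CSPRNG, bound to the session
// instead of to IP and time, and compared in constant time.

function csrf_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// 32 random bytes = 256 bits of entropy, hex-encoded for the hidden field.
// Contrast: md5('nonce' . ip . microtime()) has ~60 candidates per minute.
function csrf_token(): string
{
    csrf_start_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to embed in every state-changing form.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only for a POST whose token matches the session copy.
// A GET is rejected outright, which closes the /user/delete/12345
// style of link the post warns about.
function csrf_verify(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    csrf_start_session();
    $submitted = $_POST['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if ($submitted === '' || $expected === '') {
        return false;
    }
    // hash_equals prevents leaking the token byte-by-byte through timing.
    return hash_equals($expected, $submitted);
}

// Usage in a destructive handler (assumed delete_user helper):
// if (!csrf_verify()) { http_response_code(403); exit; }
// delete_user($id);
```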

