Protecting a CI site
#1

Hi All,

It seems like the protections in CI are pretty good.  From what I can see/read:

Remote execution:  This can be handled with careful crafting of htaccess and the fact that CI files all start with the "no direct script access" code.

SQL injection:  Seems to be handled by the post methods in CI, which filter for this.  Is this correct?

XSS attacks:  There seems to be a built-in filter in CI that takes care of this.

I also see the DB class has escape functions.  

So with all the posts on the web about needing/requiring PDO, it seems like perhaps CI can take care of most all concerns.

What else are people doing?

My plans for our site are:

1) Registrations will be protected so that the same IP can't flood the system with registration requests, i.e. registering too fast.
2) Registrations require a valid email to complete or they automatically delete in 7 days.
3) I plan to use all hints in CI about how to fill data in SQL statements to prevent security holes.
4) MD5 for passwords
etc.

Just wondering what the masses using CI are doing as well to make robust strong sites.

Thanks in advance!
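A sketch of the registration plan in the post above (per-IP throttling, 7-day expiry of unverified accounts, values bound into SQL rather than concatenated), added here as an example and not code from the thread or from CodeIgniter. Plain PHP with PDO and in-memory SQLite stands in for the CI database class so it runs without the framework; the table layout, limits, addresses and timestamp are assumptions, and `password_hash()` is this example's choice for the stored password.

```php
<?php
// Added example, not from the thread: table/column names, limits and sample
// values are constructed. PDO + in-memory SQLite stands in for a real database.
const MAX_PER_IP  = 3;          // registrations allowed per IP (assumed)...
const WINDOW_SECS = 3600;       // ...within this many seconds (assumed)
const VERIFY_SECS = 7 * 86400;  // unverified accounts expire after 7 days

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (email TEXT UNIQUE, pass_hash TEXT,
               ip TEXT, created INTEGER, verified INTEGER DEFAULT 0)');
    return $db;
}

// Returns true when the account was created, false when the IP is throttled.
function register(PDO $db, string $email, string $password, string $ip, int $now): bool {
    // Every value is passed as a bound parameter, never concatenated into SQL.
    $q = $db->prepare('SELECT COUNT(*) FROM users WHERE ip = ? AND created > ?');
    $q->execute([$ip, $now - WINDOW_SECS]);
    if ((int) $q->fetchColumn() >= MAX_PER_IP) {
        return false;
    }
    $ins = $db->prepare('INSERT INTO users (email, pass_hash, ip, created) VALUES (?, ?, ?, ?)');
    // password_hash() salts each password and uses a slow algorithm (bcrypt by default).
    $ins->execute([$email, password_hash($password, PASSWORD_DEFAULT), $ip, $now]);
    return true;
}

// Deletes accounts still unverified after VERIFY_SECS; returns rows removed.
function purge_unverified(PDO $db, int $now): int {
    $del = $db->prepare('DELETE FROM users WHERE verified = 0 AND created < ?');
    $del->execute([$now - VERIFY_SECS]);
    return $del->rowCount();
}

$db = open_db();
$t0 = 1556549580; // constructed timestamp
foreach (['a', 'b', 'c', 'd'] as $i => $name) {
    $ok = register($db, "$name@example.test", 'correct horse', '203.0.113.7', $t0 + $i);
    echo "$name: ", $ok ? 'created' : 'throttled', "\n";
}
// An email containing SQL metacharacters is stored as data, not executed.
register($db, "x'); DROP TABLE users;--@example.test", 'pw', '198.51.100.9', $t0);
echo 'purged after 8 days: ', purge_unverified($db, $t0 + 8 * 86400), "\n";
```

In a deployment the purge would run from a scheduled job, and the client IP would come from the server's connection data rather than a client-supplied header.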


Messages In This Thread
Protecting a CI site - by MarkWS7M - 04-29-2019, 02:53 PM
RE: Protecting a CI site - by InsiteFX - 04-29-2019, 04:12 PM
RE: Protecting a CI site - by Avega Soft - 04-29-2019, 08:43 PM
RE: Protecting a CI site - by michael.j - 05-03-2019, 02:23 AM


