Securing my first CI website
#1

[eluser]DumpProgrammer[/eluser]
I am almost finished with my website and I now need to secure it, because the tutorial I followed did not offer any security information at all and was taking input and storing it directly in the database without any filtering.

I just wanted to know: if I set this to true
Quote:$config['global_xss_filtering'] = TRUE;
does that mean all input is filtered? So if I do that, then all I need to do is take a few additional measures, like making the links to my posts accept only numbers and redirecting users back to the main page?
#2

[eluser]Maglok[/eluser]
User_guide has this to say:

Quote:CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.

So if you can and want to take the performance hit, go for it. :)
#3

[eluser]JoostV[/eluser]
In addition, global_xss_filtering only filters against XSS attacks. There are many more vulnerabilities you should guard your app against: CSRF, SQL injection, session hijacking, PHP code inclusion, etc. Not to mention configuration vulnerabilities such as register_globals = on, which is still the default on some shared hosts.

Google for "PHP security".

And never, ever forget: filter input, escape output. Have fun :)
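Worked example (added here, not posted by anyone in the thread) of what "filter input, escape output" plus the points above look like in a CodeIgniter 2.x app. The controller, table and field names are made up; the CI calls used (form_validation, query bindings, redirect(), show_404(), html_escape(), form_open() and the csrf_protection setting) are the framework's own. The numeric check on the article id and the redirect back to the front page are the measures asked about in the first post; the global XSS switch stays off and the filter is applied per field instead.

```php
<?php
// Added example, not code from this thread. CodeIgniter 2.x assumed.

// application/config/config.php (fragment). Leave the global XSS switch off
// and clean per field; turn on CI's CSRF token, which is then checked on
// every POST and emitted by form_open().
//   $config['global_xss_filtering'] = FALSE;
//   $config['csrf_protection']      = TRUE;

// application/controllers/news.php (hypothetical controller)
class News extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->helper(array('url', 'form'));
    }

    // GET /news/view/42 : the id comes from a link, so treat it as attacker input.
    public function view($id = NULL)
    {
        // Accept digits only; anything else goes back to the front page
        // without ever reaching the database.
        if ( ! ctype_digit((string) $id)) {
            redirect('/');
            return;
        }

        // Query binding: CI escapes each "?" value itself, so $id cannot
        // change the SQL text. No string concatenation into the query.
        $article = $this->db->query(
            'SELECT id, title, body FROM articles WHERE id = ?',
            array((int) $id)
        )->row();
        if (empty($article)) {   // row() gives an empty result when nothing matched
            show_404();
        }

        $comments = $this->db->query(
            'SELECT author, body FROM comments WHERE article_id = ? ORDER BY id',
            array((int) $id)
        )->result();

        $this->load->view('news_view', array('article' => $article, 'comments' => $comments));
    }

    // POST /news/comment/42 : a visitor comment from a plain textarea.
    public function comment($id = NULL)
    {
        if ( ! ctype_digit((string) $id)) {
            redirect('/');
            return;
        }

        // Filter input: the validation rules state exactly what is acceptable.
        $this->load->library('form_validation');
        $this->form_validation->set_rules('author', 'Name', 'required|max_length[60]');
        $this->form_validation->set_rules('body', 'Comment', 'required|max_length[2000]');
        if ($this->form_validation->run() === FALSE) {
            redirect('news/view/' . (int) $id);
            return;
        }

        // Per-field XSS cleaning (second argument TRUE): visitors never need
        // to submit markup, so the filter belongs here, not in config.php.
        $row = array(
            'article_id' => (int) $id,
            'author'     => $this->input->post('author', TRUE),
            'body'       => $this->input->post('body', TRUE),
        );
        $this->db->insert('comments', $row);   // Active Record escapes every value

        redirect('news/view/' . (int) $id);
    }
}

/* application/views/news_view.php (fragment). Escape at output time, whatever
   happened on the way in. The article body is trusted-editor HTML and is
   echoed as stored; visitor-supplied strings are always escaped.

<h1><?php echo html_escape($article->title); ?></h1>
<div class="article"><?php echo $article->body; ?></div>

<?php foreach ($comments as $c): ?>
  <p><b><?php echo html_escape($c->author); ?></b>: <?php echo html_escape($c->body); ?></p>
<?php endforeach; ?>

<?php echo form_open('news/comment/' . $article->id); ?>   <!-- adds the CSRF hidden field -->
  <input type="text" name="author"> <textarea name="body"></textarea>
  <input type="submit" value="Post comment">
</form>
*/
```

Two things to keep in mind when copying this: the view must escape the comment fields even though they were xss_clean'd on the way in, because the filter is an input sanitiser and not an output encoder; and register_globals is a php.ini matter that no framework setting fixes, so check `php -i | grep register_globals` (or phpinfo()) on the host and have it turned off.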
#4

[eluser]DumpProgrammer[/eluser]
Thanks for the help. I just need to know: even if I use xss_clean(myinput), is that still going to affect performance?
#5

[eluser]Jelmer[/eluser]
Every function call you make will affect performance; as the saying goes, there's no such thing as a free lunch.

I would not turn it off globally for another reason though: CI also processes data from my CMS, and from time to time I want to use JavaScript or Flash. XSS filtering will eliminate those from the input of my editing forms, and as such I couldn't add them to my site through any normal means.

Use XSS filtering when you need it. It's visitors, and maybe editors with limited permissions, whose input should be filtered, but admins' shouldn't.
#6

[eluser]DumpProgrammer[/eluser]
Thanks Jelmer. It's a news website, but it will also have a comments section for regular users. For the comments I am not using a WYSIWYG editor, so that's where my main worries were. The other articles will be provided by assigned users, and if I had XSS filtering I think that would affect the TinyMCE that I am using (but I hadn't got to that stage yet, so I didn't try it).
#7

[eluser]Jelmer[/eluser]
There's no problem using TinyMCE when input filtering is switched on. The filter is for the POST/GET/cookie variables (i.e. everything sent to your website by the visitor).

Remember something else as well: using TinyMCE only changes the appearance of a textarea, but behind the scenes it's still just a textarea and you should treat it as such. It's not any more or less dangerous than a normal field, but you should think a little bit more about what you filter it for.

When the TinyMCE-enabled form is used by trusted users I wouldn't filter it for stuff like JavaScript and Flash, because I might want a Flash movie or a JavaScript mouse-over effect.

Bottom line: using XSS filtering only affects what happens with the output of TinyMCE, not what happens with TinyMCE itself.
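Worked example (added here, not posted by anyone in the thread) of the per-role filtering Jelmer describes, for the TinyMCE field: with global_xss_filtering left FALSE, the decision whether to run xss_clean on the submitted HTML is made per request from the user's role. The controller, session key and role names are made up and the session library is assumed to be autoloaded; `$this->input->post($name, $xss_clean)` and `$this->security->xss_clean()` are CodeIgniter 2.x calls.

```php
<?php
// Added example, not code from this thread. CodeIgniter 2.x assumed.

// application/controllers/articles.php (hypothetical controller)
class Articles extends CI_Controller {

    // Roles whose HTML is stored exactly as submitted. Everyone else is filtered.
    private $trusted_roles = array('admin', 'editor');

    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');
    }

    // Hypothetical: the role was put in the session at login.
    private function is_trusted()
    {
        return in_array($this->session->userdata('role'), $this->trusted_roles, TRUE);
    }

    // POST /articles/save : the TinyMCE field arrives as ordinary HTML in an
    // ordinary textarea named "body".
    public function save()
    {
        $trusted = $this->is_trusted();

        // The second argument decides whether xss_clean() runs on this one
        // field: an editor's <script>, <object> or onmouseover survives,
        // a visitor's does not. The title never needs markup, so it is
        // always cleaned.
        $body  = $this->input->post('body', ! $trusted);
        $title = $this->input->post('title', TRUE);

        if ($title === FALSE || $body === FALSE) {
            redirect('articles');
            return;
        }

        $this->db->insert('articles', array('title' => $title, 'body' => $body));
        redirect('articles');
    }

    // POST /articles/preview : the same decision applied to a value that has
    // already been read unfiltered, using the security library directly.
    public function preview()
    {
        $html = $this->input->post('body');          // unfiltered at this point
        if ($html !== FALSE && ! $this->is_trusted()) {
            $html = $this->security->xss_clean($html);
        }
        $this->load->view('articles_preview', array('html' => $html));
    }
}
```

The trade-off to be clear about: whatever a trusted role submits is rendered on the site unfiltered, so an editor or admin account is now a direct stored-XSS path, and the login, session handling and CSRF protection on those accounts carry the weight the filter would otherwise carry for visitors.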
#8

[eluser]jbreitweiser[/eluser]
Also search for OWASP. They have a really good publication about securing web applications. It is not PHP specific, but the document is very good.

http://www.owasp.org/index.php/Category:...de_Project

http://www.owasp.org/index.php/Guide_Table_of_Contents
#9

[eluser]DumpProgrammer[/eluser]
Thanks for the help