Preventing SQL Injection Attacks using Active Record
#3

[eluser]RaGe10940[/eluser]
Going off what was said earlier,

you should be doing the following :

1) Always sanitize your data. Most people will tell you to use xss_clean, but in my opinion you should stray away from that. I would rather suggest that you use PHP's native functions:

http://www.php.net/manual/en/book.filter.php

Keep in mind, though, that the CI Validation is great, so there is no need to use the PHP native validation functions.

But in general I would use the PHP sanitization functions.

2) The CSRF for CI is pretty good if you ask me... (update the token regularly, probably around 7200 seconds - 2 hours). You can also use captcha...

3) Use PDO ... PLEASE....

http://ellislab.com/forums/viewthread/218455/

and

http://php.net/manual/en/book.pdo.php

4) For some reason CI doesn't mention this, but there are two steps to fighting off XSS.. first it's input validation -> filter input -> escape output...

For some reason CI (again, idk why) uses a blacklist approach (which is arguably bad - not going to go in depth, use Google) and doesn't escape data.

Using
Code:
htmlspecialchars($yourvariable, ENT_QUOTES, 'UTF-8');
can go a long way!

And sorry to hear about your SQL-Injection...

For more reading on PDO in CI,

go to ci/system/database/drivers/pdo_driver.php

and set these variables:

Code:
function db_connect()
{
  // The array keys must be the PDO::ATTR_* constants themselves. String keys
  // such as 'PDO::ATTR_ERRMODE' are ignored by the PDO constructor, so the
  // settings below would silently not apply.
  $this->options[PDO::ATTR_ERRMODE] = PDO::ERRMODE_EXCEPTION;   // throw on database errors instead of failing silently
  $this->options[PDO::ATTR_EMULATE_PREPARES] = FALSE;            // use the server's native prepared statements
  return new PDO($this->hostname, $this->username, $this->password, $this->options);
}

These are found around line 94; the emulate prepares will add another layer of database abstraction.

Also make sure to explicitly state a char_set. There are SQLi attacks that take advantage of even PDO because they use different char_sets.. you must explicitly state your char_set *you're stating probably utf-8, which is good!*
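As an added example (not code from the original post or from CodeIgniter), here is the same setup applied to a plain PDO connection outside the CI driver: explicit charset in the DSN, native prepared statements, exceptions on error, native filter functions on input and htmlspecialchars on output. It assumes a MySQL database; the host, database name, credentials and the users table are placeholders.

```php
<?php
// Added example, not code from the original post or CodeIgniter.
// Host, database name, credentials and the `users` table are placeholders.

function connect(): PDO
{
    // State the charset explicitly in the DSN so client and server agree on
    // the encoding that escaping and prepared statements rely on.
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';

    // Keys must be the PDO::ATTR_* constants, not strings naming them.
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: values never enter the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    return new PDO($dsn, 'app_user', 'app_password', $options);
}

function findUserByName(PDO $db, string $name): ?array
{
    // The SQL text is fixed; the user-supplied value travels as a bound parameter.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Escape at the point of output, using the same charset as the database.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Input: validate with PHP's native filter functions (letters, spaces, dots,
// apostrophes and hyphens, so a name like O'Brien is accepted; the quote is
// handled safely by the bound parameter and by ENT_QUOTES on output).
$name = filter_input(INPUT_GET, 'name', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[\p{L} .\'-]{1,64}$/u']]);
if ($name === null || $name === false) {
    http_response_code(400);
    exit('invalid name');
}

$user = findUserByName(connect(), $name);
echo $user === null
    ? 'No user named ' . h($name)
    : 'Hello, ' . h($user['name']) . ' (id ' . (int) $user['id'] . ')';
```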


Messages In This Thread
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-10-2013, 02:24 PM
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-11-2013, 08:21 PM
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-12-2013, 08:11 AM
Preventing SQL Injection Attacks using Active Record - by El Forum - 05-14-2013, 06:45 PM
