Security Issues (input and output)

The following is a good place to start, with some links to other solid guides to security in PHP projects:
http://www.phptherightway.com/#security

For CI-specific information, the user guide is a good resource/reference, but doesn't provide a lot of specifics on securing your site/application.

I would recommend enabling CSRF protection. If you plan to use AJAX on your site, you'll probably need to use `$this->security->get_csrf_token_name()` and `$this->security->get_csrf_hash()` to pass the necessary token/hash to your client-side code. More often than not, people encounter CSRF errors when they implement AJAX code on their site and simply disable the feature, rather than figuring out how to get it to work.

Use `xss_clean()` only when outputting data via HTML. Do not save the output of `xss_clean()` to your database or other data store (except, possibly, for short-term output caching). Do not use `xss_clean()` when outputting data in JSON, URLs, etc. `xss_clean()` should never be used as a validation rule or otherwise in processing input from a form (e.g. `xss_clean($this->input->post('example'))` should never happen).

HTML Purifier is a good alternative to `xss_clean()`.

`html_escape()` is a CI-specific shortcut to `htmlspecialchars()` which sets some sane defaults, including using the character set configured for the site.

When it comes down to when and where to use each of the available functions, it's going to be highly dependent on context and the data you're dealing with. It's a huge subject, which is why I linked to other sources for that information.

Something to remember when reading about application security is that input is not just data supplied by the user in a form or URL. Input is also the data you retrieve from your database, receive from an API, or even from another part of your application in some circumstances. The same applies to output. Output is data you write to the database, text you place into an HTML page, an email, a JSON object, or you pass to another part of your application in a function call. It's far too common for people to limit their vision of input and output, leading to applying techniques in the wrong place, or incorrectly assuming that data is secure.
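The points made in the post above (passing the CSRF token to AJAX code instead of disabling the feature, escaping with `html_escape()` only at HTML output, using `json_encode()` for JSON output, and keeping `xss_clean()` away from input and storage) put together in one CodeIgniter 3 controller. This is an added example, not code from the post or from the CodeIgniter project. It assumes `$config['csrf_protection'] = TRUE` in config/config.php, that the database library is autoloaded, and a hypothetical `notes` table with a `text` column; the `Notes` controller and its routes are likewise made up for the example.

```php
<?php
// Added example, not code from the forum post or the CodeIgniter project.
// Assumptions: csrf_protection enabled in config/config.php, the database
// library autoloaded, and a hypothetical `notes` table with a `text` column.
defined('BASEPATH') OR exit('No direct script access allowed');

class Notes extends CI_Controller
{
    // GET /notes: a page that hands the CSRF token name and hash to
    // client-side code through <meta> tags, then posts a note with fetch().
    public function index()
    {
        $this->load->helper('url');

        // Escape even CI-generated values: they land in an HTML attribute.
        $token_name = html_escape($this->security->get_csrf_token_name());
        $token_hash = html_escape($this->security->get_csrf_hash());
        $save_url   = html_escape(site_url('notes/save'));

        echo <<<HTML
<!doctype html>
<meta charset="utf-8">
<meta name="csrf-name" content="{$token_name}">
<meta name="csrf-hash" content="{$token_hash}">
<textarea id="note"></textarea>
<button id="save">Save</button>
<script>
(function () {
  var nameMeta = document.querySelector('meta[name="csrf-name"]');
  var hashMeta = document.querySelector('meta[name="csrf-hash"]');
  document.getElementById('save').addEventListener('click', function () {
    var body = new URLSearchParams();
    // CI3's csrf_verify() looks for the token as a POST field named after
    // csrf_token_name, so the AJAX request must carry it in the body.
    body.append(nameMeta.content, hashMeta.content);
    body.append('text', document.getElementById('note').value);
    fetch('{$save_url}', { method: 'POST', body: body, credentials: 'same-origin' })
      .then(function (r) { return r.json(); })
      .then(function (data) {
        // With csrf_regenerate = TRUE (the default) the hash changes on every
        // request; the server returns the fresh one for the next call.
        if (data.csrf_hash) { hashMeta.content = data.csrf_hash; }
      });
  });
})();
</script>
HTML;
    }

    // POST /notes/save: CSRF has already been verified by CI_Security before
    // this method runs. Input is validated, never passed through xss_clean().
    public function save()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('text', 'Note', 'required|max_length[500]');

        if ($this->form_validation->run() === FALSE) {
            return $this->json(['ok' => FALSE, 'errors' => $this->form_validation->error_array()], 422);
        }

        // Second argument left at FALSE on purpose: store the raw text.
        $text = $this->input->post('text');
        // Query Builder escapes values for SQL; that is the right place for it.
        $this->db->insert('notes', ['text' => $text]);

        $this->json(['ok' => TRUE, 'csrf_hash' => $this->security->get_csrf_hash()]);
    }

    // GET /notes/show: stored text is raw, so escape at the point of HTML output.
    public function show()
    {
        echo '<ul>';
        foreach ($this->db->get('notes')->result_array() as $note) {
            echo '<li>' . html_escape($note['text']) . '</li>';
        }
        echo '</ul>';
    }

    // JSON output uses json_encode(), not xss_clean(). The JSON_HEX_* flags
    // keep the payload safe if it is ever inlined into a <script> block.
    private function json(array $payload, $status = 200)
    {
        $this->output
            ->set_status_header($status)
            ->set_content_type('application/json')
            ->set_output(json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));
    }
}
```

The same string is handled three ways depending on where it goes: escaped for SQL by Query Builder on the way into the database, escaped with `html_escape()` when it is placed into HTML, and encoded with `json_encode()` when it is returned to the AJAX caller. None of those steps changes what is stored, which is what keeps the data usable in a fourth context (an email, a CSV export) later on.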


Messages In This Thread
RE: Security Issues (input and output) - by mwhitney - 04-26-2016, 09:55 AM