Protecting a CI site
#1

Hi All,

It seems like the protections in CI are pretty good.  From what I can see/read:

Remote execution: This can be handled with careful crafting of .htaccess and the fact that CI files all start with the "no direct script access" code.

SQL injection:  Seems to be handled by the post methods in CI which filters for this.  Is this correct?

XSS attacks: There seems to be a built-in filter in CI that takes care of this.

I also see the DB class has escape functions.  

So for all the posts on the web about needing/requiring PDO, it seems like perhaps CI can take care of almost all concerns.

What else are people doing?

My plans for our site are:

1) Registrations will be protected so that the same IP can't flood the system with registration requests, i.e. registering too fast.
2) Registrations require a valid email to complete or they automatically delete in 7 days.
3) I plan to use all hints in CI about how to fill data in SQL statements to prevent security holes
4) MD5 for passwords
etc.

Just wondering what the masses using CI are doing as well to make robust strong sites.

Thanks in advance!
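Two of the items in that list (feeding values into SQL safely, and throttling registrations per IP) are shown below as an added CodeIgniter 3 example; it is not code from the thread or from the CodeIgniter project. The model name, the `users`/`registrations` tables and their columns, and the rate-limit threshold are assumptions. Note that `$this->input->post()` does not escape values for SQL; what protects the query is the binding or Query Builder call that the value is passed through.

```php
<?php
// Added example (not from the thread): a CodeIgniter 3 model showing the same lookup
// built unsafely and safely, plus a per-IP registration throttle.
// Assumed tables: users(id, email, password_hash), registrations(ip_address, created_at).
// "User_model" and the method names are hypothetical.
class User_model extends CI_Model
{
    // UNSAFE: untrusted input concatenated straight into the statement.
    // CI's input class does nothing to make this safe against SQL injection.
    public function find_by_email_unsafe($email)
    {
        $sql = "SELECT id, email, password_hash FROM users WHERE email = '" . $email . "'";
        return $this->db->query($sql)->row();
    }

    // SAFE: query bindings. Each "?" is replaced by the value escaped for the active driver.
    public function find_by_email($email)
    {
        $sql = "SELECT id, email, password_hash FROM users WHERE email = ?";
        return $this->db->query($sql, array($email))->row();
    }

    // SAFE: the same query through Query Builder, which escapes values itself.
    public function find_by_email_qb($email)
    {
        return $this->db->select('id, email, password_hash')
                        ->where('email', $email)
                        ->get('users')
                        ->row();
    }

    // Plan item 1: refuse a registration when one IP has registered too often recently.
    // $max and $window_seconds are illustrative thresholds; tune them for the site.
    public function registration_rate_exceeded($ip, $max = 3, $window_seconds = 600)
    {
        $since = date('Y-m-d H:i:s', time() - $window_seconds);
        $count = $this->db->where('ip_address', $ip)
                          ->where('created_at >=', $since)
                          ->count_all_results('registrations');
        return $count >= $max;
    }
}
```

In a controller, call `registration_rate_exceeded($this->input->ip_address())` before inserting the registration row, and use only the bound or Query Builder lookups; the unsafe method is shown purely so the difference is visible side by side.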
#2

Use https://

Secure Socket Layer.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#3

(This post was last modified: 04-29-2019, 08:44 PM by Avega Soft.)

(04-29-2019, 02:53 PM)MarkWS7M Wrote: Hi All,

It seems like the protections in CI are pretty good.  From what I can see/read:

Remote execution: This can be handled with careful crafting of .htaccess and the fact that CI files all start with the "no direct script access" code.

SQL injection:  Seems to be handled by the post methods in CI which filters for this.  Is this correct?

XSS attacks: There seems to be a built-in filter in CI that takes care of this.

I also see the DB class has escape functions.  

So for all the posts on the web about needing/requiring PDO, it seems like perhaps CI can take care of almost all concerns.

What else are people doing?

My plans for our site are:

1) Registrations will be protected so that the same IP can't flood the system with registration requests, i.e. registering too fast.
2) Registrations require a valid email to complete or they automatically delete in 7 days.
3) I plan to use all hints in CI about how to fill data in SQL statements to prevent security holes
4) MD5 for passwords
etc.

Just wondering what the masses using CI are doing as well to make robust strong sites.

Thanks in advance!


Don't use MD5 for hashing the password. Use the special PHP functions password_hash and password_verify for that.
#4

Yeah - don't use md5. You should go with bcrypt or argon2 as they provide more options to hash passwords. For example cost(10) is the standard cost for hashing passwords with bcrypt. Higher values result in stronger hashes but need more hardware power. I currently use bcrypt with cost of 14. Same for the Argon2 algorithm, which provides options for "memory_cost", "time_cost" and "threads".
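Putting posts #3 and #4 together, here is an added example (not code from the thread or from CodeIgniter) of password handling with PHP's built-in `password_hash` / `password_verify` / `password_needs_rehash`. The bcrypt cost of 14 is the value given in post #4; the Argon2 parameters and the function names are assumptions, and the Argon2 branch only runs on a PHP build that defines `PASSWORD_ARGON2ID`.

```php
<?php
// Added example (not from the thread): password hashing and verification with PHP's
// native API, as posts #3 and #4 recommend. Function names are hypothetical.

function password_options()
{
    // Prefer Argon2id where the PHP build supports it (PHP >= 7.3 built with Argon2).
    // memory_cost is in KiB (65536 = 64 MiB); these values are illustrative and must
    // be sized to the server. threads is kept at 1 for portability across builds.
    if (defined('PASSWORD_ARGON2ID')) {
        return array(
            'algo'    => PASSWORD_ARGON2ID,
            'options' => array('memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1),
        );
    }
    // Fallback: bcrypt with the cost used in post #4. Cost 14 is deliberately slow
    // (on the order of a second per hash on common hardware); measure before adopting.
    return array('algo' => PASSWORD_BCRYPT, 'options' => array('cost' => 14));
}

// Returns the string to store. It embeds the algorithm, its parameters and a random
// salt, so no separate salt column is needed and no MD5 is involved anywhere.
function hash_password($plain)
{
    $o = password_options();
    return password_hash($plain, $o['algo'], $o['options']);
}

// Verifies a login attempt. Returns null when the password is wrong; otherwise returns
// the hash to keep in the database: the stored one, or a fresh one when the stored hash
// was made with older or weaker parameters (e.g. a legacy bcrypt cost of 10), so
// existing accounts migrate transparently on their next successful login.
function check_password($plain, $stored_hash)
{
    if (!password_verify($plain, $stored_hash)) {
        return null;
    }
    $o = password_options();
    if (password_needs_rehash($stored_hash, $o['algo'], $o['options'])) {
        return password_hash($plain, $o['algo'], $o['options']);
    }
    return $stored_hash;
}

// Usage with constructed values.
$hash = hash_password('correct horse battery staple');
var_dump(check_password('wrong password', $hash) === null);                // bool(true)
var_dump(check_password('correct horse battery staple', $hash) !== null);  // bool(true)
```

Store whatever `check_password` returns back into the user's row when it differs from the stored value; that is the whole migration path from a weaker parameter set, and it also covers the case where the server is later moved from bcrypt to Argon2id.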