Welcome Guest, Not a member yet? Register   Sign In
Benefit of using CI - an honest question
#1

Okay, so I have been working with the tutorials and user guide to learn how to use CI.  I have watched some online tutorials as well.  I understand the methods used, but I am not an expert PHP programmer.  I have used PHP for probably 10 or more years in my small web applications, so I am familiar with PHP.

I am presently working on my company website (small consulting/training company) in which I serve a couple of static pages but I am setting up a test taking section, which will be subscription based and serve pages which will allow a subscriber to register, pay (via paypal), authenticate via e-mail, login, build (configure) their test, take the test, and have the results of the test displayed (to include explanations and links to reference material).

I already have the code working through MAMP using mySQL as my database.  I was reading that I really should put all of this behind https, therefore I should use a FrameWork to build my site as an application.

Since I am not handling payments, nor is my information really private because I am only storing an expiring username, password, and e-mail.  I'm not even intending to store the subscriber's real name or other personal information.

Would it be simpler, and acceptable, to just use good filtering/validation on any text inputs when the subscriber is signing up or logging in?  I guess the other text input area would be any comments via a contact form.

I can pay my hosting service $60 for a year of SSL and put everything behind the SSL, which I don't even know if that is needed. But, how much do I need to worry about other security issues?

CI appears to be the most lightweight FrameWork I have found, so I am sure I can learn it, but I was hoping for an honest opinion from this experienced community as to what direction I should go.

Thank you!

Tom
Reply
#2

SSL encrypts the connection between the user and the server. This prevents information transmitted over the connection from being intercepted by a third party. For this reason, it is important to use SSL when performing user authentication (to protect their username and password while it is in transit from their browser to your server).

When storing passwords, they should be encrypted. This prevents an attacker from getting a list of username/password combinations if the server is compromised (at least they will have to use some time/resources to crack the passwords).

Filtering and validation needs to be used on all user input, not just registration and login. The potential value of the data which may be available by compromising a site is based primarily on the number of users on the site. Once this hits a certain point, it may be worthwhile to an attacker to register an account if they believe they can get access to a form on the site which will be vulnerable to attack. Registration and login are important simply because they are often targeted by scripted attacks which are not necessarily targeting your site specifically, but are just looking for vulnerable sites in general.

Why is any of this important if you are only storing email addresses, usernames, and passwords? Because people re-use their passwords, no matter how often they are told not to do so. The password they use on your site might even be the same password they use to access the email address stored in your database. Once a list of username/password combinations is extracted from one site, an attacker can try those credentials on any number of other sites (in most cases, they'll probably start with the most obvious and lucrative sites, like webmail and banks).

None of this requires you to use a framework to build your site. SSL is, more or less, just a change in the configuration of the web server and a modification to the protocol on the URLs in your links. The benefit of using a framework or an existing library to handle input filtering/validation (and don't forget to escape the output) and user management/authentication/authorization is that the framework/library is more likely to use code which has been tested, reviewed, and revised for improved security. It is not a guarantee (and CodeIgniter doesn't have a built-in library for much of this functionality), but it is more likely to be the case than when attempting to build similar code yourself.
Reply
#3

In my opinion, the amount of security you need is a function of both the probability of attack and the stakes involved. Do you need SSL? Well, what are the chances that someone might intercept a login attempt? Sites like Amazon or Wells Fargo are attractive, but is yours? And what are the consequences of someone unauthorized hacking into one of your users account?

As for encrypting passwords, sure. It's easy to do and doesn't cost anything. But in my experience of running small websites, the main benefit is that you don't know your users' passwords.

A bigger problem is bot-driven brute-force hack attempts, which can be constant if you use something like Word Press. I've had a WP site with a few photochop tutorial articles online for about a year now. It has no ads and doesn't register anywhere traffic wise. I've not once received a real comment, and yet I get 300-500 megabytes of traffic a month just from bots hammering at my wp-login.php page. I'm getting sick of that, so I'm looking for one of the many ways to limit login attempts, but without the cooperation of my host, those bots will still run up the traffic meter even if they dash themselves against a wall. But if you don't run WP and don't name your login page something obvious, you probably won't experience this.

Anyway, nothing about security has to do with whether or not you should use Codeigniter. I think that, once you're over Codeigniter's very low learning curve, it simplifies web development for anything beyond your basic five-page static website. You might also look into a lightweight CMS like Wolf CMS, which is a personal favorite though I'm not involved in its development in any way.
Hey, don't work without a PHP debugger. Several free IDEs have this features built in. Two are NetBeans and CodeLobster. Without a debugger, it's like you're driving with a blindfold on -- you are going to crash!
Reply
#4

(This post was last modified: 02-06-2015, 06:38 PM by Narf. Edit Reason: Fix a link ... I was thinking Markdown :) )

(02-06-2015, 06:24 PM)RobertSF Wrote: In my opinion, the amount of security you need is a function of both the probability of attack and the stakes involved. Do you need SSL? Well, what are the chances that someone might intercept a login attempt? Sites like Amazon or Wells Fargo are attractive, but is yours? And what are the consequences of someone unauthorized hacking into one of your users account?

As for encrypting passwords, sure. It's easy to do and doesn't cost anything. But in my experience of running small websites, the main benefit is that you don't know your users' passwords.

While this seems logical, it is a very dangerous thing to say, especially when giving advice - it's discouraging people to think about security. Especially your second paragraph, it sounds like you're suggesting that storing passwords in plain-text is OK - it is not, period.

It doesn't matter if you're building a teapot or banking software - security is a requirement, not something that you decide to have or not.
Reply
#5

(02-06-2015, 06:36 PM)Narf Wrote: While this seems logical, it is a very dangerous thing to say, especially when giving advice - it's discouraging people to think about security. Especially your second paragraph, it sounds like you're suggesting that storing passwords in plain-text is OK - it is not, period.

It doesn't matter if you're building a teapot or banking software - security is a requirement, not something that you decide to have or not.

If I didn't already know your opinion it would almost sound like you're making an argument for including an authentication library into CI. Smile
Authentication, not authorization.
Reply
#6

If you only need SSL, then you can just keep on keepin' on.  If you want to manage users, it sounds like you know your way around a database, but for keeping track of users I highly recommend you use CodeIgniter.  That was the main selling point for me, and especially now with CodeIgniter 3.x you can have both native and cookie drivers at your disposal.  It is easier to hack a cookie than it is your database, and CodeIgniter has cookies figured out, and I love them for it.  If you use BootPress (a shameless endorsement), then sessions, cookies, and user Authentication are all taken care of for you.  Ultimately, the only reason to use a framework is so that you don't have to code as much, and to make the code you do write more secure and less likely to break.  It is a good honest question you are asking.  I used to do everything my own way, but since using CodeIgniter I will never look back.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB