Benefit of using CI - an honest question
#2

SSL encrypts the connection between the user and the server. This prevents information transmitted over the connection from being intercepted by a third party. For this reason, it is important to use SSL when performing user authentication (to protect their username and password while it is in transit from their browser to your server).

When storing passwords, they should be encrypted. This prevents an attacker from getting a list of username/password combinations if the server is compromised (at least they will have to use some time/resources to crack the passwords).

Filtering and validation needs to be used on all user input, not just registration and login. The potential value of the data which may be available by compromising a site is based primarily on the number of users on the site. Once this hits a certain point, it may be worthwhile to an attacker to register an account if they believe they can get access to a form on the site which will be vulnerable to attack. Registration and login are important simply because they are often targeted by scripted attacks which are not necessarily targeting your site specifically, but are just looking for vulnerable sites in general.

Why is any of this important if you are only storing email addresses, usernames, and passwords? Because people re-use their passwords, no matter how often they are told not to do so. The password they use on your site might even be the same password they use to access the email address stored in your database. Once a list of username/password combinations is extracted from one site, an attacker can try those credentials on any number of other sites (in most cases, they'll probably start with the most obvious and lucrative sites, like webmail and banks).

None of this requires you to use a framework to build your site. SSL is, more or less, just a change in the configuration of the web server and a modification to the protocol on the URLs in your links. The benefit of using a framework or an existing library to handle input filtering/validation (and don't forget to escape the output) and user management/authentication/authorization is that the framework/library is more likely to use code which has been tested, reviewed, and revised for improved security. It is not a guarantee (and CodeIgniter doesn't have a built-in library for much of this functionality), but it is more likely to be the case than when attempting to build similar code yourself.
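An added example (not code from mwhitney's post or from CodeIgniter) of the registration and login handling described above, in plain PHP: input is validated before use, the password is stored only as a salted bcrypt hash via password_hash rather than in any recoverable form, and database access uses bound parameters. The users table, its columns and the $db handle are assumptions.

```php
<?php
// Added example (not from the original post or CodeIgniter): the registration
// and login handling the reply describes, using only PHP's standard library.
// Assumes a PDO handle $db and a hypothetical table users(username, email, password_hash).

// Validate every field before it reaches the database or the page.
function validateRegistration(array $input): array
{
    $errors = [];
    $username = trim((string) ($input['username'] ?? ''));
    $email    = trim((string) ($input['email'] ?? ''));
    $password = (string) ($input['password'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if (strlen($password) < 12) {
        $errors[] = 'password must be at least 12 characters';
    }
    return [$errors, $username, $email, $password];
}

// Store only a salted, slow hash (bcrypt via PASSWORD_DEFAULT), never the password itself.
function registerUser(PDO $db, array $input): array
{
    [$errors, $username, $email, $password] = validateRegistration($input);
    if ($errors) {
        return $errors;
    }
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
    return [];
}

// Login: password_verify reads the salt and cost from the stored hash; the hash is
// all an attacker gets from a dump, and each one must be cracked separately.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}
```

Escaping on output (htmlspecialchars wherever the stored username or email is rendered into HTML) is the remaining step the reply lists and is independent of the code above.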


Messages In This Thread
RE: Benefit of using CI - an honest question - by mwhitney - 02-06-2015, 10:53 AM


