How robust/(un)safe is CI

[eluser]johnman[/eluser]
I am a new user and i don't want to flame CI since i really like it a lot. But i personally think safety of any framework should be the prime concern so forgive me if i sound blunt. Its just because i want to get some clarity about this subject.

So far i am very impressed with how smooth everything goes with CI, but i am very worried about its robustness and safety. In a very recent topic (http://ellislab.com/forums/viewthread/53203/P0/) someone noted CI is NOT always escaping properly which can be a huge security risk (if i am not mistaken). The reason i am worried is because my assumption that CI was making my web-system safer might be incorrect. Now i believe the biggest security risk is actually CI itself. The escaping bug is very easy to see, even if you just briefly glance at the code, very easy to fix, but it is still in the current release. That makes me wonder how good the quality of the rest of the code is. Has it been reviewed by other professional people? How has it been used and tested ?

The second question is about the callback validation functions. You can use i.e. callback_username_check as a parameter for the validation class. So you need to make the function username_check for checking which is a PUBLIC function and therefore can be called from the browser. Shouldn't this function be private? I know you can fix it by using a double underscore, but this should at least be mentioned in the userguide. I'm not a real php programmer so i might be wrong but currently i come to the conclusion this is actually a design fault. It would be safer to have all functions private unless you explicitly make them public.

I only used CI intensively for a couple of days but if these 2 problems already arise, i am worried about how much more problems i am unaware of. I hope one of the developers can give some clarity about how much of a priority security is to them.
And please don't think this is some sort of rant for not supplying the update we all needed yesterday. I just try to give some context on why i am worried and reluctant to use CI as a framework.

[eluser]Flayra[/eluser]
These problems generally only occur when the DEVELOPER is unaware. For instance, using the callback function you could simply call it 'callback__username_check' and then it would use the method '_username_check' which is not publically available. Another option is to simply use PHP and call it private, but then it simply returns an error instead of a 404.

For most uses, CI is as (un)safe as programming PHP from scratch, except it speeds up development a lot.

[eluser]johnman[/eluser]
Thats true, but i was just following the user guide and at first didn't realize i was making my functions public. As a developer i should know my tools, but as a framework you guys can make it the developers a little easier sometimes . Anyway, i think would let the callback function call a underscored function by default, however this will brake compatibility with older versions.

[eluser]kgill[/eluser]
Just a quick addition here regarding validation callback functions - yes they're public but how is that a security risk?

An attacker can manipulate the URL to call one but they gain nothing by it. The function returns a boolean, that value is not viewable unless you did something silly like echo it out. So at most they can pass some value to your callback and get a blank page back. The value returned by the function is only useful to other PHP code executing it and if the attacker has the ability to execute code on your server a callback function is the least of your worries at that point. The only possible problem is someone not putting the proper checks on the input to the callback and just executing a call to the database with it, in which case it comes back to what Flayra said, that's a problem with the developer and not the framework.

- K

[eluser]johnman[/eluser]
The public validity check functions are not a safety issue on its own. With normal code that is not a really big risk. Still i think its better (in general) to hide everything to the users as much as possible. Security can't never be good enough. Together with other issues/bad coding it can form a risk.

But i also started this thread to see if there are any other pitfalls to the novice user. I just stumbled on these 2 so maybe there are some other things also.

Don't get me wrong, i REALLY like CI and i am glad i started with this framework . It makes me develop better and more efficiently.