Good Validation Practice and Security
#1

[eluser]porangi[/eluser]
Hi,

Still loving codeigniter and almost about to release my first fully fledged application (Multi-lingual member-only streaming media service) written in it. The trouble with all learning is that at the end of one journey you suffer from hindsight and the what-ifs of if I could do it all over again but I guess that's life.

Anyway, I'm paranoid about it being secure, nothing is more embarrassing than unhappy clients asking why their site now says 'Turkish Hacker' (or similar, I'm not picking on people from Turkey, just that was the source of my last unfortunate Joomla experience - disabled 3rd party plugin left installed with a big fat security hole.)

So I have two questions:

1) Do other people bother to validate hidden id fields when updating records? I am using a validation config array, but then if validation fails I could be returning to an update form with an invalid id that I can't use - arghhhh, confusion!

2) What security scanners do people try on their sites? I've used Websecurify, which seems to work OK, and I've also tried skipfish but get more errors than I can handle.

Anyway, if anyone has experience in this area or even opinions they would like to share I'd be grateful.

Happy Days

Chris
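For the hidden-id question, here is an added example (not code from the thread or from CodeIgniter itself) of one way to validate the hidden id on an update form: the id the form may touch is taken from the URI, the posted hidden copy must match it and exist, and on failure the form is re-rendered with the URI id rather than the posted value. The controller, the Member_model and its exists()/update() methods are assumed for illustration; the form_validation rules and callback mechanism are standard CodeIgniter 2.x.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Hypothetical controller (constructed for this example). Assumes a
// Member_model with exists($id) and update($id, $data) methods.
class Members extends CI_Controller {

    public function update($id = NULL)
    {
        $this->load->library('form_validation');
        $this->load->model('member_model');

        // The hidden field is attacker-controlled: require it to be a positive
        // integer, to match the id in the URI, and to reference a real record.
        $rules = array(
            array('field' => 'id', 'label' => 'Record ID',
                  'rules' => 'required|integer|greater_than[0]'
                            .'|callback_id_matches['.(int) $id.']|callback_id_exists'),
            array('field' => 'title', 'label' => 'Title',
                  'rules' => 'required|max_length[120]'),
        );
        $this->form_validation->set_rules($rules);

        if ($this->form_validation->run() === FALSE)
        {
            // Re-render with the id from the URI, never the rejected posted one.
            $data['id'] = (int) $id;
            return $this->load->view('member_form', $data);
        }

        // Ownership/authorisation of $id for the logged-in user is a separate
        // check that belongs here as well (omitted for brevity).
        $this->member_model->update((int) $id, array(
            'title' => $this->input->post('title'),
        ));
        redirect('members/view/'.(int) $id);
    }

    // Callback: posted hidden id must equal the id in the URI segment.
    public function id_matches($posted, $uri_id)
    {
        if ((int) $posted === (int) $uri_id) return TRUE;
        $this->form_validation->set_message('id_matches', 'The %s does not match the request.');
        return FALSE;
    }

    // Callback: posted id must reference an existing record.
    public function id_exists($posted)
    {
        if ($this->member_model->exists((int) $posted)) return TRUE;
        $this->form_validation->set_message('id_exists', 'The %s does not exist.');
        return FALSE;
    }
}
```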
#2

[eluser]InsiteFX[/eluser]
If your index.php was hacked, you should make sure that its chmod setting is 644.

Here is one thing I do!

Correct chmod Permissions:

Permissions for world-readable (but not world-writable) folders are 755 (rwxr-xr-x).

Permissions for world-readable files are 644 (rw-r--r--).

There are only two situations where world needs write access (777 / 666),
and both only apply if your server is configured with PHP as an Apache module:

A folder needs 777 permissions if PHP needs to
a) dynamically create new files in it, or
b) delete existing files from it.

A file needs 666 permissions if PHP needs to
a) open the file and write data into it, or
b) copy another file to the directory entry currently occupied by this file.

As far as security scanners I am not sure what others are using!

1)
One big mistake I see users making is this:
In all classes, models and libraries this should be at the top, not just <?php!
Code:
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

2)
All directories and sub-directories should contain a copy of the CodeIgniter index.html file!

InsiteFX



