Questions about security
#1

[eluser]riceman[/eluser]
I am new to this framework - and like to know more.

Does the database integration / API use prepared statements? Or what prevents SQL injection attacks?

Never trust variables from the browser : )

Are there any filter functions to validate or sanitize GET / POST data?

Thank you : )
#2

[eluser]Refringe[/eluser]
Quote:Does the database integration / API use prepared statements. Or what prevents SQL injection attacks?

If you read up and use the Active Record Class properly there should be no way to inject anything into a query, as the parameters are bound, not concatenated to the query.

Quote:Is there any filter functions to validate or sanitize GET / POST data?

There is filtering built into the Input Class which does the job for smaller projects, but if you're working on a really serious project I would recommend dropping in the HTML Purifier class and using that. The filter in the Input Class is fast but less secure, and HTML Purifier is dead slow but super secure. It's a cost benefit trade-off that you as the developer have to make.

It's a great, well thought out framework with a hell of a community. Give it a shot.
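To make the "bound, not concatenated" point concrete, here is an added example (not code from this thread or from CodeIgniter itself). It assumes a hypothetical `users` table with `username` and `email` columns, a loaded database library, and CodeIgniter 2.x-style class names; the Active Record and Input class calls are the framework's real ones.

```php
<?php
// Added example: one controller, three ways to look up a user by a name
// that came from the browser. Assumes a hypothetical "users" table with
// "username" and "email" columns (constructed for this example).
class Users extends CI_Controller {

    // UNSAFE: the browser value is glued straight into the SQL string,
    // so the value can change the structure of the query itself.
    // This is exactly what the first question in the thread asks about.
    public function lookup_unsafe()
    {
        $username = $this->input->post('username');
        $sql = "SELECT email FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->result();
    }

    // SAFE (Active Record): where() escapes/binds the value for you, so it
    // is only ever compared as data and never parsed as SQL.
    public function lookup_safe()
    {
        // Second argument TRUE runs the Input class XSS filter on the value.
        // That is the "fast but less secure" filter mentioned above; it is
        // an output-safety measure and not what stops SQL injection here.
        $username = $this->input->post('username', TRUE);

        $query = $this->db->select('email')
                          ->where('username', $username)
                          ->get('users');
        return $query->result();
    }

    // SAFE (query bindings): same protection on a hand-written statement.
    // Each "?" is replaced with the escaped value by the database driver.
    public function lookup_bound()
    {
        $username = $this->input->post('username', TRUE);
        $sql = "SELECT email FROM users WHERE username = ?";
        return $this->db->query($sql, array($username))->result();
    }
}
```

The first method is the pattern to look for in a code review; the other two are what "using the Active Record Class properly" means in practice.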
#3

[eluser]riceman[/eluser]
Thx, I will get into it then. Yeah, HTML Purifier or KSES (used by WordPress) could do the job - I am about to build an application where security is a high priority. So I will take the lower performance pill.

Have you built a site with a lot of users? What is your experience? Are you constantly changing things due to hacking attempts?

Have you any server down time?
#4

[eluser]Refringe[/eluser]
I've been working with PHP for about 7 years, and CI for just about 2 now. I mostly do client work and the few sites that I have built on the side haven't been very popular. Regardless, to my knowledge, I've never been a victim of a serious injection/hacking attempt.

My Linode server has been up for 162 days--when it was first booted. :)
#5

[eluser]riceman[/eluser]
If you have worked with CI for 2 years and you are still here it can't be all that bad.

I also like the idea of integrating it with Doctrine.

162 days and counting - cool :-)
