Welcome Guest, Not a member yet? Register   Sign In
Security best practices... sanity check

I'm fairly new to CI and wanted to make sure I'm properly handling security concerns in my application. In line with CI’s recommended best practices, I perform the following before accepting any data into my application

1. Filter the data as if it were tainted.
- I use CI’s Cross Site Scripting filter globally by setting 'global_xss_filtering' to TRUE in the CI config file.

2. Validate the data to ensure it conforms to the correct type, length, size, etc.
- I use CI’s form validation class on all fields on all forms that contain data used to populate the database.

3. Escape the data before submitting it into the database.
- I use CI’s active record class for all database inserts, updates, and deletions. With Active Record, all values are escaped automatically producing safer queries. As for select queries, most are custom and I always escape any variables used in those queries.

Is there anything else I should be doing? Specifically, should I be using any of the functions built into php (ie: htmlspecialchars) to handle security and input data integrity? It seems like these CI functions do the trick, but I’m not sure if there’s something I’m missing.

Hi Amc,
I think you're doing a good job there. I did some reading on StackOverflow that CI's xss filtering is a little bogus. I don't have the URL on hand, but if you search SO for "codeigniter" and "xss" or "cross site scripting" you should find more details.

As a final step, I like to move the "index.php" into another directory in the root. I call it something like "webroot". Then I change references to the "application" and "system" folders inside index.php to "../application/" and "../system". Then set your web server to only serve "webroot". This way no internet user can access your app or system folder by URL. It does away with the need to have that annoying "no direct script access" line at the top of all of your CI scripts.

Best of luck

Thanks for your quick and helpful reply. Though I didn’t mention it in my original post, I have also performed the steps you laid out.

Since we’re talking security, I guess I should mention my approach to CSRF. I am not using CI’s built in CSRF protection. Partially because I discovered it after I already implemented my own, and also because it’s my understanding it doesn’t support multi-form pages (which I have). I also found the documentation light in this area. It explains how to turn it on, but it wasn’t so clear to me how to use it effectively (thought I’m sure with some digging I’d figure it out). Anyway, I implemented my own by generating a random hash, storing it to both a session variable and post variable then comparing the two on the page receiving the submit. I think this is a pretty standard way to do it.

Lastly, I use Tank_Auth for handling authentication Tank_auth

I think that covers it.

Theme © iAndrew 2016 - Forum software by © MyBB