[eluser]term25[/eluser]
OK,
I have moved the application and system folders out of the root one level up, so they are not publicly accessible. The assets stay in the root, because that is not a problem in my case; it is just a bunch of CSS and images, nothing important.
Then I have used trim and xss_clean on all form validation elements (inputs, selects, textareas...).
My only worry (that I am aware of) is the controller part.
How can I be sure that, e.g., if I have a controller called
users
and there are methods to add, delete, edit, etc., the check that the user is logged in and has a certain permission (an admin role) to do such a thing is enough? Or is it possible to do it regardless of whether there is a check at the top of the controller that allows access only to admins?
What is your opinion? Is the parent check in the controller that the user is an admin enough?
Can you recommend some good reading about CI security, or a book specific to CI security?
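The pattern being asked about, as an added example that is not term25's code: a CodeIgniter 2.x-style controller whose access check sits in the constructor, so every public method routed to it runs the check before its own body. It assumes the session library holds `user_id` and `role` set by a login flow (both key names are assumptions); the role check itself is left as the same simple session comparison the question describes.

```php
<?php
// Added example, not from the original post. Assumed: the login flow stores
// 'user_id' and 'role' in the CI session (key names are assumptions).
class Users extends CI_Controller
{
    public function __construct()
    {
        // Every URL routed to this controller (users/index, users/add,
        // users/delete/7, ...) instantiates the class, so the constructor
        // is the one place that is guaranteed to run before any action.
        parent::__construct();
        $this->load->helper('url');
        $this->load->library('session');
        $this->_require_role('admin');
    }

    // Leading underscore: CI does not route URLs to such methods, so this
    // check cannot be called directly from the browser.
    // redirect() and show_error() both end the request themselves, so no
    // action body runs when the check fails.
    private function _require_role($role)
    {
        if ( ! $this->session->userdata('user_id'))
        {
            redirect('auth/login');
        }
        if ($this->session->userdata('role') !== $role)
        {
            show_error('Forbidden', 403);
        }
    }

    public function index()
    {
        echo 'user list (admin only)';
    }

    public function add()
    {
        echo 'add user form (admin only)';
    }

    public function delete($id)
    {
        // Reached only after the constructor's role check passed.
        echo 'deleted user ' . (int) $id;
    }
}
```

For state-changing actions such as delete, the constructor check only proves who is logged in, not that they meant to send the request; enabling CI's `$config['csrf_protection'] = TRUE;` in config.php and submitting such actions via POST forms covers that separate case.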