Skip to main content

Posts

Web Security & Best Practices

Web Security & Best Practices How do you secure your home? By installing locks, only giving your house keys to your family members, making sure the fence is high enough, installing CCTVs, and probably a lot more that I don’t know about. But what about your web application? Is your app secure? How do you even know if it’s secured? How can a person hack an application? In this post I will be sharing about web application security and the best practices. There are a few common exploits a hacker can use against you. Common Exploits SQL Injection Let's start with something basic that you may have heard about. SQL injection prey on applications where a user can affect an SQL query directly. Say you have a table list with a search on top, and you developed this on vanilla PHP with no framework and no input sanitization. Chances are, a user can input an SQL script into the search bar and have direct access to your database. Try this and see:
 ; DROP TABLE users; If the users table is d...
Post a Comment
Read more
Recent posts

MVC vs HMVC vs HAVC

MVC (Model-View-Controller) The most-common, traditional approach where files are grouped by type . CodeIgniter 3 uses MVC. Characteristics: Centralized folders for all Controllers, Models, and Views. Best For: Small to medium-sized projects. Pros: Very simple to set up. You literally can't mess this up. Cons: Might become serabut as the project grows. Still usable though. Directory Example: HMVC (Hierarchical Model-View-Controller) An evolution of MVC. Further organizes files into modules . Characteristics: Each feature has its own folder containing its own MVC structure. Best For: Medium to large-scale projects. Pros: Much cleaner folder structure. Can easily be moved or reused in other projects. HAVC (Hierarchical Asset-View-Controller) A specialized variation of HMVC, popularized by the Trongate framework. Characteristics: Replaces the "Model" folder with an " Asset " folder. Structure: Everything specific to a module, including models, CSS, Java...
Post a Comment
Read more

Fast MySQL Script

Importing large databases sucks. It can take anywhere from as short as 10 min to a few hours. Worse is when it fails mid-import. So here is a faster & more reliable way to import. Disclaimer: This tutorial is only for macOS users. If you’re on windows, good luck. This script can import a 30gb database in under 40min, tested on Macbook M1. Prerequisites: Must use MAMP. Must have Homebrew installed. Install these using Brew brew install pv brew install pigz What it does, in steps: 3 arguments: gzipped SQL file, database name, MySQL user (defaults to root) Disables safety temporarily. Turns off foreign key checks, unique checks, binary logging. Cranks up InnoDB settings. Bigger buffer pool, less aggressive flushing to disk. Decompresses & imports. Uses the faster parallel gunzip (pigz) if available, otherwise falls back to regular gunzip. The pv command shows progress. Restores safety when done. Placing the fast import script Download the file from my GitLab fast_mysql_import.sh ...
Post a Comment
Read more

Security for CodeIgniter 3

Input Validation & Sanitisation Always use CI3's Form Validation library before processing any user input. Never use $_GET , $_POST , or $_REQUEST directly. Always go through $this->input . Always prevent XSS (Cross-Site Scripting) by using $this->security->xss_clean() for other texts not part of the form. Enabling global_xss_filtering in the config may break binary/JSON POST bodies. For APIs, handle XSS manually per field. Cross-Site Request Forgery ( CSRF ) Enable CSRF protection globally in config.php . Always use echo form_open(); since it automatically adds the CSRF token value. If you can't, then include <?= $this->security->get_csrf_token_name() ?> in every form (eg: ajax). SQL Injection Prevention NEVER concatenate user input into raw SQL. Avoid $this->db->query() with raw user input. Always use CI3's Query Builder or prepared statements with bindings . File Upload Security Use CI3's Upload library. Do not use move_upl...
Post a Comment
Read more