Posts

Security for CodeIgniter 3

Input Validation & Sanitisation
Always use CI3's Form Validation library before processing any user input. Never use $_GET, $_POST, or $_REQUEST directly; always go through $this->input. Always prevent XSS (Cross-Site Scripting) by using $this->security->xss_clean() on other text that is not part of a form. Enabling global_xss_filtering in the config may break binary/JSON POST bodies; for APIs, handle XSS manually per field.

Cross-Site Request Forgery (CSRF)
Enable CSRF protection globally in config.php. Always use echo form_open(); since it automatically adds the CSRF token value. If you can't, then include <?= $this->security->get_csrf_token_name() ?> in every form (e.g. AJAX).

SQL Injection Prevention
NEVER concatenate user input into raw SQL. Avoid $this->db->query() with raw user input. Always use CI3's Query Builder or prepared statements with bindings.

File Upload Security
Use CI3's Upload library. Do not use move_upl...
Recent posts

Modern Web Dev Tools

Setting up a local environment doesn't have to be finicky. Move those config files into the trash bin. It doesn't matter what platform you're on (macOS and Windows compatible); these modern tools make your local environment simpler. Well, at least simpler than XAMPP or MAMP lah.

Laravel Herd
Blazingly fast, native local environment for PHP and Laravel projects. It also supports other frameworks like CI3.

Why?
Plug-and-play bro. No manual config required.
Easy access: Your projects can be accessed instantly via a .test domain right out of the box.
Simply lovely: Click-click and you're done. XAMPP or MAMP can never.

Installing Laravel Herd
macOS: Download Herd for macOS, open the .dmg file, and drag it to your Applications folder.
Windows: Download Herd for Windows, run the .exe, and follow the setup wizard.

Setting Up Your First Project
Open the Herd tray icon and navigate to Settings > Sites. Click Add site and point it to your project folder. Ensure ...

Blog update

This blog has been more or less abandoned for the past few years. I'm gonna be a bit more active in 2026 (hopefully). There are a lot of things on my mind that I can write and share. I don't care if no one reads this. I just want to pour my thoughts somewhere. Plus, this is a better place than my private notes.

New changes:
Custom domain (finally bought 'firdausbsafari.my' 🎉)
New theme centered around tech and programming
Added favicon (idk why it's square lol)
Added Google Analytics cuz I'm a nerd
New banner (sadly this theme doesn't display the banner)

Oh, and by the way, I'm now open for side gigs. Just hit me up with a DM if you want something done. I can do both Web & App.

SQL Tuning

Is your page loading slowly? Millions of records? Client complaining about having to wait more than 10 seconds for a page load? Say no more. This knowledge-sharing session is about query tuning. It's not only a vehicle's ECU that can be tuned for speed; databases and queries can be too. Even a 1-second wait already counts as slow. So, let's learn how to speed up queries.

Optimize select
Don't use select *. I'd bet you don't even use all of the records. At most, maybe 90% of the fields are used. Cutting that 10% is still worth writing out a long select list. Make sure you don't select the same thing twice.

Optimize the use of functions
Certain functions create a temporary table to process data before returning a value. High cost, better to do it another way.
DISTINCT ➡️ faster to use GROUP BY
GROUP_CONCAT ➡️ you can run another simple query, then process and merge both arrays of objects
ORDER BY ➡️ sort on the frontend only; the backend doesn't need to

Optimize subqueries
When joining a table, it will select all fields. Better to select directly only the fields we want ...

Vulnerabilities in Dependencies

Vulnerabilities in Dependencies - A Lesson from 4chan

Case Study: The 4chan Security Breach
The Neglect: 4chan had not updated its project dependencies since 2009.
The Vulnerability: One specific dependency was publicly known to have multiple critical vulnerabilities: Ghostscript. Ghostscript Vulnerability Reports (Snyk)
Attack Vectors:
Local File Inclusion (LFI): The system processed PDF files without verifying that the uploaded file was actually a PDF.
Remote Code Execution (RCE): After a successful injection, attackers could run malicious scripts directly on the server.
The Wake-Up Call: This event serves as a modern reminder of the critical importance of keeping dependencies up to date.

Dependencies Audit & Status
These are some of the dependencies commonly used.
mPDF (Fixed) - Vulnerability: Deserialization of untrusted data (similar to the 4chan/Ghostscript exploit). Risk: Affects all versions lower than 7.1.8.
aws/aws-sdk-php (Fixed) - Path Traversal. Affects versions lower t...