## Input Validation & Sanitisation

- Always use CI3's Form Validation library before processing any user input.
- Never use `$_GET`, `$_POST`, or `$_REQUEST` directly. Always go through `$this->input`.
- Always prevent XSS (Cross-Site Scripting) by using `$this->security->xss_clean()` for any other text that is not part of the form.
- Enabling `global_xss_filtering` in the config may break binary/JSON POST bodies. For APIs, handle XSS manually per field.

## Cross-Site Request Forgery (CSRF)

- Enable CSRF protection globally in `config.php`.
- Always use `echo form_open();` since it automatically adds the CSRF token value.
- If you can't, then include `<?= $this->security->get_csrf_token_name() ?>` in every form (e.g. ajax).

## SQL Injection Prevention

- NEVER concatenate user input into raw SQL.
- Avoid `$this->db->query()` with raw user input.
- Always use CI3's Query Builder or prepared statements with bindings.

## File Upload Security

Use CI3's Upload library. Do not use move_upl...
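The following controller is an added example written for these notes; it is not code from the original post or from the CodeIgniter project. It ties the first three sections together in one place: validation rules run before any input is read, every value is read through `$this->input` (with per-field `xss_clean` via the second argument instead of `global_xss_filtering`), `form_open()` supplies the CSRF field, and the database is reached only through Query Builder or a bound `query()` call. The `Profile` controller, the `users` table, its column names and the `user_id` session key are all assumptions made for the example.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not from the original post): a hypothetical CI3 controller.
// Assumed: a "users" table with id/username/email/bio columns, a session
// key "user_id", views "profile_edit", and $config['csrf_protection'] = TRUE.
class Profile extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library(array('form_validation', 'session'));
        $this->load->helper(array('form', 'url'));
        $this->load->database();
    }

    // GET /profile/edit : renders the form. The view calls form_open(), which
    // injects the CSRF hidden field when csrf_protection is enabled.
    public function edit()
    {
        $this->load->view('profile_edit');
    }

    // POST /profile/save : validate first, then read only through $this->input.
    public function save()
    {
        // Rules are declared and run before any field is used.
        $this->form_validation->set_rules('username', 'Username',
            'trim|required|alpha_dash|min_length[3]|max_length[30]');
        $this->form_validation->set_rules('email', 'Email',
            'trim|required|valid_email|max_length[254]');
        $this->form_validation->set_rules('bio', 'Bio', 'trim|max_length[500]');

        if ($this->form_validation->run() === FALSE) {
            // Re-render the form; validation_errors() is shown by the view
            // and nothing is written to the database.
            $this->load->view('profile_edit');
            return;
        }

        $data = array(
            // Validated fields, still read via $this->input, never $_POST.
            'username' => $this->input->post('username'),
            'email'    => $this->input->post('email'),
            // Free text that will later be echoed back: the TRUE argument
            // runs xss_clean() on this field only, so global_xss_filtering
            // can stay off for JSON/binary endpoints elsewhere.
            'bio'      => $this->input->post('bio', TRUE),
        );

        // Query Builder escapes every value; no SQL string is assembled by hand.
        $this->db->where('id', (int) $this->session->userdata('user_id'));
        $this->db->update('users', $data);

        redirect('profile/edit');
    }

    // GET /profile/search?q=... : a JSON API path. XSS is handled per field
    // here (second argument TRUE) rather than with global_xss_filtering.
    public function search()
    {
        $q = (string) $this->input->get('q', TRUE);

        // NEVER do this - the query string ends up inside the SQL text:
        //   $this->db->query("SELECT id, username FROM users WHERE username LIKE '%" . $_GET['q'] . "%'");

        // Query Builder: like() escapes the value and the LIKE wildcards.
        $this->db->select('id, username');
        $this->db->like('username', $q);
        $rows = $this->db->get('users', 20)->result();

        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode($rows));
    }

    // Equivalent read using query bindings instead of Query Builder:
    // every "?" is replaced with the escaped value from the array.
    public function find_by_email()
    {
        $email = (string) $this->input->get('email', TRUE);
        $query = $this->db->query(
            'SELECT id, username FROM users WHERE email = ? LIMIT 1',
            array($email)
        );
        $row = $query->row();

        $this->output
            ->set_content_type('application/json')
            ->set_output(json_encode($row === NULL ? array() : $row));
    }
}
```

For a form written by hand (or a request sent from JavaScript) instead of `form_open()`, the request has to carry both the token name and the current token value, which CI3 exposes as `$this->security->get_csrf_token_name()` and `$this->security->get_csrf_hash()`; sending only the name is not enough for the CSRF check to pass.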