Input Validation & Sanitisation
Always run user input through CI3's Form Validation library before processing it: declare a rule set for every field you intend to read and reject the request when run() returns FALSE.
Never read $_GET, $_POST, $_REQUEST or $_COOKIE directly. Always go through $this->input (post(), get(), cookie(), get_request_header()); passing TRUE as the second argument runs xss_clean() on the value.
For text that does not come from a validated form field (a raw request body, a header, a value read back from storage) filter it with $this->security->xss_clean(). Remember that xss_clean() is a lossy input filter, not an output encoder: whatever you render into HTML still has to go through html_escape().
global_xss_filtering is deprecated in CI3. When it is enabled, every value fetched through $this->input is passed through xss_clean(), which can corrupt binary or JSON-encoded fields. Leave it off for APIs and handle XSS per field.
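The rules above applied to one controller, as an added example that is not code from the original page. The controller, field, view and route names are assumed for illustration; the first method handles a normal HTML form, the second a JSON API body with global_xss_filtering left off:

```php
<?php
// Added example: Form Validation + $this->input + html_escape() in a CI3 controller.
// Controller, field, view and route names are assumed for illustration.
defined('BASEPATH') OR exit('No direct script access allowed');

class Profile extends CI_Controller
{
    // Classic HTML form submission.
    public function update()
    {
        $this->load->library('form_validation');

        // Declare the shape of every field you intend to read; nothing else is read.
        $this->form_validation->set_rules('username', 'Username',
            'trim|required|alpha_dash|min_length[3]|max_length[32]');
        $this->form_validation->set_rules('email', 'Email',
            'trim|required|valid_email|max_length[254]');
        $this->form_validation->set_rules('age', 'Age',
            'required|integer|greater_than_equal_to[13]|less_than[150]');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('profile_form');   // the view prints validation_errors()
            return;
        }

        // Second argument TRUE runs xss_clean() on the value; $_POST is never touched.
        $username = $this->input->post('username', TRUE);
        $email    = $this->input->post('email', TRUE);
        $age      = (int) $this->input->post('age');

        // ... persist with Query Builder here ...

        // xss_clean() filtered the input; the HTML context still needs escaping.
        $this->load->view('profile_saved', array(
            'username' => html_escape($username),
            'email'    => html_escape($email),
            'age'      => $age,
        ));
    }

    // JSON API variant: the body is decoded by hand, validated through set_data()
    // instead of $_POST, and filtered per field only where the value will be HTML.
    public function api_update()
    {
        $this->output->set_content_type('application/json');

        $body = json_decode($this->input->raw_input_stream, TRUE);
        if (!is_array($body)) {
            $this->output->set_status_header(400)
                ->set_output(json_encode(array('error' => 'invalid JSON body')));
            return;
        }
        $body = array_filter($body, 'is_string');   // the rules below expect scalar strings

        $this->load->library('form_validation');
        $this->form_validation->set_data($body);
        $this->form_validation->set_rules('bio', 'Bio', 'required|max_length[500]');
        $this->form_validation->set_rules('website', 'Website', 'valid_url|max_length[255]');

        if ($this->form_validation->run() === FALSE) {
            $this->output->set_status_header(422)
                ->set_output(json_encode(array('errors' => $this->form_validation->error_array())));
            return;
        }

        // Only the field that will later be rendered as HTML is filtered; the URL is
        // validated here and escaped with html_escape() at render time.
        $bio     = $this->security->xss_clean($body['bio']);
        $website = isset($body['website']) ? $body['website'] : '';

        // ... persist $bio and $website ...

        $this->output->set_output(json_encode(array('ok' => TRUE)));
    }
}
```

set_data() validates the decoded array but does not write trimmed values back into it, so the API variant deliberately avoids the trim rule and works with the raw strings it validated.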
Cross-Site Request Forgery (CSRF)
Enable CSRF protection globally by setting $config['csrf_protection'] = TRUE in application/config/config.php. Keep csrf_exclude_uris empty unless an endpoint genuinely cannot carry the token.
Always build forms with echo form_open(); it emits the hidden CSRF field (token name and hash) automatically.
If you cannot use form_open() (a hand-written form or an AJAX request), send both values yourself: a field named $this->security->get_csrf_token_name() whose value is $this->security->get_csrf_hash(). Emitting only the token name produces an empty field and every submission is rejected. CI3 verifies the token on POST requests only and reads it from $_POST, so AJAX calls must send it as a form-encoded field, not inside a JSON body.
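The three ways of carrying the token in one CI3 view, as an added example that is not code from the original page. It assumes csrf_protection is enabled, the form and url helpers are loaded, and a hypothetical route profile/update receives the POST:

```php
<?php
// Added example: CSRF token delivery in a CI3 view. Assumes csrf_protection = TRUE,
// form and url helpers loaded, and a hypothetical profile/update route.
?>

<!-- 1. Normal form: form_open() emits the hidden token field itself. -->
<?= form_open('profile/update') ?>
  <input type="text" name="username">
  <button type="submit">Save</button>
</form>

<!-- 2. Hand-written form: emit BOTH the field name and the hash. With only
        get_csrf_token_name() the field is empty and CI3 answers
        "The action you have requested is not allowed." (HTTP 403). -->
<form method="post" action="<?= site_url('profile/update') ?>">
  <input type="hidden"
         name="<?= $this->security->get_csrf_token_name() ?>"
         value="<?= $this->security->get_csrf_hash() ?>">
  <input type="text" name="username">
  <button type="submit">Save</button>
</form>

<!-- 3. AJAX: CI3 checks the token on POST only and reads it from $_POST, so it is
        sent as a form-encoded field (not JSON) together with the cookies. -->
<script>
  var csrfName = <?= json_encode($this->security->get_csrf_token_name()) ?>;
  var csrfHash = <?= json_encode($this->security->get_csrf_hash()) ?>;
  var target   = <?= json_encode(site_url('profile/update')) ?>;

  function saveProfile(username) {
    var body = new URLSearchParams();
    body.append(csrfName, csrfHash);
    body.append('username', username);
    return fetch(target, {
      method: 'POST',
      credentials: 'same-origin',   // the csrf cookie must accompany the request
      body: body                    // application/x-www-form-urlencoded
    });
  }
</script>
```

With csrf_regenerate set to TRUE the hash rotates on every request, so the value embedded in the page is stale after the first AJAX call; either set csrf_regenerate to FALSE for a per-session token or re-read the cookie named by csrf_cookie_name before each request.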
SQL Injection Prevention
NEVER concatenate or interpolate user input into SQL text. $this->db->query() with a string built from user input is injectable, and so is $this->db->where() when you hand it a pre-built condition string.
Always use CI3's Query Builder with separate value arguments, or pass values as query bindings ($this->db->query($sql, $binds) with ? placeholders). Bindings protect values only; a column or table name that comes from the user must be checked against a whitelist.
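A CI3 model that puts the forbidden pattern next to the safe ones, as an added example that is not code from the original page. The table users(id, username, created_at) and the method names are assumed; the two unsafe methods exist only to show what the rule forbids:

```php
<?php
// Added example: injectable vs. safe data access in a CI3 model.
// Table users(id, username, created_at) and method names are assumed.
defined('BASEPATH') OR exit('No direct script access allowed');

class User_model extends CI_Model
{
    // VULNERABLE (what the rule forbids). With $username = "' OR '1'='1" the WHERE
    // clause is always true and every row comes back; a UNION SELECT reads other tables.
    public function find_unsafe($username)
    {
        $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->result_array();
    }

    // Also VULNERABLE: Query Builder does not help when you build the condition string.
    public function find_unsafe_qb($username)
    {
        return $this->db->where("username = '" . $username . "'")->get('users')->result_array();
    }

    // SAFE: the value is passed separately and escaped by the driver.
    public function find_by_username($username)
    {
        return $this->db->select('id, username')
            ->where('username', $username)
            ->get('users', 1)
            ->row_array();
    }

    // SAFE: like() also escapes the LIKE wildcards (% and _) inside $term.
    public function search($term)
    {
        return $this->db->select('id, username')
            ->like('username', $term, 'both')
            ->get('users')
            ->result_array();
    }

    // SAFE: raw SQL with positional ? bindings; each value is escaped before substitution.
    public function created_between($from, $to, $limit)
    {
        $sql = 'SELECT id, username FROM users WHERE created_at BETWEEN ? AND ? LIMIT ?';
        return $this->db->query($sql, array($from, $to, (int) $limit))->result_array();
    }

    // Bindings protect values only. A column chosen by the user (a sort key) cannot
    // be bound, so it is mapped through a whitelist before it reaches the query.
    public function list_sorted($sort_col, $dir)
    {
        $allowed  = array('id', 'username', 'created_at');
        $sort_col = in_array($sort_col, $allowed, TRUE) ? $sort_col : 'id';
        $dir      = (strtoupper((string) $dir) === 'DESC') ? 'DESC' : 'ASC';
        return $this->db->order_by($sort_col, $dir)->get('users')->result_array();
    }
}
```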
File Upload Security
Use CI3's Upload library ($this->load->library('upload', $config) followed by do_upload()). Do not call move_uploaded_file() directly; the library's size, extension, MIME and image-dimension checks only run through do_upload().
Set allowed_types to an explicit whitelist of extensions (for example jpg|png|pdf); the library matches the extension and the detected MIME type against application/config/mimes.php. Never use '*'.
Store uploads in a directory outside application/ and system/, ideally outside the web root, and serve them through a controller that sets the Content-Type.
Rename the file on save (encrypt_name => TRUE gives a random name). Never keep the original filename as a path; if you need it at all, store it as a display attribute.
Add an .htaccess to the uploads/ directory itself that denies execution of scripts (PHP handler removed or .php files denied). Do not put these rules in the site's global .htaccess; keeping them in the uploads directory means the restriction travels with the directory. Check that AllowOverride permits the directives, and remember that nginx ignores .htaccess entirely.
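The upload rules in one CI3 controller, as an added example that is not code from the original page. The storage path, form field, view names and the model call are assumed; the .htaccess written on first use is the per-directory file the last rule asks for:

```php
<?php
// Added example: CI3 Upload library with an extension whitelist, random names, storage
// outside application/ and system/, a serving action, and a per-directory .htaccess.
// Paths, field name, view names and the model call are assumed.
defined('BASEPATH') OR exit('No direct script access allowed');

class Avatar extends CI_Controller
{
    // Outside application/ and system/; ideally outside the document root as well.
    const UPLOAD_DIR = '/var/www/uploads/avatars/';

    public function upload()
    {
        $this->ensure_upload_dir(self::UPLOAD_DIR);

        $config = array(
            'upload_path'      => self::UPLOAD_DIR,
            'allowed_types'    => 'jpg|jpeg|png|gif',   // whitelist, never '*'
            'detect_mime'      => TRUE,                 // verify with finfo, not the client's header
            'max_size'         => 2048,                 // KB
            'max_width'        => 2000,
            'max_height'       => 2000,
            'encrypt_name'     => TRUE,                 // random md5 name; original discarded
            'file_ext_tolower' => TRUE,
            'remove_spaces'    => TRUE,
        );
        $this->load->library('upload', $config);

        if (!$this->upload->do_upload('avatar')) {      // 'avatar' is the form field name
            $this->load->view('avatar_form', array('error' => $this->upload->display_errors('', '')));
            return;
        }

        $file = $this->upload->data();
        // Persist only the generated name; the client's name is a display attribute at most.
        // $this->avatar_model->save($user_id, $file['file_name'], $file['client_name']);  // assumed
        $this->load->view('avatar_saved', array('name' => html_escape($file['file_name'])));
    }

    // Serve through the application so the directory never needs to be web-reachable.
    public function show($name)
    {
        // encrypt_name produces md5 hex + extension; anything else is not ours.
        if (!preg_match('/^[a-f0-9]{32}\.(jpg|jpeg|png|gif)$/', $name)) {
            show_404();
        }
        $path = self::UPLOAD_DIR . $name;
        if (!is_file($path)) {
            show_404();
        }
        $this->load->helper('file');
        $this->output->set_content_type(get_mime_by_extension($path))
            ->set_header('X-Content-Type-Options: nosniff')
            ->set_header('Content-Disposition: inline; filename="' . $name . '"')
            ->set_output(file_get_contents($path));
    }

    private function ensure_upload_dir($dir)
    {
        if (!is_dir($dir)) {
            mkdir($dir, 0750, TRUE);
        }
        $htaccess = $dir . '.htaccess';
        if (!is_file($htaccess)) {
            // Apache 2.4 syntax; AllowOverride must permit these directives or Apache
            // answers 500. nginx ignores .htaccess: deny PHP in its location block instead.
            file_put_contents($htaccess,
                "<FilesMatch \"\\.(php|phtml|php[0-9]|phar|pl|py|cgi|sh)\$\">\n" .
                "    Require all denied\n" .
                "</FilesMatch>\n" .
                "RemoveHandler .php .phtml .phar\n" .
                "Options -ExecCGI -Indexes\n"
            );
        }
    }
}
```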
JWT Token for API
CI3 has no built-in JWT support. Use firebase/php-jwt via Composer and enable $config['composer_autoload'] in config.php so the classes load.
Wrap it in a JWT helper or a dedicated library so that the algorithm (for example HS256), the secret and the claim checks live in one place.
Validate the token on every API request in the constructor of a base API controller; only the login endpoint that issues tokens is exempt. Pin the expected algorithm when decoding and answer expired or malformed tokens with a 401.
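A base API controller built on firebase/php-jwt (v6 API), as an added example that is not code from the original page. It assumes composer_autoload is enabled, a JWT_SECRET environment variable (read the way the Secret Management section below asks for, failing closed when absent), and a hypothetical user_model; the base class would normally live in application/core/ and is shown in one file with its child only for brevity:

```php
<?php
// Added example: HS256 issue/verify with firebase/php-jwt v6 in a CI3 base controller.
// Assumes composer_autoload = TRUE, a JWT_SECRET env var and an assumed user_model.
defined('BASEPATH') OR exit('No direct script access allowed');

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class API_Controller extends CI_Controller
{
    protected $claims = NULL;                     // decoded token for this request
    protected $public_methods = array('login');   // methods that need no token

    public function __construct()
    {
        parent::__construct();
        $this->output->set_content_type('application/json');
        if (in_array($this->router->fetch_method(), $this->public_methods, TRUE)) {
            return;
        }
        $this->claims = $this->require_jwt();
    }

    // The secret comes from the environment only; fail closed if missing or weak.
    protected function jwt_secret()
    {
        $secret = getenv('JWT_SECRET');
        if ($secret === FALSE || strlen($secret) < 32) {
            log_message('error', 'JWT_SECRET is missing or shorter than 32 bytes');
            show_error('Server misconfiguration', 500);
        }
        return $secret;
    }

    protected function issue_jwt($user_id, $ttl = 3600)
    {
        $now = time();
        $payload = array(
            'iss' => base_url(),
            'sub' => (string) $user_id,
            'iat' => $now,
            'nbf' => $now,
            'exp' => $now + $ttl,
        );
        return JWT::encode($payload, $this->jwt_secret(), 'HS256');
    }

    protected function require_jwt()
    {
        $header = $this->input->get_request_header('Authorization');
        if (!$header || !preg_match('/^Bearer\s+([A-Za-z0-9\-_.]+)$/', $header, $m)) {
            $this->deny('missing bearer token');
        }
        try {
            JWT::$leeway = 30;   // seconds of clock skew tolerated for exp/nbf
            // Key pins the algorithm: the token's own "alg" header is never trusted,
            // so "alg":"none" and RS/HS key-confusion tokens are rejected.
            $claims = JWT::decode($m[1], new Key($this->jwt_secret(), 'HS256'));
        } catch (\Exception $e) {   // expired, bad signature, not yet valid, malformed
            $this->deny('invalid token');
        }
        if (empty($claims->sub) || !isset($claims->iss) || $claims->iss !== base_url()) {
            $this->deny('token not valid for this service');
        }
        return $claims;
    }

    protected function deny($reason)
    {
        $this->output->set_status_header(401)
            ->set_header('WWW-Authenticate: Bearer')
            ->set_output(json_encode(array('error' => $reason)))
            ->_display();
        exit;
    }
}

// Child controller: login is public, every other method runs require_jwt() first.
class Auth extends API_Controller
{
    public function login()
    {
        $username = $this->input->post('username', TRUE);
        $password = $this->input->post('password');
        $user_id  = $this->user_model->verify($username, $password);   // assumed: id or NULL
        if ($user_id === NULL) {
            $this->deny('bad credentials');
        }
        $this->output->set_output(json_encode(array('token' => $this->issue_jwt($user_id))));
    }

    public function me()
    {
        $this->output->set_output(json_encode(array('user' => $this->claims->sub)));
    }
}
```

Because the API is authenticated by a bearer header rather than a cookie, the browser never attaches the token on its own, which is why the CSRF field is not needed on these endpoints; any endpoint that still relies on the session cookie must keep the CSRF check.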
General Reminders
Secret Management
Store all secrets (JWT_SECRET, APP_ENCRYPTION_KEY, HMAC_SECRET) in a .env file or in server environment variables and read them with getenv(). CI3 does not load .env on its own, so use the server environment or a dotenv package.
Do not hardcode them and never commit them: add .env to .gitignore, and fail closed (refuse to serve) when a required secret is missing rather than falling back to a default.
Base/Site URLs
Keep $config['base_url'] set to the site's real scheme and host, and set $config['index_page'] to '' when .htaccess rewrites remove index.php from URLs. Leaving base_url empty makes CI3 guess it from the server's address, which produces wrong links behind a proxy or load balancer.
This is already done by default on all projects.
Refactoring
If you are developing on existing code, bring the code you touch up to these standards rather than copying the patterns already there.