
Security for CodeIgniter 3



Input Validation & Sanitisation

  • Always use CI3's Form Validation library before processing any user input.

  • Never use $_GET, $_POST, or $_REQUEST directly. Always go through $this->input.

  • Always prevent XSS (Cross-Site Scripting): run $this->security->xss_clean() on user-supplied text that does not go through the Form Validation rules.

    • Enabling global_xss_filtering in the config may break binary/JSON POST bodies. For APIs, handle XSS manually per field.
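The two cases above in one controller, as an added example that is not from the original post: a normal form checked with the Form Validation library, and a JSON API body validated with set_data() and cleaned per field instead of via global_xss_filtering. The `profile_form` view and the field names are constructed.

```php
<?php
// Added example (not from the original post). Assumes the form_validation
// library is available and a constructed `profile_form` view exists.
class Profile extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
    }

    // HTML form: every field passes a rule set before it is touched.
    public function update()
    {
        $this->form_validation->set_rules('name', 'Name', 'required|trim|max_length[60]');
        $this->form_validation->set_rules('email', 'Email', 'required|valid_email');
        if ($this->form_validation->run() === FALSE) {
            return $this->load->view('profile_form'); // view prints validation_errors()
        }
        // Read through $this->input, never $_POST; TRUE runs xss_clean on the value.
        $name  = $this->input->post('name', TRUE);
        $email = $this->input->post('email', TRUE);
        // ... save $name / $email with Query Builder
    }

    // JSON API: global_xss_filtering would mangle the raw body, so decode it,
    // validate the decoded array, and clean only the string fields you keep.
    public function api_update()
    {
        $body = json_decode($this->input->raw_input_stream, TRUE);
        if ( ! is_array($body)) {
            return $this->_json(400, array('error' => 'invalid JSON'));
        }
        $this->form_validation->set_data($body);   // validate this array, not $_POST
        $this->form_validation->set_rules('name', 'Name', 'required|max_length[60]');
        $this->form_validation->set_rules('email', 'Email', 'required|valid_email');
        if ($this->form_validation->run() === FALSE) {
            return $this->_json(422, array('errors' => $this->form_validation->error_array()));
        }
        $name  = $this->security->xss_clean($body['name']); // per field, not globally
        $email = $body['email'];                             // valid_email already constrains it
        // ... save $name / $email with Query Builder
    }

    private function _json($status, array $payload)
    {
        $this->output->set_status_header($status)->set_content_type('application/json')
                     ->set_output(json_encode($payload));
    }
}
```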

Cross-Site Request Forgery (CSRF)


  • Enable CSRF protection globally in config.php.

  • Always use echo form_open(); since it automatically adds the CSRF token value.

  • If you can't (e.g. a hand-written form or an AJAX POST), include a hidden field in every form whose name is <?= $this->security->get_csrf_token_name() ?> and whose value is <?= $this->security->get_csrf_hash() ?>.
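The config.php switches and the two ways of emitting the token, as an added example that is not from the original post. It assumes the form helper is loaded and a constructed `profile/update` route.

```php
<?php
// Added example (not from the original post).
// --- application/config/config.php: CSRF on for every POST request ---
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_token';    // name of the POST field CI3 checks
$config['csrf_cookie_name']  = 'csrf_cookie';   // cookie that carries the same value
$config['csrf_expire']       = 7200;            // seconds until the token expires
$config['csrf_regenerate']   = TRUE;            // new token after every request
$config['csrf_exclude_uris'] = array();         // keep empty unless a route truly cannot carry a token

// --- application/views/profile_form.php (constructed view) ---
// form_open() emits the hidden token field for you:
echo form_open('profile/update');
echo form_input('name');
echo form_submit('save', 'Save');
echo form_close();

// A hand-written form must send the same field itself. CI3 compares the POST
// field with the cookie, so sending the value only in a header is not enough.
?>
<form method="post" action="<?= site_url('profile/update') ?>">
  <input type="hidden"
         name="<?= $this->security->get_csrf_token_name() ?>"
         value="<?= $this->security->get_csrf_hash() ?>">
  <input type="text" name="name">
  <button type="submit">Save</button>
</form>
```

With csrf_regenerate set to TRUE, an AJAX client has to read the fresh value from the csrf cookie before each POST, because the previous hash is no longer valid.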

SQL Injection Prevention

  • NEVER concatenate user input into raw SQL. Avoid $this->db->query() with raw user input.

  • Always use CI3's Query Builder or prepared statements with bindings.
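The same lookup written the forbidden way and the two recommended ways, as an added example that is not from the original post; the `users` table with `email` and `status` columns is constructed.

```php
<?php
// Added example (not from the original post). Assumes a constructed `users`
// table with `email` and `status` columns.
class User_model extends CI_Model
{
    // VULNERABLE: $email is pasted into the SQL string unescaped.
    public function find_by_email_unsafe($email)
    {
        return $this->db->query("SELECT * FROM users WHERE email = '" . $email . "'")->row();
    }

    // SAFE: Query Builder escapes every value and identifier it is given.
    public function find_by_email($email)
    {
        return $this->db->where('email', $email)
                        ->where('status', 'active')
                        ->get('users')
                        ->row();
    }

    // SAFE: query bindings; each ? is replaced, in order, by an escaped value.
    public function find_by_email_bound($email)
    {
        $sql = 'SELECT * FROM users WHERE email = ? AND status = ?';
        return $this->db->query($sql, array($email, 'active'))->row();
    }

    // SAFE: like() escapes the LIKE wildcards as well as the quotes.
    public function search_by_name($fragment)
    {
        return $this->db->like('name', $fragment)->get('users')->result();
    }
}
```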


File Upload Security

  • Use CI3's Upload library. Do not use move_uploaded_file() directly.

  • Whitelist allowed MIME types and extensions explicitly.

  • Store uploads outside the application/ and system/ folders.

  • Rename the file on save. Never keep the original filename.

  • Add an .htaccess in your uploads/ folder that blocks execution of uploaded files. Do not put these rules in the global .htaccess.
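An upload handler that follows the five points above, as an added example that is not from the original post. The storage path `/var/www/storage/uploads/`, the `avatars` table and the `avatar` field name are constructed.

```php
<?php
// Added example (not from the original post). The upload path, table and
// field name below are constructed for illustration.
class Avatar extends CI_Controller
{
    public function upload()
    {
        $config = array(
            'upload_path'   => '/var/www/storage/uploads/', // outside application/ and system/
            'allowed_types' => 'jpg|png',  // explicit whitelist of extension + MIME
            'max_size'      => 2048,       // KB
            'max_width'     => 2000,
            'max_height'    => 2000,
            'encrypt_name'  => TRUE,       // random file name; the original is dropped
            'detect_mime'   => TRUE,       // inspect the file, not only the client header
        );
        $this->load->library('upload', $config);

        if ( ! $this->upload->do_upload('avatar')) {
            // e.g. "The filetype you are attempting to upload is not allowed."
            return $this->output->set_status_header(400)
                                ->set_output($this->upload->display_errors('', ''));
        }

        $data = $this->upload->data();
        // Persist only the generated name; $data['client_name'] is never stored.
        $this->db->insert('avatars', array(
            'user_id'   => (int) $this->session->userdata('user_id'),
            'file_name' => $data['file_name'],   // e.g. 3f9c...b2.png
            'mime'      => $data['file_type'],   // detected MIME type
        ));
    }
}
```

For the uploads/.htaccess the page refers to, assuming Apache with mod_php, `php_flag engine off` together with a `<FilesMatch "\.(php|phtml|phar)$">` block containing `Require all denied` stops anything that slips past the whitelist from running.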

JWT Token for API

  • CI3 has no built-in JWT. Use firebase/php-jwt via Composer.

  • Create a JWT helper or a dedicated library.


  • Validate the token on every API request in a base API controller; only the login endpoint is exempt.
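A base API controller that verifies the bearer token with firebase/php-jwt, as an added example that is not from the original post. It assumes the v6 API of that library (JWT::decode with a Key object), JWT_SECRET taken from the environment as the Secret Management section below asks, and Composer autoloading enabled in config.php.

```php
<?php
// Added example (not from the original post). Assumes firebase/php-jwt v6
// loaded via Composer and JWT_SECRET set in the server environment.
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class API_Controller extends CI_Controller
{
    protected $auth_user = NULL;   // decoded claims of the caller

    public function __construct()
    {
        parent::__construct();
        $this->output->set_content_type('application/json');

        $secret = getenv('JWT_SECRET');
        if ($secret === FALSE || $secret === '') {
            $this->_deny(500, 'server misconfigured');   // never fall back to a default key
        }

        $header = $this->input->get_request_header('Authorization', TRUE);
        if ( ! preg_match('/^Bearer\s+(\S+)$/', (string) $header, $m)) {
            $this->_deny(401, 'missing bearer token');
        }

        try {
            // Pinning HS256 here means a token that names any other algorithm is rejected;
            // decode() also checks the signature and the exp / nbf claims.
            $this->auth_user = JWT::decode($m[1], new Key($secret, 'HS256'));
        } catch (Exception $e) {   // expired, bad signature, malformed, ...
            $this->_deny(401, 'invalid token');
        }
    }

    private function _deny($status, $msg)
    {
        $this->output->set_status_header($status)
                     ->set_output(json_encode(array('error' => $msg)))
                     ->_display();
        exit;
    }
}

// Every protected endpoint extends API_Controller and gets the check for free.
class Orders extends API_Controller
{
    public function index()
    {
        $this->output->set_output(json_encode(array('user' => $this->auth_user->sub)));
    }
}
```

The login controller extends CI_Controller directly, so it skips this constructor, and issues tokens with JWT::encode($claims, getenv('JWT_SECRET'), 'HS256') after checking the credentials.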

General Reminders

  • Secret Management

    • Store all secrets (JWT_SECRET, APP_ENCRYPTION_KEY, HMAC_SECRET) in .env or in the server environment.

    • Do not hardcode them and never commit them.


  • Base/Site URLs

    • Keep $config['base_url'] correct and set $config['index_page'] to '' when using .htaccess.

    • This is already done by default on all projects.


  • Refactoring

    • If you are developing something on existing code, implement the security standards.

