The CI_Security class has several built-in security functions that help protect an application from attackers. Some of them are listed below:
CI_Security class reference
1 xss_clean(): This function removes XSS (cross-site scripting) exploits from the input data and returns the cleaned string. If the optional second parameter ($is_image) is set to TRUE, it returns a boolean instead: TRUE if the image is safe to use and FALSE if malicious data was detected in it.
xss_clean($str[, $is_image = FALSE]);
- $str (mixed) – Input string or an array of strings
- $is_image (bool) – Whether the input is an image
The return type of this function is mixed: it returns XSS-clean data, or a boolean when $is_image is TRUE.
To filter HTML attribute values, use the html_escape() function instead.
2 sanitize_filename(): This method sanitizes filenames received from form input in order to prevent directory traversal attempts and other security threats.
sanitize_filename($str[, $relative_path = FALSE]);
The return type of this function is string and it will return the sanitized file name or path.
3 get_csrf_token_name(): This function returns the CSRF (Cross-Site Request Forgery) token name (the $config['csrf_token_name'] value).
The return type of this function is string and it will return the CSRF token name.
4 get_csrf_hash(): This function returns the current CSRF hash value. It is very useful for building forms manually or for sending valid AJAX POST requests.
The return type of this function is string and it will return the CSRF hash.
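As an added example (not code from the CodeIgniter documentation), the following CodeIgniter 3 controller shows how get_csrf_token_name() and get_csrf_hash() are used to build a form by hand, how xss_clean() with $is_image = TRUE screens an uploaded image, and how sanitize_filename() cleans the client-supplied name. The controller name Upload, the field name picture, the csrf-token meta tag and the uploads/ directory are assumptions; it assumes $config['csrf_protection'] = TRUE in a stock CI3 install.

```php
<?php
// Added example, not from the CodeIgniter docs: a CI3 controller that emits
// the CSRF field by hand and screens an uploaded image with xss_clean().
// Assumes $config['csrf_protection'] = TRUE and a writable FCPATH.'uploads/'.
defined('BASEPATH') OR exit('No direct script access allowed');

class Upload extends CI_Controller
{
    // GET /upload: no form helper, so the CSRF hidden input is written manually.
    public function index()
    {
        $this->load->helper('url');
        $name = $this->security->get_csrf_token_name();  // $config['csrf_token_name']
        $hash = $this->security->get_csrf_hash();

        // A meta tag lets JavaScript read the token for AJAX POSTs; CI3 expects
        // it back as a POST field with the same name, not as a request header.
        echo '<meta name="csrf-token" content="' . html_escape($hash) . '">';
        echo '<form method="post" enctype="multipart/form-data" action="'
            . site_url('upload/save') . '">';
        echo '<input type="hidden" name="' . html_escape($name)
            . '" value="' . html_escape($hash) . '">';
        echo '<input type="file" name="picture"><button type="submit">Upload</button>';
        echo '</form>';
    }

    // POST /upload/save: the framework has already verified the CSRF token
    // before this runs, so only the file itself needs checking here.
    public function save()
    {
        if (empty($_FILES['picture']['tmp_name'])) {
            show_error('No file received', 400);
        }

        // With $is_image = TRUE, xss_clean() returns a boolean verdict instead of
        // cleaned data: FALSE means script-like content was found in the file.
        $data = file_get_contents($_FILES['picture']['tmp_name']);
        if ($this->security->xss_clean($data, TRUE) !== TRUE) {
            log_message('error', 'Rejected image upload containing script content');
            show_error('Upload rejected', 400);
        }

        // Strip traversal sequences from the client-supplied name before use.
        $safe = $this->security->sanitize_filename($_FILES['picture']['name']);
        move_uploaded_file($_FILES['picture']['tmp_name'], FCPATH . 'uploads/' . $safe);
        echo 'Stored as ' . html_escape($safe);
    }
}
```

In a real application the hidden field would live in a view template rather than in echo calls; the controller form is used here only to keep the example in one file.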
5 entity_decode(): This function works like the native PHP function html_entity_decode() in ENT_COMPAT mode, but it also detects HTML entities that don't end in a semicolon, because some browsers accept those.
entity_decode($str[, $charset = NULL]);
If the $charset parameter is left empty, the value configured in application/config/config.php under $config['charset'] is used.
The return type of this function is string and it will return the entity-decoded string.
6 get_random_bytes(): This function obtains proper random bytes via mcrypt_create_iv(), /dev/urandom or openssl_random_pseudo_bytes() (in that order), whichever is available first. It is also used internally to generate CSRF and XSS tokens.
The return type of this function is string and it will return a binary stream of random bytes or FALSE on failure.