Security in CodeIgniter

Security in CodeIgniter


Related Topic

Codeigniter Interview Questions

URI Security:

  • Codeigniter does not allow all types of characters in URI strings.
  • For security reasons, it only allowed some useful and most commonly used symbols.
  • It minimizes the possibility to pass malicious data into your application.
  • URIs may only contain the following:

1 Alpha-numeric text (Latin characters only)

2 Tilde: ~

3 Percent sign: %

4 Period: .

5 Colon: :

6 Underscore: _

7 Dash: -

8 Space

Register globals:

In codeigniter, all global variables that are stored in global arrays($_POST, $_GET, $_FILES, $_REQUEST, $_COOKIE) are unset during the initialization of system.

XSS(Cross-Site Scripting) Filtering:

  • To trigger JavaScript or other types of code that attempt to hijack cookies or do other malicious things, Codeigniter provides a Cross-Site Scripting prevention filter.
  • We can use xss_clean() function to filter data through the XSS filter.
  • Syntax:

    $data = $this->security->xss_clean($data);


  • this: This keyword is used for self-referencing.
  • security: It is the object of CI_Controller class that we inherit in the controller class.

This function most commonly used to prevent cross-site scripting during the form submission.

It has another optional Boolean parameter which used to check the image file for the XSS attack.

if ($this->security->xss_clean(, TRUE) === FALSE)
// file failed the XSS test

To filter HTML attributes value, use html_escape() method.

SQL Injection Prevention:

  • This type of attack is made on database queries.
  • To prevent SQL Injections native PHP provides mysql_real_escape_string() method.
  • Codeigniter has its own libraries and inbuilt methods to prevent these types of attacks.
  • In Codeigniter, we use the following three ways :
  • Escaping Queries
  • Query Biding
  • Active Record Class

1 Escaping Queries: By using the escape() method, we can determine the data type to escape only string data. escape() function adds the single quotes around the data automatically.

$email = $this->input->post(email);
$query = 'SELECT * FROM `student` WHERE email = '.

2 Query Biding: This method produces safe queries by escaping data string automatically.

$sql = "SELECT * FROM `student` WHERE id = ? AND email = ? AND name = ?";
$this->db->query($sql, array(5, '', 'Ramesh'));

In the above example, all question mark (?) will be replaced by the array in the second parameter of the query() function

3 Active record class: By using these records, a safe query syntax.

('class'=>'4 ','email' => ''));

CSRF (Cross-Site Request Forgery) protection:

We can enable CSRF protection by changing our application/config/config.php file in the following way:

$config['csrf_regenerate'] = TRUE;

If you are using form helper in your application and creating all your forms by using the form_open() function, then this setting from the config.php file will automatically insert a hidden CSRF field in your forms.

We can also add CSRF field manually by using get_csrf_token_name() and get_csrf_hash().

$csrf = array(
'name' => $this->security->get_csrf_token_name(),
'hash' => $this->security->get_csrf_hash()


<input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />

By default, the CSRF tokens regenerated every time when a user submits the form. We can also keep it the same throughout the life of the CSRF cookie, by setting the value TRUE, in the config array with the key 'csrf_regenerate'.

$config['csrf_regenerate'] = TRUE;

We can also whitelist the URLs from CSRF protection by editing the 'csrf_exclude_uris' config parameter:

$config['csrf_exclude_uris'] = array('api/person/add');

Password handling:

It is very necessary to use a strong password handling mechanism to prevent your application from hackers. Some password handling points are listed below. Please read carefully and use.

  • DO NOT store passwords in plain-text format
  • Always hash your passwords
  • Do hashing, not encoding. DO NOT use Base64 or similar encoding for storing passwords
  • DON’T invent your own algorithms. Only use strong password hashing algorithms like BCrypt, which is used in PHP’s own Password Hashing functions
  • DO NOT ever display or send a password in plain-text format!
  • Just randomly generate a new, one-time (this is also important) password and send that instead, if you need a "Forgotten password" feature

  • DO NOT put unnecessary limits on your users’ passwords.

Best WordPress Hosting


Discount Coupons

Get a .COM for just $6.98

Secure Domain for a Mini Price

Leave a Reply

    Waiting for your comments