Security in CodeIgniter
- CodeIgniter does not allow all types of characters in URI strings.
- For security reasons, it only allows a small set of useful, commonly used characters.
- This minimizes the possibility of malicious data being passed into your application.
- URIs may only contain the following:
1 Alpha-numeric text (Latin characters only)
2 Tilde: ~
3 Percent sign: %
4 Period: .
5 Colon: :
6 Underscore: _
7 Dash: -
In CodeIgniter, all global variables that are found in the global arrays ($_POST, $_GET, $_FILES, $_REQUEST, $_COOKIE) are unset during system initialization.
XSS(Cross-Site Scripting) Filtering:
- We can use the xss_clean() function to pass data through the XSS filter.
$data = $this->security->xss_clean($data);
This function is most commonly used to prevent cross-site scripting in data submitted through forms.
It takes an optional second Boolean parameter, which is used to check an image file for XSS attacks.
if ($this->security->xss_clean($file, TRUE) === FALSE)
{
    // file failed the XSS test
}
To filter HTML attribute values, use the html_escape() function.
SQL Injection Prevention:
- This type of attack is made on database queries.
- To prevent SQL injection, native PHP provides the mysql_real_escape_string() function (removed in PHP 7; mysqli_real_escape_string() is its successor).
- CodeIgniter has its own libraries and built-in methods to prevent these types of attacks.
- In CodeIgniter, we use the following three ways:
- Escaping Queries
- Query Binding
- Active Record Class
1 Escaping Queries: The escape() method determines the data type so that it escapes only string data. It also adds the single quotes around the data automatically.
$email = $this->input->post('email');
$query = 'SELECT * FROM `student` WHERE email = '.$this->db->escape($email);
2 Query Binding: This method produces safe queries by escaping the bound values automatically.
$sql = "SELECT * FROM `student` WHERE id = ? AND email = ? AND name = ?";
$this->db->query($sql, array(5, 'email@example.com', 'Ramesh'));
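In the above example, each question mark (?) is replaced by the corresponding value from the array passed as the second parameter of the query() function.
3 Active Record class: Queries built with the Active Record methods use a safe query syntax, because the values are escaped automatically.
// The start of this call was cut off in the source; get_where() is assumed here.
$this->db->get_where('student', array('class' => '4', 'email' => 'firstname.lastname@example.org'));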
CSRF (Cross-Site Request Forgery) protection:
We can enable CSRF protection by changing our application/config/config.php file in the following way:
$config['csrf_protection'] = TRUE;
If you are using form helper in your application and creating all your forms by using the form_open() function, then this setting from the config.php file will automatically insert a hidden CSRF field in your forms.
We can also add the CSRF field manually by using get_csrf_token_name() and get_csrf_hash().
$csrf = array(
    'name' => $this->security->get_csrf_token_name(),
    'hash' => $this->security->get_csrf_hash()
);
<input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>" />
By default, the CSRF token is regenerated every time a user submits a form. We can also keep it the same throughout the life of the CSRF cookie by setting the 'csrf_regenerate' key in the config array to FALSE (TRUE, the default, regenerates the token on every submission).
$config['csrf_regenerate'] = FALSE;
We can also whitelist URIs so that they are exempt from CSRF protection by editing the 'csrf_exclude_uris' config parameter:
$config['csrf_exclude_uris'] = array('api/person/add');
Strong password handling is essential to protect your application from attackers. Some password handling points are listed below. Please read them carefully and apply them.
- DO NOT store passwords in plain-text format
- Always hash your passwords
- Do hashing, not encoding. DO NOT use Base64 or similar encoding for storing passwords
- DON’T invent your own algorithms. Only use strong password hashing algorithms like BCrypt, which is used in PHP’s own Password Hashing functions
- DO NOT ever display or send a password in plain-text format!
- DO NOT put unnecessary limits on your users’ passwords.
If you need a "Forgotten password" feature, just randomly generate a new, one-time (this is also important) password and send that instead.
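The password points above, put together as an added example (not code from the original page or from CodeIgniter itself), using PHP's own Password Hashing functions with BCrypt and a random one-time password for the "Forgotten password" case. The function names, the cost of 12, the 15-minute lifetime and the row layout are assumptions made for illustration.

```php
<?php
// Added example. Function names, cost and row layout are hypothetical.
const HASH_OPTS = ['cost' => 12]; // assumed bcrypt work factor

// Store this string, never the plain-text password. The salt is generated
// automatically and embedded in the returned hash.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, HASH_OPTS);
}

// Returns [valid, new_hash]; new_hash is non-null when the stored hash was
// made with weaker settings and should be replaced in the database.
function verify_password(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTS);
    return [true, $stale ? hash_password($plain) : null];
}

// "Forgotten password": random one-time password from the CSPRNG. Only its
// hash and an expiry are stored; the plain value goes to the user once.
function issue_one_time_password(int $ttl = 900): array
{
    $otp = bin2hex(random_bytes(16));
    return [$otp, ['hash' => hash_password($otp), 'expires' => time() + $ttl, 'used' => false]];
}

// Accepts the one-time password only once and only before it expires.
function redeem_one_time_password(string $otp, array &$row): bool
{
    if ($row['used'] || time() > $row['expires'] || !password_verify($otp, $row['hash'])) {
        return false;
    }
    $row['used'] = true; // persist this flag together with the password change
    return true;
}

// Constructed demo values, not real credentials.
$stored = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored)[0]);
var_dump(verify_password('wrong guess', $stored)[0]);
[$otp, $row] = issue_one_time_password();
var_dump(redeem_one_time_password($otp, $row)); // first use
var_dump(redeem_one_time_password($otp, $row)); // replay of the same value
```

In an application the `$row` array would be a database record tied to the user account, and the user would be required to choose a new password immediately after redeeming the one-time value.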