Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
268
CodeIgniter has some built-in security processes that will help you sleep better at night, including the
following:
The out-of-the-box configuration only allows certain characters in URI strings. You can add
more allowable characters by editing the /system/application/config/config.php file, but doing
so will create further openings for certain attacks. The allowable characters are:
Alphanumeric text
Tilde (~)
Period (.)
Colon (:)
Underscore (_)
Dash (-)
The global GET array is unset by CodeIgniter's Input class and is therefore totally disallowed
(you can turn this back on if you indicate use of query strings in the config.php file), but you
will still need to process and escape any URI segments that you work with.
The PHP globals POST and COOKIE are allowed, but all other globals are disallowed.
The magic_quotes_runtime directive is turned off, which means that you don't have to remove
slashes when you query data from the database.
Filtering User Input
The first step in securing your application has to do with filtering any and all user input -- and, in fact, filtering
any and all data coming from any process (such as POST, COOKIE, server systems, log files, whatever).
For the most part, this work of filtering user input will be done in the models. It is in the models that you
take URI segments or POST data (for example) and do something useful with them (like insert data into
a database or retrieve data from a table). In some cases, you'll need to fortify your controllers as well.
One way to attack the problem is to edit the models in alphabetical order, starting with MAdmins and
proceeding through to MSubscribers.
Securing the MAdmins Model
First, it's helpful to imagine the MAdmins model stripped of all the security you've already put in.
Imagine that there is no XSS filtering happening, and that there's no dohash() in operation for
passwords. At the end of this section, you'll put the code back to where it was at the end of Chapter 6
and run through it again.
Why are you rewriting history, as it were? Because you need to understand how to secure an application,
and this section introduces you to two approaches. The first is fairly manual, and the second involves
extending the CodeIgniter Security helper.
With that in mind, let's delve into the MAdmins model.
The most important function to protect is the verifyUser() function. Specifically, you want to use
$this->db->escape() to escape the incoming username and password strings.
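As an added illustration of that point (example code written for this edit, not the book's own MAdmins listing), here is a minimal CodeIgniter 1.x model whose verifyUser() passes both incoming strings through $this->db->escape() and hashes the password with dohash() before it reaches the query. The table name admins, its columns, and the return convention are assumptions made for this example; a second method shows the same check written with CodeIgniter's query bindings, which escape the values for you.

```php
<?php
// Added example, not the book's own code. Assumes CodeIgniter 1.x, a table
// named `admins` with `id`, `username` and `password` columns (assumption),
// and the Security helper, which provides dohash().
class MAdmins extends Model {

    function MAdmins() {
        parent::Model();
        $this->load->helper('security');
    }

    // Returns the admin's id on success, or 0 when no single row matches.
    function verifyUser($u, $pw) {
        // dohash() produces the same digest that was stored when the account
        // was created, so the cleartext password is never sent to the database.
        $hashed = dohash($pw);

        // $this->db->escape() returns the value wrapped in quotes with any
        // embedded quotes and backslashes escaped, so a username such as
        // admin' OR '1'='1 stays inside the string literal instead of
        // terminating it and altering the WHERE clause.
        $sql = "SELECT id FROM admins"
             . " WHERE username = " . $this->db->escape($u)
             . " AND password = " . $this->db->escape($hashed)
             . " LIMIT 1";

        $query = $this->db->query($sql);
        if ($query->num_rows() == 1) {
            $row = $query->row();
            return $row->id;
        }
        return 0;
    }

    // Same check using query bindings: each ? is replaced by the escaped
    // value from the array, so the escaping cannot be forgotten for one column.
    function verifyUserBound($u, $pw) {
        $sql = "SELECT id FROM admins WHERE username = ? AND password = ? LIMIT 1";
        $query = $this->db->query($sql, array($u, dohash($pw)));
        if ($query->num_rows() == 1) {
            $row = $query->row();
            return $row->id;
        }
        return 0;
    }
}
```

Note that $this->db->escape() already adds the surrounding quotes, so the SQL string concatenates the escaped value directly after the = sign rather than wrapping it in quotes a second time; doubling the quotes is a common mistake that produces a query which never matches.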
c09.indd 268
6/10/08 5:37:58 PM