Home » CodeIgniter Security Class

CodeIgniter Security Class

by Online Tutorials Library

CodeIgniter Security Class

CodeIgniter contain security class methods which will help to create a secure application and process input data. The methods are given below.

  • XSS Filtering
  • CSRF (Cross-site Request Forgery)
  • Class Reference

XSS Filtering

XSS stands for Cross-site Scripting. It is used to disable JavaScript or other types of code that try to hijack cookies and perform other type of malicious acts. When it encounters anything harmful, it is rendered safe by converting the data to character entities.

XSS filtering uses xss_clean() method to filer data.

There is an optional second parameter, is_image, which is used to test images for XSS attacks. When this parameter is set to TRUE, it doesn’t return an altered string, instead it returns TRUE if image is safe and FALSE if it contains malicious information.

CSRF (Cross-site Request Forgery)

To enable CSRF do the following settings in application/config/config.php file.

If you are using form helper, then a hidden csrf field will be automatically inserted in your form_open()/ field.

Otherwise, you can manually add it using,

get_csrf_token_name() (it returns name of csrf) and

get_csrf_hash() (it returns value of csrf).

Generated tokens may be kept same throughout the life of CSRF cookie or may be regenerated on every submission. The default generation of token provides a better security but it also have usability concerns as other tokens like multiple tabs/windows, asynchronous actions, etc become invalid. Regeneration behavior can be set in application/config/config.php file as shown below.

Class Reference

Parameters – $str (mixed) ? input string or an array of strings

Returns – XSS-clean data

Return-type – mixed

From input data it removes XSS exploits and returns the clean string.

Parameters – $str (string) ? File name/path

$relative_path (bool) ? Whether tp preserve any directories in the file path

Returns – Sanitized file name/path

Return-type – string

It prevents directory traversal and other security threats by sanitizing filenames. It is mainly useful for files which were supplied via user input.

Parameters – $str (string) ? Input string

$charset (string) ? Character set of the input string

Returns – Entity-decoded string

Return-type – string

It tries to detect HTML entities that don’t end in a semicolon because some browser allows that.

$charset parameter is left empty, then your configure value in $config[‘charset’] will be used.

Parameters – $length (int) ? Output length

Returns – A binary system of random bytes or FALSE on failure.

Return-type – string

It is used for generating CSRF and XSS tokens.

You may also like