CodeIgniter Security
Security is one of the most important aspects of any web application.
CodeIgniter provides built-in security features to help protect your application from common threats such as:
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Malicious file uploads
- Session hijacking
This tutorial explains how to use CodeIgniter’s security features step by step.
🔹 1. SQL Injection Protection
CodeIgniter’s Query Builder automatically escapes values, preventing SQL injection.
✅ Example (Safe):
$this->db->where('id', $this->input->get('id'));
$query = $this->db->get('users');
⚠️ Avoid writing raw queries with user input unless you escape them properly:
// Unsafe ❌
$query = $this->db->query("SELECT * FROM users WHERE id=" . $_GET['id']);
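The safe alternatives side by side, as an added example that is not part of the original tutorial: the Query Builder, a raw query using CodeIgniter 3 query bindings, and a raw query with manual escaping. The users table, its columns, and the model and controller names are assumptions.

```php
<?php
// Added example, not from the tutorial: one model, three ways to run a
// lookup without letting user input reach the SQL unescaped.
// The "users" table, its columns and the class names are assumptions.
class User_model extends CI_Model
{
    // 1. Query Builder: where() escapes and quotes the value for you.
    public function get_by_id_builder($id)
    {
        return $this->db->where('id', $id)->get('users')->row();
    }

    // 2. Raw SQL with query bindings: every ? is replaced by an escaped,
    //    quoted value, so the id is always a literal and never SQL.
    public function get_by_id_bound($id)
    {
        $sql = 'SELECT id, username FROM users WHERE id = ? AND status = ?';
        return $this->db->query($sql, array($id, 'active'))->row();
    }

    // 3. Raw SQL with manual escaping: escape_like_str() escapes quotes and
    //    the LIKE wildcards % and _ (using "!" as the escape character), but
    //    does not add the surrounding quotes or the ESCAPE clause itself.
    public function search_by_username($username)
    {
        $sql = "SELECT id, username FROM users WHERE username LIKE '%"
             . $this->db->escape_like_str($username) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }
}

// application/controllers/Users.php: read the id with XSS filtering on
// (second parameter TRUE) and hand it to the model, which does the escaping.
class Users extends CI_Controller
{
    public function show()
    {
        $this->load->model('user_model');
        $user = $this->user_model->get_by_id_bound($this->input->get('id', TRUE));
        if ($user === NULL) {
            show_404();
        }
        $this->load->view('user', array('user' => $user));
    }
}
```

With bindings or the Query Builder, an id such as `1 OR 1=1` is quoted as one string literal and compared against the id column, so the query shape the developer wrote is the only one the database ever sees. Prefer bindings over `escape()` whenever the query can be expressed with placeholders.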
🔹 2. Cross-Site Scripting (XSS) Filtering
XSS attacks happen when hackers inject malicious JavaScript into your site.
CodeIgniter provides an xss_clean() function to filter inputs.
✅ Example:
$data = $this->input->post('username', TRUE);
// Second parameter TRUE applies XSS Filtering
Or use Security Class:
$this->security->xss_clean($data);
🔹 3. Cross-Site Request Forgery (CSRF) Protection
CSRF attacks trick users into submitting unwanted actions.
CodeIgniter provides CSRF protection using a hidden token.
Enable CSRF in application/config/config.php
$config['csrf_protection'] = TRUE;
Example in Forms:
<?php echo form_open('form/submit'); ?>
<input type="text" name="name">
<input type="submit" value="Submit">
<?php echo form_close(); ?>
CodeIgniter will automatically add a CSRF hidden token in the form and validate it.
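The full set of CSRF settings CodeIgniter 3 reads, plus a hand-written form that supplies the token without form_open(), as an added example that is not part of the original tutorial. The field names, the contact view and the Form controller are assumptions; the URL helper is assumed to be loaded for site_url().

```php
<?php
// Added example, not from the tutorial. Field names, view and controller
// names are assumptions.

// --- application/config/config.php: the CSRF settings CodeIgniter 3 reads ---
$config['csrf_protection']   = TRUE;
$config['csrf_token_name']   = 'csrf_token';   // POST field / hidden input name
$config['csrf_cookie_name']  = 'csrf_cookie';  // cookie carrying the expected value
$config['csrf_expire']       = 7200;           // seconds before a token expires
$config['csrf_regenerate']   = TRUE;           // fresh token on every request
$config['csrf_exclude_uris'] = array();        // keep this list as short as possible

// --- application/views/contact.php: a hand-written form (no form_open) ---
// form_open() inserts the hidden field for you; if you write the <form> tag
// yourself, add the field explicitly or every POST is rejected with a 403.
?>
<form method="post" action="<?php echo site_url('form/submit'); ?>">
  <input type="hidden"
         name="<?php echo $this->security->get_csrf_token_name(); ?>"
         value="<?php echo $this->security->get_csrf_hash(); ?>">
  <input type="text" name="name">
  <input type="submit" value="Submit">
</form>
<?php
// --- application/controllers/Form.php ---
// Nothing CSRF-specific is needed here: the Security class verifies the
// token on every POST before the controller runs. The check applies to
// POST only, so never change state in response to a GET request.
class Form extends CI_Controller
{
    public function submit()
    {
        $name = $this->input->post('name', TRUE);
        $this->load->view('thanks', array('name' => $name));
    }
}
```

With csrf_regenerate set to TRUE the token changes on every request, so a JavaScript client must read the current value from the csrf_cookie_name cookie (or from the page) right before each POST; setting it to FALSE keeps one token for the csrf_expire window, which is simpler for AJAX-heavy pages but gives an attacker a longer-lived value if it ever leaks.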
🔹 4. Password Hashing
Never store plain text passwords ❌.
Use password_hash() and password_verify().
✅ Example:
// Storing password
$hash = password_hash($this->input->post('password'), PASSWORD_BCRYPT);
// Verifying password
if (password_verify($this->input->post('password'), $hash)) {
echo "Password Matched!";
}
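A model that registers and verifies users with these two functions, and upgrades old hashes on login with password_needs_rehash(), as an added example that is not part of the original tutorial. The users table with columns id, username and password_hash is an assumption.

```php
<?php
// Added example, not from the tutorial. The "users" table with columns
// id, username and password_hash is an assumption.
class User_model extends CI_Model
{
    // bcrypt work factor: PHP's default is 10; raise it as hardware gets faster.
    const BCRYPT_COST = 12;

    public function register($username, $plain_password)
    {
        // password_hash() generates a random salt and embeds it in the result,
        // so no separate salt column is needed. bcrypt only uses the first
        // 72 bytes of the password; longer inputs are silently truncated.
        $hash = password_hash($plain_password, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST));
        return $this->db->insert('users', array(
            'username'      => $username,
            'password_hash' => $hash,
        ));
    }

    // Returns the user row on success, FALSE otherwise. The same answer is
    // given for "unknown user" and "wrong password", so the response does
    // not reveal which usernames exist.
    public function verify_login($username, $plain_password)
    {
        $user = $this->db->where('username', $username)->get('users')->row();
        if ($user === NULL || ! password_verify($plain_password, $user->password_hash)) {
            return FALSE;
        }
        // Hashes created with an older cost (or algorithm) are upgraded on
        // the next successful login, while the plaintext is still in hand.
        if (password_needs_rehash($user->password_hash, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST))) {
            $this->db->where('id', $user->id)->update('users', array(
                'password_hash' => password_hash($plain_password, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)),
            ));
        }
        return $user;
    }
}
```

The stored value already contains the algorithm, cost and salt (`$2y$12$...`), which is what lets password_needs_rehash() notice when the configured cost has changed.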
🔹 5. Preventing File Upload Attacks
When uploading files, always restrict file types and sizes.
✅ Example:
$config['upload_path'] = './uploads/';
$config['allowed_types'] = 'jpg|png|gif';
$config['max_size'] = 2048; // in kilobytes, i.e. 2 MB
$this->load->library('upload', $config);
if (!$this->upload->do_upload('userfile')) {
echo $this->upload->display_errors();
} else {
$data = $this->upload->data();
echo "File uploaded successfully!";
}
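A hardened version of the same upload flow, as an added example that is not part of the original tutorial: the file is stored outside the web root under a random name, the MIME type is detected from content, and only the stored name is kept. The paths, the uploads table, the view names and the userfile field are assumptions.

```php
<?php
// Added example, not from the tutorial. Paths, the "uploads" table, the
// view names and the form field name are assumptions.
class Upload extends CI_Controller
{
    public function do_upload()
    {
        $config = array(
            // Outside the web root: an uploaded file can be stored but never
            // requested (or executed) directly by URL.
            'upload_path'      => FCPATH . '../uploads/',
            'allowed_types'    => 'jpg|png|gif',
            'max_size'         => 2048,   // kilobytes
            'max_width'        => 4000,   // pixels, for images; 0 disables the limit
            'max_height'       => 4000,
            'encrypt_name'     => TRUE,   // random name on disk; the client name is never used
            'file_ext_tolower' => TRUE,   // ".JPG" is checked the same as ".jpg"
            'detect_mime'      => TRUE,   // sniff the real type instead of trusting the browser
        );
        $this->load->library('upload', $config);

        if ( ! $this->upload->do_upload('userfile')) {
            $this->load->view('upload_form', array(
                'error' => $this->upload->display_errors('<p>', '</p>'),
            ));
            return;
        }

        $file = $this->upload->data();
        if ( ! $file['is_image']) {
            // allowed_types already restricts this; an image-only feature
            // still refuses anything that did not pass the image check.
            unlink($file['full_path']);
            show_error('Only images are accepted.', 400);
        }

        // Keep the original name for display only; the random stored name is
        // what the application uses to locate the file later.
        $this->db->insert('uploads', array(
            'stored_name'   => $file['file_name'],
            'original_name' => $file['client_name'],
            'mime_type'     => $file['file_type'],
            'size_kb'       => $file['file_size'],
        ));
        $this->load->view('upload_success');
    }
}
```

Because the files live outside the document root, they are served back through a controller that looks up the stored name and sets the Content-Type itself, which keeps the web server from ever interpreting an upload as a script.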
🔹 6. Session Security
To secure sessions:
- Always use database sessions.
- Regenerate session IDs on login.
✅ Example:
$this->session->sess_regenerate(TRUE);
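The session settings that implement the two rules above, with a login that regenerates the id and a logout that destroys the session, as an added example that is not part of the original tutorial. The Auth controller, the users table with a password_hash column and the dashboard route are assumptions; the ci_sessions table is the one described in the CodeIgniter 3 session documentation.

```php
<?php
// Added example, not from the tutorial. Controller, table and route names
// are assumptions.

// --- application/config/config.php: database sessions, hardened cookie ---
$config['sess_driver']             = 'database';
$config['sess_cookie_name']        = 'ci_session';
$config['sess_expiration']         = 7200;          // seconds; 0 = until the browser closes
$config['sess_save_path']          = 'ci_sessions'; // table name for the database driver
$config['sess_match_ip']           = FALSE;
$config['sess_time_to_update']     = 300;           // rotate the id automatically every 5 minutes
$config['sess_regenerate_destroy'] = TRUE;          // delete the old session row on rotation
// The cookie flags apply to the session cookie too:
$config['cookie_secure']   = TRUE;   // only sent over HTTPS
$config['cookie_httponly'] = TRUE;   // not readable from JavaScript

// --- application/controllers/Auth.php ---
class Auth extends CI_Controller
{
    public function login()
    {
        $this->load->library('session');
        $username = $this->input->post('username', TRUE);
        $password = $this->input->post('password');   // never XSS-filter a password: it is hashed, not displayed

        $user = $this->db->where('username', $username)->get('users')->row();
        if ($user === NULL || ! password_verify($password, $user->password_hash)) {
            $this->load->view('login', array('error' => 'Invalid username or password.'));
            return;
        }

        // Replace the pre-login session id (and destroy the old record) so an
        // id handed to the browser before authentication is never promoted
        // to an authenticated one.
        $this->session->sess_regenerate(TRUE);
        $this->session->set_userdata(array(
            'user_id'   => $user->id,
            'logged_in' => TRUE,
        ));
        redirect('dashboard');
    }

    public function logout()
    {
        $this->load->library('session');
        // Removes the server-side record and the cookie, not just the userdata keys.
        $this->session->sess_destroy();
        redirect('login');
    }
}
```

Database sessions keep the session contents on the server and only the random id in the cookie; combined with cookie_secure and cookie_httponly, the id is not exposed over plain HTTP or to scripts running in the page.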
🔹 7. Global Security Functions
CodeIgniter has helper functions:
- html_escape($string) → Prevents XSS by escaping HTML.
- $this->input->get_post('name', TRUE) → Fetches input with XSS filtering.
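Sections 2 and 7 together, as an added example that is not part of the original tutorial: a controller that reads input with the XSS filter on, and a view that still escapes every value at output, including a JavaScript context where html_escape() is not enough. The Profile controller, the view name and the field names are assumptions.

```php
<?php
// Added example, not from the tutorial. Controller, view and field names
// are assumptions.

// --- application/controllers/Profile.php ---
class Profile extends CI_Controller
{
    public function save()
    {
        // Second parameter TRUE runs xss_clean() on the value (section 2).
        $display_name = $this->input->post('display_name', TRUE);
        // get_post() looks in POST first, then GET, with the same filter flag.
        $search = $this->input->get_post('q', TRUE);
        $this->load->view('profile', array(
            'display_name' => $display_name,
            'search'       => $search,
        ));
    }
}
?>
<?php // --- application/views/profile.php --- ?>
<!-- Input filtering is a safety net; escaping at output is the actual control,
     and it is done in every context the value lands in. -->
<h1>Hello, <?php echo html_escape($display_name); ?></h1>

<!-- HTML attribute context: html_escape() also encodes the quotes. -->
<input type="text" name="q" value="<?php echo html_escape($search); ?>">

<script>
  // JavaScript context: html_escape() is not the right encoder here.
  // json_encode() with the HEX flags yields a string literal that cannot
  // close the script block or break out of the quotes.
  var lastSearch = <?php echo json_encode($search, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
</script>
```

xss_clean() is a pattern-based sanitizer: it rewrites input it recognises as dangerous, which is useful for content that must keep some markup, but it is not a substitute for html_escape() on output. Storing the raw value and escaping where it is rendered also means the same stored data can be shown safely in HTML, in an attribute or in a script.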