CodeIgniter Security tips

The security of your web application cannot be left to chance. Symantec, one of the world's best-known security firms, singles out four vulnerability classes that account for most web application compromises: cross-site scripting (XSS), SQL injection, username enumeration and remote code execution.

The evaluation below shows the results of tests run against a sample CodeIgniter web application to assess how well the framework holds up in each of those areas. If you write PHP web applications, CodeIgniter has a fair amount to offer in terms of security, provided its features are switched on and used correctly.




Remote Code Execution

This type of attack allows an attacker to run code of their choosing on the server, for example by requesting a script that was never meant to be reached directly, or by feeding shell commands or PHP into an application that executes them. CodeIgniter counters the first route with two measures.

First, the .htaccess file should route every request through index.php, so that only directories which pose minimal risk if reached directly, such as img/, are served as files. The usual rules, with the RewriteRule the snippet on the original page left out:

# Send everything except the front controller, static images and
# robots.txt through index.php, so no other .php file is reachable by URL.
RewriteEngine On
RewriteCond $1 !^(index\.php|img|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]

Second, every PHP file under application/ in CodeIgniter starts with the following guard:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

BASEPATH is defined only when execution enters through index.php, so a request that reaches application/controllers/Foo.php directly (for instance because the web root was misconfigured or the rewrite rules are not active) exits before any of the file's code runs. Be clear about what these two measures do and do not cover: they stop direct requests to framework and application files, not code execution through a flaw in your own code, such as passing user input to eval(), include() or unserialize(), or accepting an uploaded .php file into a web-served directory. Those have to be avoided in the application itself.

SQL Injection

This type of attack is extremely common. A SQL injection occurs when an attacker supplies crafted form or URL data that is copied into a SQL statement, changing the statement's meaning so that they can read or modify data they should never reach. The CodeIgniter manual is often read as saying the framework makes you immune to this, but that is not what it says. $this->input->post('field') only fetches the value (and, when asked to, runs the XSS filter); it does not escape anything for SQL. The protection lives in the database layer: Active Record (called Query Builder from CodeIgniter 3) and query bindings escape values automatically, whereas a raw $this->db->query() built by string concatenation is exactly as injectable as plain PHP.

The relevant passage of the CodeIgniter User Manual:

“Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.”
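The difference between the injectable and the escaped forms, as an added example that is not from the original post or from CodeIgniter itself. It is a CodeIgniter 3 model and assumes the database library is loaded and a hypothetical users table with username, email and created_at columns:

```php
<?php
// Added example (not from the original post): a CodeIgniter 3 model showing
// three ways to look up a user by name. Assumes $this->db is loaded and a
// hypothetical `users` table with `username`, `email`, `created_at` columns.
defined('BASEPATH') OR exit('No direct script access allowed');

class User_model extends CI_Model
{
    // UNSAFE: the username is spliced into the SQL text. Submitting
    //   ' OR '1'='1
    // turns the WHERE clause into a tautology and returns the first row of
    // the table; ' UNION SELECT ... -- reads any other table.
    public function find_unsafe($username)
    {
        $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->row_array();
    }

    // SAFE: query bindings. Every ? is replaced by an escaped, quoted value,
    // so the input is always data, never SQL, whatever it contains.
    public function find_with_bindings($username)
    {
        $sql = "SELECT * FROM users WHERE username = ?";
        return $this->db->query($sql, array($username))->row_array();
    }

    // SAFE: Active Record / Query Builder. Values given to where() are
    // escaped automatically by the database adapter.
    public function find_with_query_builder($username)
    {
        return $this->db
            ->where('username', $username)
            ->get('users')
            ->row_array();
    }

    // Escaping covers values only. A column name chosen by the client (for
    // sorting, say) is an identifier, not a value, so whitelist it instead.
    public function list_sorted($sort)
    {
        $allowed = array('username', 'email', 'created_at');
        if ( ! in_array($sort, $allowed, TRUE)) {
            $sort = 'username';
        }
        return $this->db->order_by($sort, 'ASC')->get('users')->result_array();
    }

    // If you really must build a string yourself, escape each value with
    // $this->db->escape(), which adds the quotes as well.
    public function find_with_manual_escape($username)
    {
        $sql = "SELECT * FROM users WHERE username = " . $this->db->escape($username);
        return $this->db->query($sql)->row_array();
    }
}
```

The point of the first method is that it is what many tutorials still show, and nothing in $this->input->post() stops it from being exploitable; only the form of the query decides.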

XSS Attacks

An XSS or cross-site scripting attack is one of the most common ways a web application is compromised. It works by getting a victim's browser to run script the attacker controls, typically by crafting a URL whose parameter is reflected into the page, or by storing the payload (in a profile field, a comment) so that it is served to every visitor. CodeIgniter ships an XSS filter, but it is not on by default: enable it globally with $config['global_xss_filtering'] = TRUE; in config.php, or per call with $this->input->post('field', TRUE) or $this->security->xss_clean($data). The filter neutralises known script patterns on the way in; the reliable defence is still to escape data where it is written into the page, with html_escape() in views.

As a second check, the Firefox add-on XSS Me can be used to fire its 96 attack strings at the sample application's forms. The results are shown in the image below: none of the form fields reflected its input unencoded, which means the XSS filter within CodeIgniter did its job for those payloads. Bear in mind that such a scanner only exercises the reflected cases it knows about; stored XSS and output in non-HTML contexts (attribute values, JavaScript, URLs) need escaping that matches the context.
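Input filtering and output escaping side by side, as an added example that is not from the original post or from CodeIgniter. The Search controller, its results view and the q parameter are assumed for the illustration; the controller and the view are shown in one fence with a comment marking where the second file begins:

```php
<?php
// application/controllers/Search.php  (added example, not from the post)
// Assumes CodeIgniter 3. The `q` parameter and `results` view are made up.
defined('BASEPATH') OR exit('No direct script access allowed');

class Search extends CI_Controller
{
    public function index()
    {
        $raw  = $this->input->get('q');        // honours global_xss_filtering
        $term = $this->input->get('q', TRUE);  // always run through xss_clean()

        $this->load->view('results', array('raw' => $raw, 'term' => $term));
    }
}
?>
<!-- application/views/results.php (second file, same fence for brevity) -->

<!-- WRONG: written unescaped. A payload the filter did not recognise, or a
     value that arrived through a path that bypassed the filter, becomes
     markup and runs in the visitor's browser. -->
<p>Results for <?php echo $raw; ?></p>

<!-- RIGHT: escape where the value enters HTML. html_escape() wraps
     htmlspecialchars() with ENT_QUOTES and the application charset, so
     < > & " ' can neither close this tag nor open another. -->
<p>Results for <?php echo html_escape($term); ?></p>

<!-- Attribute context: escape, and always quote the attribute, otherwise a
     space in the value starts a new attribute such as onmouseover=... -->
<input type="text" name="q" value="<?php echo html_escape($term); ?>">

<!-- Script context: HTML escaping is the wrong tool here. Emit a JSON
     literal with the HTML-significant characters hex-escaped so that a
     </script> inside the value cannot end the block. -->
<script>
  var term = <?php echo json_encode($term, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
</script>
```

Filtering on input and escaping on output are complementary: the filter limits what gets stored, the escaping guarantees that whatever is stored cannot change the structure of the page it is printed into.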

Username enumeration

Username enumeration is the ability to tell valid usernames from invalid ones, which turns a blind password-guessing attack into a much narrower one. On the registration form, a callback to a username_unique function in your controller (see image below) checks for an existing username and, if num_rows() == 1, refuses to create a second account with the same name. That check prevents duplicate accounts; it does not by itself prevent enumeration, since "username not available" confirms that the name exists. Registration forms generally accept that trade-off. What matters is that the login and password-reset flows do not leak the same information.

Those flows should return one consistent, generic error for every failure ("invalid username or password", "if that address is registered, a reset link has been sent"), take roughly the same time whether or not the username exists, and never show a list of valid usernames, which an attacker could use to make educated guesses.
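The login side of the problem, as an added example that is not from the original post or from CodeIgniter. It is a CodeIgniter 3 controller and assumes a User_model with find_by_username() and find_by_email() returning a row array (or NULL) whose password_hash column holds a bcrypt hash, a send_reset_link() helper, and a loaded session library:

```php
<?php
// Added example (not from the original post): an Auth controller that gives
// the same answer and does the same work whether or not the username exists.
// Assumes CodeIgniter 3, a User_model (find_by_username, find_by_email,
// send_reset_link) and a bcrypt `password_hash` column; all hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Auth extends CI_Controller
{
    private $dummy_hash;

    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model');
        // A hash to verify against when the username is unknown, so that a
        // failed login costs the same bcrypt work either way. Without this,
        // response time alone tells the attacker which names exist. (One
        // extra hash per request; store it in config to avoid the cost.)
        $this->dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    public function login()
    {
        $username = (string) $this->input->post('username');
        $password = (string) $this->input->post('password');

        $user = $this->user_model->find_by_username($username);
        $hash = $user ? $user['password_hash'] : $this->dummy_hash;

        // One check, one message. Do not branch into "no such user" and
        // "wrong password": both must look identical to the client.
        $ok = password_verify($password, $hash) && $user !== NULL;

        if ( ! $ok) {
            $this->session->set_flashdata('error', 'Invalid username or password.');
            redirect('auth/login');
            return;
        }

        $this->session->sess_regenerate(TRUE);   // fresh session id after login
        $this->session->set_userdata('user_id', (int) $user['id']);
        redirect('dashboard');
    }

    public function forgot_password()
    {
        $email = (string) $this->input->post('email');
        $user  = $this->user_model->find_by_email($email);

        if ($user) {
            $this->user_model->send_reset_link($user);
        }

        // Same response whether or not the address is registered.
        $this->session->set_flashdata('info',
            'If that address is registered, a reset link has been sent.');
        redirect('auth/login');
    }
}
```

The two things to check in your own controllers are that no code path produces a different message for an unknown user, and that no code path returns early before the password check, since both are visible to an attacker timing the responses.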


Other security Features in CodeIgniter

Apart from the ones mentioned above, there are a few smaller measures developers can apply. For example, make sure one user cannot reach another user's account, and a lower-privileged user group cannot reach an administrator's functions, within the same session.

Do this by storing the authenticated user's id and type in the session at login and checking them on every request that touches account data: the record being read or changed must belong to the user in the active session, and the user type must permit the action. Never base that decision on an id or role that arrives in the URL or the form post, because the client can change those at will.
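The check in code, as an added example that is not from the original post or from CodeIgniter. It is a CodeIgniter 3 controller and assumes that login stored user_id and user_type in the session, and a hypothetical Account_model with find($id) and update_email($id, $email):

```php
<?php
// Added example (not from the original post): account access tied to the
// session rather than to client-supplied ids. Assumes CodeIgniter 3, that
// login set `user_id` and `user_type` in the session, and a hypothetical
// Account_model with find() and update_email().
defined('BASEPATH') OR exit('No direct script access allowed');

class Account extends CI_Controller
{
    private $user_id;
    private $user_type;

    public function __construct()
    {
        parent::__construct();
        $this->load->model('account_model');
        $this->user_id   = (int) $this->session->userdata('user_id');
        $this->user_type = (string) $this->session->userdata('user_type');

        if ($this->user_id === 0) {
            redirect('auth/login');   // not logged in at all
        }
    }

    // WRONG: trusts the id in the URL. /account/view_unsafe/42 shows account
    // 42 to any logged-in user, whoever it belongs to.
    public function view_unsafe($id)
    {
        $data['account'] = $this->account_model->find((int) $id);
        $this->load->view('account', $data);
    }

    // RIGHT: the id comes from the session, so a user can only ever see
    // their own record. Nothing in the request selects the account.
    public function view()
    {
        $data['account'] = $this->account_model->find($this->user_id);
        $this->load->view('account', $data);
    }

    // Looking at someone else's account is a privilege of the admin type,
    // and the type is read from the session, never from the request.
    public function view_as_admin($id)
    {
        if ($this->user_type !== 'admin') {
            show_error('Forbidden', 403);
        }
        $data['account'] = $this->account_model->find((int) $id);
        $this->load->view('account', $data);
    }

    // Writes follow the same rule: the row updated is the session user's.
    public function update_email()
    {
        $email = $this->input->post('email');
        $this->account_model->update_email($this->user_id, $email);
        redirect('account/view');
    }
}
```

Putting the session lookup in the constructor means every method in the controller sees the same authenticated identity, and there is no way to forget the check in one of them.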

When it comes to storing passwords, do not use MD5 (or SHA-1, or any other fast hash). MD5 is not encryption, it is an unsalted one-way hash, and a fast one: identical passwords produce identical digests that can be looked up in precomputed tables, and a GPU tries billions of guesses per second against it. Use PHP's password_hash(), which applies a salted and deliberately slow bcrypt hash, and password_verify() to check a login. Also, if you accept file uploads, do not store files under the name the client supplied: generate a random name (for example 16 random bytes hex-encoded, 32 characters) and keep the original name in the database if you need it, so that sensitive information is not revealed by the filename and an attacker cannot pick a name such as shell.php.
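Both points in plain PHP (5.5 or later), as an added example that is not from the original post or from CodeIgniter; it has no framework dependency so it can be run from the command line. The allowed extension list and the column sizes mentioned in the comments are assumptions:

```php
<?php
// Added example (not from the original post): password hashing and upload
// naming in plain PHP 5.5+. The extension whitelist and the column sizes in
// the comments are assumptions for the illustration.

// --- Passwords -----------------------------------------------------------

// Store the result in the users table, in a VARCHAR(255) column: bcrypt
// output is 60 characters today, but PASSWORD_DEFAULT may change later.
function make_password_hash($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Check a login attempt against the stored hash: TRUE on a match.
function check_password($plain, $stored_hash)
{
    return password_verify($plain, $stored_hash);
}

// The old way, for comparison only. The same input always gives the same
// digest, so one table lookup cracks every user who chose that password.
function md5_hash_do_not_use($plain)
{
    return md5($plain);
}

// --- Upload file names ---------------------------------------------------

$allowed_extensions = array('jpg', 'jpeg', 'png', 'gif', 'pdf');

// Return a random 32-character file name carrying a whitelisted extension,
// or NULL if the extension is not allowed. The client-supplied name is
// used only to pick the extension; everything else about it is discarded,
// which also disposes of path characters and double extensions.
function random_upload_name($client_name, array $allowed)
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ( ! in_array($ext, $allowed, TRUE)) {
        return NULL;
    }
    // 16 random bytes -> 32 hex characters. random_bytes() is PHP 7;
    // openssl_random_pseudo_bytes() is the PHP 5 fallback.
    $bytes = function_exists('random_bytes')
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);
    return bin2hex($bytes) . '.' . $ext;
}

// Demo
$hash = make_password_hash('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('Tr0ub4dor&3', $hash));
var_dump(md5_hash_do_not_use('correct horse battery staple'));
var_dump(random_upload_name('Payslip March 2011.PDF', $allowed_extensions));
var_dump(random_upload_name('shell.php', $allowed_extensions));
```

Run it twice and notice that make_password_hash() gives a different string each time (the salt is random) while md5_hash_do_not_use() never changes; that is the difference between a password hash and a checksum. On PHP older than 5.5 the password_compat library provides the same two functions.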

In addition, CodeIgniter's form validation library is very useful. Form validation keeps malformed data out of the database. To add a second layer, define the table so that each column matches the validated input in a) type and b) length: a username validated as alpha_dash with max_length[30] goes into a VARCHAR(30), an age validated as an integer into an INT, and so on. A value that somehow slips past validation is then still rejected or cut down by the database instead of being stored as-is.
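A registration controller whose rules mirror the schema, together with the username_unique callback from the username enumeration section, as an added example that is not from the original post or from CodeIgniter. It is CodeIgniter 3 code and the users table, its columns and the register view are assumed:

```php
<?php
// Added example (not from the original post): validation rules that mirror
// an assumed `users` table, plus the username_unique callback. Assumes
// CodeIgniter 3 and this schema (hypothetical):
//
//   CREATE TABLE users (
//     id            INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//     username      VARCHAR(30)  NOT NULL UNIQUE,
//     email         VARCHAR(254) NOT NULL,
//     password_hash VARCHAR(255) NOT NULL,
//     age           TINYINT UNSIGNED NULL
//   );
//
// The UNIQUE constraint is the last line of defence: two requests that race
// past the callback at the same instant still cannot both insert.
defined('BASEPATH') OR exit('No direct script access allowed');

class Register extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->database();
    }

    public function index()
    {
        // Each rule set matches the column it feeds: character class and
        // max_length for the VARCHARs, a 0..255 range for TINYINT UNSIGNED.
        $this->form_validation->set_rules('username', 'Username',
            'trim|required|alpha_dash|min_length[3]|max_length[30]|callback_username_unique');
        $this->form_validation->set_rules('email', 'Email',
            'trim|required|valid_email|max_length[254]');
        $this->form_validation->set_rules('password', 'Password',
            'required|min_length[12]');
        $this->form_validation->set_rules('age', 'Age',
            'integer|greater_than_equal_to[0]|less_than_equal_to[255]');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('register');   // shows validation_errors()
            return;
        }

        $age = $this->input->post('age');
        $this->db->insert('users', array(
            'username'      => $this->input->post('username'),
            'email'         => $this->input->post('email'),
            'password_hash' => password_hash($this->input->post('password'), PASSWORD_DEFAULT),
            'age'           => ($age === '' || $age === NULL) ? NULL : (int) $age,
        ));
        redirect('auth/login');
    }

    // Callback rule: returns FALSE, with a message, when the name is taken.
    // Query Builder escapes $username, so the lookup itself is safe.
    public function username_unique($username)
    {
        $count = $this->db->where('username', $username)
                          ->count_all_results('users');
        if ($count > 0) {
            $this->form_validation->set_message('username_unique',
                'The {field} is not available.');
            return FALSE;
        }
        return TRUE;
    }
}
```

Because the rules and the columns agree, a request that is not a normal form submission (a script posting a 10 KB username, say) is stopped twice: by the validator, and, if some later code path skips the validator, by the column definition.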

Overall security testing

Websecurify, available as a Google Chrome extension, is a handy piece of software that tests a web application against around 20 common attack types. As with XSS Me, treat a clean scan as a spot check of the cases the tool knows about, not as proof that the application is secure.



Comments

  • I don't know whether the operation was available in the older versions of CodeIgniter available when this article was written. To check whether the user name is taken or not, the `is_unique` rule is available.

    This can be used instead of the big callback function code:

    $this->form_validation->set_rules('username', 'Username', 'is_unique[users.username]');

    Secondly, MD5 is not an encryption mechanism but a hashing one. That means it is a one-way process: the output is the hash of the password, not encrypted cipher text. And MD5 for passwords is not recommended now, since it is proven weaker than many algorithms available now.

    • Anush

      Hi Sarvap,
      Thanks for your comment, this is an old article, indeed. Would you like to contribute to Monitis blog on this topic?

    • Manuel Ruiz

      The is_unique function will only do the job in a create-record situation. But it will not work in an "update records" scenario. A callback function will work for both situations.

      • In such cases, I usually have two separate controller functions to which the form submits. The creating function will have is_unique validation while the updating function checks whether the record exists based on the key (username in this case) and then update it.

  • WorldWebTechnology

    Well-described article.

    Nowadays security threats are increasing, so it is better to add an SSL certificate to your website as well.
    Also, there are many good paid tools available in the market with which you can update and test your website.

    The main thing is that you need to keep track of technology updates.

    Thanks for such a nice post.