How to prevent SQL Injection, XSS attack in Codeigniter

02 Aug 2016

Good programming practices to develop secure web applications

One of the most common attacks on web applications is SQL injection. It usually happens when a user submits malicious input through a form; because that input may contain harmful SQL statements, it can destroy the database. Another major threat is the XSS attack, which delivers harmful JavaScript through user input. Let's see how to prevent such attacks.




XSS Prevention

XSS means cross-site scripting. This attack injects malicious JavaScript code into web applications. CodeIgniter comes with XSS filtering security, which blocks malicious JavaScript or other code that attempts to hijack cookies and perform other malicious actions. To filter data through the XSS filter, use the xss_clean() method as shown below.

$data = $this->security->xss_clean($data);

You should use this function only when you are submitting data. The optional second Boolean parameter can also be used to check an uploaded image file for XSS, which is useful for a file upload facility; in that mode xss_clean() returns TRUE if the image is safe and FALSE otherwise.




SQL Injection Prevention  

CodeIgniter provides inbuilt functions and libraries to prevent this. We can prevent SQL injection in CodeIgniter in the following three ways:

  •     Escaping Queries
  •     Query Binding
  •     Active Record Class

Escaping Queries

<?php
   // Read the submitted value and escape it before concatenating it into the query.
   $username = $this->input->post('username');
   $query = 'SELECT * FROM subscribers_tbl WHERE user_name = ' .
      $this->db->escape($username);
   $this->db->query($query);
?>

The $this->db->escape() function automatically adds single quotes around the data and determines the data type, so that it escapes only string data.

Query Binding

<?php
   // Each ? placeholder is replaced by the matching value from the array, escaped.
   $sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
   $this->db->query($sql, array(3, 'live', 'Rick'));
?>


In the above example, each question mark (?) is replaced by the corresponding value from the array passed as the second parameter of query(). The main advantage of building queries this way is that the values are escaped automatically, which produces safe queries. The CodeIgniter engine does it for you, so you do not have to remember to do it yourself.


Active Record Class

<?php
   // The query builder escapes every value in the where array for you.
   $this->db->get_where('users_table',
      array('status' => 'active', 'email' => 'mail@ofek.co.in'));
?>


With active records (the query builder), the query syntax is generated by each database adapter. It also produces safer queries, since the values are escaped automatically.



CSRF Prevention

CSRF stands for cross-site request forgery. You can prevent this attack by enabling CSRF protection in the application/config/config.php file as shown below.

$config['csrf_protection'] = TRUE;

When you create a form using the form_open() function, it automatically inserts the CSRF token as a hidden field. You can also add it manually using the get_csrf_token_name() and get_csrf_hash() functions: get_csrf_token_name() returns the name of the CSRF token field and get_csrf_hash() returns the token's hash value.

The CSRF token can be regenerated on every submission, or kept the same throughout the life of the CSRF cookie. Setting the csrf_regenerate key in the config array to TRUE regenerates the token on each submission, as shown below.

$config['csrf_regenerate'] = TRUE;

You can also exclude URIs from CSRF protection by listing them in the config array under the key csrf_exclude_uris, as shown below. Regular expressions are also accepted.

$config['csrf_exclude_uris'] = array('api/person/add');
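To show the XSS, SQL injection and CSRF measures above working together, here is an added example controller; it is not code from the original post. It assumes a CodeIgniter 3 application with csrf_protection enabled, a table subscribers_tbl with user_name and status columns, and hypothetical route names.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not from the original post). Assumes CodeIgniter 3,
// $config['csrf_protection'] = TRUE and a table subscribers_tbl(user_name, status).
class Subscribers extends CI_Controller
{
    // Renders the lookup form. form_open() inserts the CSRF hidden field itself.
    public function index()
    {
        $this->load->helper('form');
        echo form_open('subscribers/lookup');
        echo form_input('user_name');
        echo form_submit('submit', 'Lookup');
        echo form_close();
    }

    // Handles the POST; the CSRF check has already run before we get here.
    public function lookup()
    {
        // Raw user input. A constructed hostile value such as  x' OR '1'='1
        // would change the meaning of a concatenated query.
        $name = $this->input->post('user_name');

        // UNSAFE (shown for contrast, never run): the quote in $name ends the literal.
        // $unsafe = "SELECT * FROM subscribers_tbl WHERE user_name = '" . $name . "'";

        // 1. Escaping: escape() quotes and escapes the string value.
        $q1 = $this->db->query(
            'SELECT * FROM subscribers_tbl WHERE user_name = ' . $this->db->escape($name)
        );

        // 2. Query binding: each ? is replaced by an escaped value from the array.
        $q2 = $this->db->query(
            'SELECT * FROM subscribers_tbl WHERE user_name = ? AND status = ?',
            array($name, 'active')
        );

        // 3. Query builder (active record): the adapter escapes the where values.
        $q3 = $this->db->get_where('subscribers_tbl',
            array('user_name' => $name, 'status' => 'active'));

        // XSS: filter the value, then HTML-encode it before reflecting it in the page.
        $safe = html_escape($this->security->xss_clean($name));
        echo 'Rows for ' . $safe . ': ' . $q3->num_rows();
    }
}
```

All three database calls return the same rows for a benign name; for the hostile value each of them searches for the literal string instead of altering the WHERE clause.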


To summarize, follow these points to build secure applications:
  1. Sanitize the data from user input
  2. Escape unwanted characters
  3. Prevent/block unwanted characters
  4. Prefer the active record (query builder) functionality
  5. Enable CSRF protection

Happy safe coding !!

