CodeIgniter Security Class

CodeIgniter contain security class methods which will help to create a secure application and process input data. The methods are given below.

XSS Filtering
CSRF (Cross-site Request Forgery)
Class Reference

XSS Filtering

XSS stands for Cross-site Scripting. It is used to disable JavaScript or other types of code that try to hijack cookies and perform other type of malicious acts. When it encounters anything harmful, it is rendered safe by converting the data to character entities.

XSS filtering uses xss_clean() method to filer data.

$data = $this->security->xss_clean($data);

There is an optional second parameter, is_image, which is used to test images for XSS attacks. When this parameter is set to TRUE, it doesn't return an altered string, instead it returns TRUE if image is safe and FALSE if it contains malicious information.

if ($this->security->xss_clean($file, TRUE) === FALSE)
{
//file failed in xss test
}

CSRF (Cross-site Request Forgery)

To enable CSRF do the following settings in application/config/config.php file.

$config['csrf_protection'] = TRUE;

If you are using form helper, then a hidden csrf field will be automatically inserted in your form_open()/ field.

Otherwise, you can manually add it using,

get_csrf_token_name() (it returns name of csrf) and

get_csrf_hash() (it returns value of csrf).

Generated tokens may be kept same throughout the life of CSRF cookie or may be regenerated on every submission. The default generation of token provides a better security but it also have usability concerns as other tokens like multiple tabs/windows, asynchronous actions, etc become invalid. Regeneration behavior can be set in application/config/config.php file as shown below.

$config['csrf_regenerate?] = TRUE;

Class Reference

Class CI_Security

xss_clean ($str [, $is_image = FALSE])

Parameters - $str (mixed) ? input string or an array of strings

Returns - XSS-clean data

Return-type - mixed

From input data it removes XSS exploits and returns the clean string.

Sanitize_filename ($str [, $relative_path = FALSE])

Parameters - $str (string) ? File name/path

$relative_path (bool) ? Whether tp preserve any directories in the file path

Returns - Sanitized file name/path

Return-type - string

It prevents directory traversal and other security threats by sanitizing filenames. It is mainly useful for files which were supplied via user input.

Entity_decode (($str [, $charset = NULL])

Parameters - $str (string) ? Input string

$charset (string) ? Character set of the input string

Returns - Entity-decoded string

Return-type - string

It tries to detect HTML entities that don't end in a semicolon because some browser allows that.

$charset parameter is left empty, then your configure value in $config['charset'] will be used.

Get_random_bytes ($length)

Parameters - $length (int) ? Output length

Returns - A binary system of random bytes or FALSE on failure.

Return-type - string

It is used for generating CSRF and XSS tokens.

Preventing, Enabling from CSRF

In this tutorial we'll learn to protect CodeIgniter application from the cross-site request forgery attack. It is one of the most common vulnerabilities in web application. CSRF protection is quite easy in CodeIgniter due to its built-in feature.

What is CSRF attack

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including victim's session cookie and other authentication information, to a web application.

For example, suppose you have a site with a form. An attacker could create a bogus form on his site. This form could contain hidden inputs and malicious data. This form is not actually sent to the attacker's site, in fact it comes to your site. Thinking that the form is genuine, your site will process it.

Now just suppose that the attacker's form point towards the deletion form in your site. If a user is logged in and redirected to the attacker's site and when perform search, his account will be deleted without knowing him. That is the CSRF attack.

Token Method

To protect from CSRF we need to connect both the HTTP requests, form request and form submission. There are several ways to do this, but in CodeIgniter hidden field is used which is called CSRF token. The CSRF token is a random value that changes with every HTTP request sent.

When CSRF token is inserted in the website form, it also gets saved in the user's session. When the form is submitted, the website matches both the token, the submitted one and one saved in the session. If they match, request is made legitimate. The token value changes each time the page is loaded, which makes it tough for the hackers to guess the current token.

Enabling CSRF Protection

To enable CSRF make the following statement TRUE from FALSE in application/config/config.php file.

$config['csrf_protection'] = TRUE;

Token Generation

With each request a new CSRF token is generated. When object is created, name and value of the token are set.

$this->csrf_cookie_name = $this->csrf_token_name;
$this->_csrf_set_hash();

The function for it is,

function _csrf_set_hash()
{
if ($this->csrf_hash == '')
{
if ( isset($_COOKIE[$this->csrf_cookie_name] ) AND
$_COOKIE[$this->csrf_cookie_name] != '' )
{
$this->csrf_hash = $_COOKIE[$this->csrf_cookie_name];
} else {
$this->csrf_hash = md5(uniqid(rand(), TRUE));
}
}
return $this->csrf_hash;
}

First, function checks the cookie's existence. If it exists, its current value is used because when security class is instantiated multiple times, each request would overwrite the previous one.

Function also creates a globally available hash value and save it for further processing. The token's value is generated. Now it has to be inserted into every form of the website with the help of function form_open().

The method csrf_verify() is called each time a form is sent. This method does two things. If no POST data is received, the CSRF cookie is set. And if POST data is received, it checks the submitted value corresponds to the CSRF token value in session. In the second case, CSRF token value is discarded and generated again for the next request. This request is legitimate and whole process starts again.

Database Configuration

In CodeIgniter, go to application/config/databse.php for database configuration file.

In database.php file, fill the entries to connect CodeIgniter folder to your database.

The config settings are stored in a multi-dimensional array as shown above. Fill out your connection details to connect to database.

You can also specify failover in the situation where main connection cannot be established. This can be specified by setting failover as shown below. You can write as many failovers as you want.

Automatically connecting Database

The auto connect feature will load your database class with every page load.

To add auto connect go to application/config/autoload.php and add the word database to library array.

Manually connecting Database

If you need to connect database only in some pages of your project, you can use below code to add the database connectivity in any page, or add it to your class constructor which will make the database globally available for that class.

$this->load->database();

Connecting multiple Database

If you need to connect more than one database simultaneously, do the following.

$db1 = $this->load->database(?group_one?, TRUE);
$db1 = $this->load->database(?group_two?, TRUE);

Here, group_one and group_two are the group names which will be replaced by your group name

CodeIgniter Database INSERT record

In this example, we will INSERT different values in database showing meaning of Indian names through CodeIgniter.

In application/controller, file baby_form.php is created.

<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Baby_form extends CI_Controller {
public function index()
{
$this->load->view("baby_form_add");
}
function savingdata()
{
//this array is used to get fetch data from the view page.
$data = array(
'name' => $this->input->post('name'),
'meaning' => $this->input->post('meaning'),
'gender' => $this->input->post('gender'),
'religion' => $this->input->post('religion')
);
//insert data into database table.
$this->db->insert('baby',$data);
redirect("baby_form/index");
}
}
?>

Look at the above snapshot, our table name is 'baby'.

<!DOCTYPE html>
<html>
<head>
<title>Baby Form Add</title>
</head>
<body>
<form method="post" action="<?php echo site_url('baby_form/savingdata'); ?>">
<table>
<tr>
<td>Name:</td>
<td>:</td>
<td><input type="text" name="name"></td>
</tr>
<tr>
<td>Meaning:</td>
<td>:</td>
<td><input type="text" name="meaning"></td>
</tr>
<tr>
<td>Gender:</td>
<td>:</td>
<td><input type="text" name="gender"></td>
</tr>
<tr>
<td>Religion:</td>
<td>:</td>
<td><input type="text" name="religion"></td>
</tr><br><br>
<tr>
<input type="submit" name="submit" value="Save">
</tr>
</table>
</form>
</body>
</html>

This is our view page which is being loaded in the controller's page.

To run it on your browser, pass URL

http://localhost/insert/index.php/Baby_form/

By inserting various names in the above form we have created our table as shown below.

CodeIgniter SELECT Database record

To fetch all data from database, one more page in Model folder of CodeIgniter will be created. There will be some changes in controller's and view's files also.

Controller file (Baby_form.php) is shown below.

<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Baby_form extends CI_Controller {
public function __construct()
{
parent::__construct();
//calling model
$this->load->model("Babymodel", "a");
}
public function index()
{
$this->load->view("baby_form_select");
}
function savingdata()
{
//this array is used to get fetch data from the view page.
$data = array(
'name' => $this->input->post('name'),
'meaning' => $this->input->post('meaning'),
'gender' => $this->input->post('gender'),
'religion' => $this->input->post('religion')
);
//insert data into database table.
$this->db->insert('baby',$data);
redirect("baby_form/index");
}
}
?>

We have added a constructor to load the model page. Highlighted code is added to fetch the inserted record. And our view page is now baby_form_select.php

View file (baby_form_select.php) is shown below.

<!DOCTYPE html>
<html>
<head>
<title>Baby Form Add</title>
</head>
<body>
<form method="post" action="<?php echo site_url('baby_form/savingdata'); ?>">
<table>
<tr>
<td>Name:</td>
<td>:</td>
<td><input type="text" name="name"></td>
</tr>
<tr>
<td>Meaning:</td>
<td>:</td>
<td><input type="text" name="meaning"></td>
</tr>
<tr>
<td>Gender:</td>
<td>:</td>
<td><input type="text" name="gender"></td>
</tr>
<tr>
<td>Religion:</td>
<td>:</td>
<td><input type="text" name="religion"></td>
</tr><br><br>
<tr>
<input type="submit" name="submit" value="Save">
</tr>
</table>
</form>
<table border="1">
<thead>
<th>ID</th>
<th>NAME</th>
<th>MEANING</th>
<th>GENDER</th>
<th>RELIGION</th>
<th>ACTION</th>
</thead>
<tbody>
<?php
foreach($this->a->fetchtable() as $row)
{
//name has to be same as in the database.
echo "<tr>
<td>$row->id</td>
<td>$row->name</td>
<td>$row->meaning</td>
<td>$row->gender</td>
<td>$row->religion</td>
</tr>";
}
?>
</tbody>
</table>
</body>
</html>

Code in baby_form_select.php file is same as baby_form_add.php. Above codes are added to fetch the record.

Here we have fetched the record in a table with the help of foreach loop. Function fetchtable() is created to fetch the record.

Model file (babymodel.php) is shown below.

<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Babymodel extends CI_Model {
function __construct()
{
//call model constructor
parent::__construct();
}
function fetchtable()
{
$query = $this->db->get('baby');
return $query->result();
}
}
?>

In URL, type http://localhost/CodeIgniter/index.php/Baby_form

Look at the above snapshot, all data has been fetched from the table 'baby'.

Login Form in CodeIgniter (without MySQL)

Here, we'll make a simple login page with the help of session.

Go to file autoload.php in application/config/autoload.php

Set session in library and helper.

Create controller page Login.php in application/controllers folder.

<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Login extends CI_Controller {
public function index()
{
$this->load->view('login_view');
}
public function process()
{
$user = $this->input->post('user');
$pass = $this->input->post('pass');
if ($user=='juhi' && $pass=='123')
{
//declaring session
$this->session->set_userdata(array('user'=>$user));
$this->load->view('welcome_view');
}
else{
$data['error'] = 'Your Account is Invalid';
$this->load->view('login_view', $data);
}
}
public function logout()
{
//removing session
$this->session->unset_userdata('user');
redirect("Login");
}
}
?>

Look at the above snapshot, we have created a session for a single user with Username juhi and Password 123. For a valid login and logout we will use this username and password.

Create view page login_view.php in application/views folder.

<!DOCTYPE html>
<html>
<head>
<title>Login Page</title>
</head>
<body>
<?php echo isset($error) ? $error : ''; ?>
<form method="post" action="<?php echo site_url('Login/process'); ?>">
<table cellpadding="2" cellspacing="2">
<tr>
<td><th>Username:</th></td>
<td><input type="text" name="user"></td>
</tr>
<tr>
<td><th>Password:</th></td>
<td><input type="password" name="pass"></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>

Create view page welcome_view.php in application/views folder to show the successful login message.

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
Welcome <?php echo $this->session->userdata('user'); ?>
<br>
<?php echo anchor('Login/logout', 'Logout'); ?>
</body>
</html>

Output

Type URL localhost/login/index.php/Login

Now on entering wrong information we'll be see unsuccessful message which we have set in login_view page in else part.

Now on entering right information, we'll see welvome_view.php message.

Click on Logout, we'll be directed to Login page.

Login page (with database)

In earlier example, we learnt a simple login page with one single username and session.

Now we'll make it with more than one users using database. A sign in and login page will be there for users.

Following pages are made in this example.

In application/controllers

Main.php

In application/views

login_view.php
invalid.php
data.php
signin.php

In application/models

login_model.php

In the first page, you'll have the option for Login and Sign In.

On Login, if user has entered correct credentials matching to database then he will be directed to data.php page. But if he has entered wrong information then incorrect username/password message will appear.

We have named our CodeIgniter folder as login_db. And our table name is signup.

We need to do some basic settings in our login_db CodeIgniter folder.

Go to autoload.php file, and do the following settings.

In the above snpashot, we have loaded the libraries and helper.

In database.php file, fill your username and database name. Our database name is codeigniter.

Now, we?ll start the example.

We have made file Main.php in application/controllers folder,

<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Main extends CI_Controller {
public function index()
{
$this->login();
}
public function login()
{
$this->load->view('login_view');
}
public function signin()
{
$this->load->view('signin');
}
public function data()
{
if ($this->session->userdata('currently_logged_in'))
{
$this->load->view('data');
} else {
redirect('Main/invalid');
}
}
public function invalid()
{
$this->load->view('invalid');
}
public function login_action()
{
$this->load->helper('security');
$this->load->library('form_validation');
$this->form_validation->set_rules('username', 'Username:', 'required|trim|xss_clean|callback_validation');
$this->form_validation->set_rules('password', 'Password:', 'required|trim');
if ($this->form_validation->run())
{
$data = array(
'username' => $this->input->post('username'),
'currently_logged_in' => 1
);
$this->session->set_userdata($data);
redirect('Main/data');
}
else {
$this->load->view('login_view');
}
}
public function signin_validation()
{
$this->load->library('form_validation');
$this->form_validation->set_rules('username', 'Username', 'trim|xss_clean|is_unique[signup.username]');
$this->form_validation->set_rules('password', 'Password', 'required|trim');
$this->form_validation->set_rules('cpassword', 'Confirm Password', 'required|trim|matches[password]');
$this->form_validation->set_message('is_unique', 'username already exists');
if ($this->form_validation->run())
{
echo "Welcome, you are logged in.";
}
else {
$this->load->view('signin');
}
}
public function validation()
{
$this->load->model('login_model');
if ($this->login_model->log_in_correctly())
{
return true;
} else {
$this->form_validation->set_message('validation', 'Incorrect username/password.');
return false;
}
}
public function logout()
{
$this->session->sess_destroy();
redirect('Main/login');
}
}
?>

In application/views folder, login_view.php file is made.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Login Page</title>
</head>
<body>
<h1>Login</h1>
<?php
echo form_open('Main/login_action');
echo validation_errors();
echo "<p>Username: ";
echo form_input('username', $this->input->post('username'));
echo "</p>";
echo "<p>Password: ";
echo form_password('password');
echo "</p>";
echo "</p>";
echo form_submit('login_submit', 'Login');
echo "</p>";
echo form_close();
?>
<a href='<?php echo base_url()."index.php/Main/signin"; ?>'>Sign In</a>
</body>
</html>

In application/views folder, data.php file is made.

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<h1>Welcome, You are successfully logged in.</h1>
<?php
echo "<pre>";
echo print_r($this->session->all_userdata());
echo "</pre>";
?>
<a href='<?php echo base_url()."index.php/Main/logout"; ?>'>Logout</a>
</body>
</html>

In application/views folder, signin.php file is made.

<!DOCTYPE html>
<html>
<head>
<title>Sign Up Page</title>
</head>
<body>
<h1>Sign In</h1>
<?php
echo form_open('Main/signin_validation');
echo validation_errors();
echo "<p>Username:";
echo form_input('email');
echo "</p>";
echo "<p>Password:";
echo form_password('password');
echo "</p>";
echo "<p>Confirm Password:";
echo form_password('cpassword');
echo "</p>";
echo "<p>";
echo form_submit('signin_submit', 'Sign In');
echo "</p>";
echo form_close();
?>
</body>
</html>

In application/views folder, invalid.php file is made.

<!DOCTYPE html>
<html>
<head>
<title>Invalid Page</title>
</head>
<body>
<h1>Sorry, You don't have access to this page.</h1>
<a href='<?php echo base_url()."Main/login"; ?>'>Login Again</a>
</body>
</html>

In application/models folder, login_model.php file is made.

<?php
class Login_model extends CI_Model {
public function log_in_correctly() {
$this->db->where('username', $this->input->post('username'));
$this->db->where('password', $this->input->post('password'));
$query = $this->db->get('signup');
if ($query->num_rows() == 1)
{
return true;
} else {
return false;
}
}
}
?>

On entering the URL, http://localhost/login_db/index.php/Main/

Following page will appear.

Enter the information to Login.

After entering information, click on Login button. We have entered the wrong information and hence it will show the error message as shown below.

On entering the information from database, we' ll be directed to data.php page.

Click on Login button.

Clicking on Logout button, you'll be directed to the Main page.

On clicking Sign In, following page will appear.

Multiprogramming Language Trainer

Friday 6 January 2017