CodeIgniter from Scratch: Security

Tutorial Details
  • Topic: CodeIgniter
  • Difficulty: Moderate
  • Tut Format: Video
This entry is part 14 of 17 in the CodeIgniter From Scratch Session

In this fourteenth episode of the series, our subject is ‘Security.’ We will go over topics such as: password encryption, message encoding/decoding, XSS filtering, output filtering, SQL injection, session security, private controller methods and more.

Day 14: Security


Thanks for watching! Any questions/thoughts?

  • http://davekingsnorth.com Dave Kingsnorth

    Great to see this series is back!

  • http://blog.creative-webdesign.info Andi

    Nice, thank you for this tutorial! I like your teaching style.

  • http://macodev.com Marco Cervellin

    Any link to download the movie? Thanks! :)

  • http://macodev.com Marco Cervellin

    Very interesting article, keep up! Any link to download the movie? Thanks! :)

  • http://www.johnadigue.com John Adigue

    Great tuts. Thank you.

  • http://www.thomasv.nl ThomasV

    Yes, Burak is back, with new episodes of Code Igniter :D Have been waiting for this a long time, glad you have some spare time to create these podcasts! Thank you Burak

  • Lawrence Osh.

    I second that…

  • http://freecss.info CSS Templates

    I remember I tried CodeIgniter when it first came out. I must say I had a lot of problems with it. Has it improved much since then?

    • Robert

      Not sure what kind of problems you ran into when you first tried CodeIgniter, but it seems to be pretty solid now. I use it in my projects and find it saves me a lot of time and it is quite easy to learn and use. I would highly recommend it.

    • wip

      Try to improve CI on your own, mate! :) CI is a really powerful and flexible framework..

      I was coding in plain PHP+MySQL in the past.. and now, after changing to CI, I cannot imagine how people can handle coding big projects in PHP from scratch :)

      Every CI coder is establishing some sort of sandbox after some time.. You need to get to that point also, to make it really useful

    • Johhny Cash*

      LOL, you’re lost man hehehehe

  • Paul du Long

    When I try to watch this video on my iPad I just get a white screen video for 35min.

    • Martin

      Try to convert it to another format/codec

  • http://eyoosuf.com Muhammad Yoosuf

    Superb, it goes as a series; love to see it's continuously updating

  • http://taylorhutchison.com Taylor Hutchison

    Security was at the top of my wish list! Thanks Burak.

  • http://www.demogar.com demogar

    Nice basic tutorial. The best way to store passwords is by using salted passwords (For example: by having another table in your database with a random string for every user and using it with the password string like $password . $salt) with sha1.

    There are some nice user auth libraries in CI, like Erkana Auth, btw.

    • http://newarts.at Drazen Mokic

      I can really recommend Ion Auth as Authentication Library.

    • Brad

      If your PHP version is 5+ you can also use "hash('sha512', $this->input->post('pass'))". I use that for logins and storing passwords. Make sure you have at least 130 character space

  • Ronny

    This video in the iTunes feed is just blank for 35 minutes. Might wanna fix that!

    • http://net.tutsplus.com Jeffrey Way

      Thanks, Ronny. I’ll get that fixed ASAP. How strange…

    • Paul du Long

      Same on iPads ;)

  • Ismail Patel

    Just wanted to know, is it possible to encrypt a password with md5 first and then encrypt the md5 string again with sha1 and then store it. That would be like double encryption that would be hard to crack with databases.

    • http://krike.cmstutorials.org krike

      The only way to find out is to try it :) but that should work perfectly

  • Brad

    Excellent tut on a critical issue. Codeigniter does a lot to help you stay secure. Thanks Burak

  • http://vidarvestnes.blogspot.com Vidar Vestnes

    Very nice! I’ve become a big big fan of Nettuts. Especially all the CodeIgniter tuts have been particularly interesting for me. Next I’m crossing my fingers and have high hopes that you guys some day will show us how to do effective unit testing with CodeIgniter.

    Thanks a lot for this and all the other tuts!

  • http://eyoosuf.com Muhammad yoosuf

    Burak Guzel, amazing tips and tricks, got a lot, thanks a lot

  • THAT SOAK

    Very nice tips Burak. The CodeIgniter XSS filter allows HTML tags like or etc. while users input in my search field.
    How to solve that problem?
    Thanks…

  • Tom Van Assche

    Finally, another episode! Thank you guys.

  • Yassir

    MD5 is very weak, it has already been cracked! You might want to use SHA1, which is a little bit better

  • Ronny

    I would rather use private function instead of preceding functions with underscore. The underscore is the old PHP4 way to do it, private function is the new awesome PHP5 way :)

  • http://www.demogar.com demogar

    I have a question: I’ve noticed you were using NetBeans and it was completing your code. I’m not a big fan of IDEs (I use E-TextEditor on Windows, gedit on Ubuntu) but it seems to be very handy in some cases.

    How do you setup the code completion on NetBeans?

    Thank you in advance.

    • Robert

      Actually, I believe he is using the Aptana Studio IDE. I personally use NetBeans and find it very useful. Code completion is built into the IDE so there is nothing special that you need to do to get it to work.

      • http://jaimievansanten.nl Jaimie van Santen

        He’s using NetBeans 6.9, which is based on Java (I personally dislike any IDE based on Java due to its horrible speed).

        Anyone looking for a decent IDE should check out phpDesigner (http://www.mpsoftware.dk/phpdesigner.php), it’s a godsend and never fails to get the job done. (Windows only.)

        P.S. A commercial license costs only €70,- and can be installed on 3 machines.

        P.P.S. Hopefully this wasn’t the last CI tut. Keep them coming! :)

    • http://www.phpandstuff.com Burak Guzel
      Author

      I did in fact use Netbeans (I was using Aptana before).

      I added something like this to the base Controller class doc block (system/libraries/Controller.php):

      /**
       * @property CI_Loader $load
       * @property CI_Form_validation $form_validation
       * @property CI_Input $input
       * @property CI_DB_active_record $db
       * @property CI_Session $session
       * @property CI_Encrypt $encrypt
       */

      You can add more for other libraries.

      • http://www.demogar.com demogar

        Thank you for your support ;) I’ll give it a try soon.

    • Robert

      Oops, my bad, you are right, he is using NetBeans. I’m so used to seeing him use Aptana that I didn’t even realize it.

    • http://www.taloco.com.br/site Brayan

      Great tutorial :D

      One question (OFF): which profile do you use in NetBeans?

      By profile I mean the syntax and background colors of the editor

      or you edit the colors by yourself ?

      thanks ;)

      • http://www.phpandstuff.com/ Burak
        Author

        I adjusted it manually

  • http://www.theartforums.co.uk Rory C

    Hey, great tutorial Burak. The CodeIgniter series has been incredible, and it’s good to see that you’re keeping it up.

    One thing that I miss from Jeffrey’s tuts is the option to download the source code. It’s no biggie, but sometimes being able to take a quick look at the code is quicker than finding a point in a video.

    As I say though, great to see this carried on!

  • http://www.webtasarimsitesi.com ertan

    great video. thanks for tutorial Burak.

  • Julio

    Tks Burak !! great stuff! keep doing this very nice tuts!

    @Ronny I think that the CI guys should encourage the PHP5 way in the next releases..
    @demogar that’s why I chose NetBeans as my default IDE. Amazing code completion!
    @Jaimie van Santen NetBeans runs fine here on my Ubuntu, and so does Eclipse.. but anyway, I’ll take a look at phpDesigner. (Oh, Windows only… pass) ;)

  • nuc lear

    This series is good to learn about CodeIgniter. Thanks Burak and netTuts.

  • Carlos

    Yeeeah!

    CI series is still alive, thank you Burak.

  • http://brianswebdesign.com Brian Temecula

    I’m pretty happy with CI. This video shows great examples of why CI is so great for php development.

  • Andy

    I was always waiting for this & yeah Burak is back with the series again :)
    Loved the tutorial. Thanks man.

  • david

    How come screencasts 11 and 12 are not available in iTunes?

  • Khalil

    I was also waiting for this CI series again (please don’t stop it), especially for the security features in CI.

    This is very great for me.

    Thank you Burak Guzel.

  • Kuboslav

    Thanks a lot Burak for another part of the CI series :-)

  • Natrium

    Thanks for this! And keep ‘em coming!

  • http://beperceived.com Chris Schmitz

    Probably the most important CI tut yet. Thanks for all the great tuts in this series!

  • Greg

    So glad to have this series back alive, I’ve been working on this website using CodeIgniter for 6 months now and every time I watch those tutorials I have to redo some parts as I was doing it wrong.

    Thanks a lot! Hope to see more!

  • David Jelks

    First of all thanks Burak for another wonderful tutorial. For those who are asking for a way to encrypt their password using salt and SHA1, here is a unique way.

    Make a salt using the time() function:
    $salt = time(); //This would create a salt using the current timestamp

    Then encrypt the salt and password using SHA1:
    $password = sha1($password.$salt);

    Now an unsavory character will have to not only guess the password, but the exact time that a user registered; with 86,400 values for the salt, that would be a pretty monumental task.

    Also, they would still have to figure out the password.

    Hope this helps.

    @Jeffrey Way: I am very pleased to be a member of this community. Please keep up the good work. I actually was a procedural coder until I started checking your CodeIgniter tuts out. I will not ever go back to procedural. Not that there is anything wrong with procedural, but it is just not for me anymore!!!!

    Cheers!

    • http://www.jeffrey-way.com Jeffrey Way

      That’s great, David. Glad to hear it. :)

    • http://milesj.me Miles Johnson

      This is a really bad way to do it.

      If you save the password in the DB while using a time(), then how are you going to match that password when they try to login? When they login, the time() in the login will be different than the time when they signed up. You either have to ditch time() or store the salted time() somewhere in the database.

      • http://axelnorvell.com Axel

        You store the time that the user registered (which is a pretty common thing to do)

        Then when the user posts their password to your site, you take it and run it against the time they registered (retrieved from the database) and then compare it to the encrypted password string.

  • http://ramil-yabbarov.blogspot.com RA T.J.

    CI 2.0 & Yii themes may be very interesting…

  • erminio ottone

    Great tutorial as always :) thanks :)

    So you switched your IDE, you think NetBeans is now somehow better than Aptana? Did you have a chance to try the new Aptana Studio 3.0 (now in beta –> http://bit.ly/afk4Lr )?

    • http://www.phpandstuff.com/ Burak
      Author

      I really liked Aptana and the old PHP plugin they had. But they stopped working on it, in favor of focusing on RoR.

      They make you use the PDT Eclipse plugin, which didn’t feel good enough (not sure if they improved it lately).

      Also, the old Aptana PHP plugin does not support the new PHP 5.3 stuff. That’s why I am searching for my new favorite IDE.

      I’m still unsure about Netbeans, I don’t know if I will settle with it.

      Do you think Aptana 3 is still a good IDE for PHP?

      • erminio ottone

        Didn’t try Studio 3, I’m using Studio 2 and it is so buggy that I’m not gonna try a beta release, I’m waiting for the final release or some other IDE.

  • Shiro

    Thanks Burak for your interesting tutorial.

    I also just switched to NetBeans not long ago. I think we should vote for the framework implementation in Netbeans. https://netbeans.org/bugzilla/show_bug.cgi?id=146036

    One thing I’m not really comfortable with in NB 6.9, which they still haven’t fixed: after saving you cannot redo the action. This is really frustrating.

    BTW I found out one thing about the CodeIgniter pronunciation. How do you guys pronounce it?
    1. Co- deIg- ni- te (like Burak pronounce it)
    2. Code- Ig- ni- te

  • Someone

    If you’re not on an ancient server and have MySQL5+ you shouldn’t really be bothering with SQL escaping, you should be using prepared statements as much as possible, it’s easier for developers and better security.

    A simple sha1/md5 hash is pretty useless and it’s just going to take a couple of seconds to crack most passwords.

    Every password should have a unique salt, once you have created a hash with your salt you should start with key stretching which is basically looping your hash algorithm.
    This will prevent the use of precomputed hash tables and make brute force attacks a lot harder.
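
The per-user salt plus key stretching described in the comment above, together with the store-the-salt-then-verify step discussed under David Jelks's comment, as an added PHP example that is not part of the tutorial or of any commenter's code. It assumes PHP 7.0 or later for random_bytes() and hash_equals(); the iteration count and the "iterations$salt$hash" record format are this example's own choices.

```php
<?php
// Added example: per-user random salt plus key stretching, and verification
// against the stored record. Assumes PHP 7.0+ (random_bytes, hash_equals).

const STRETCH_ITERATIONS = 100000; // tune so one hash takes tens of milliseconds

// Key stretching: loop the hash, mixing salt and password into every round,
// so each password guess costs the attacker all the rounds as well.
function stretch_hash(string $password, string $salt, int $iterations): string
{
    $digest = hash('sha256', $salt . $password, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash('sha256', $digest . $salt . $password, true);
    }
    return bin2hex($digest);
}

// Build the record to store at registration: "iterations$salt$hash".
// Storing the salt alongside the hash is what makes later verification possible.
function make_password_record(string $password, int $iterations = STRETCH_ITERATIONS): string
{
    $salt = bin2hex(random_bytes(16)); // 128-bit salt, unique per user
    return $iterations . '$' . $salt . '$' . stretch_hash($password, $salt, $iterations);
}

// At login: recompute with the stored salt and iteration count, then compare
// in constant time so timing does not leak how many characters matched.
function verify_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 3 || (int) $parts[0] < 1) {
        return false; // malformed or tampered record
    }
    list($iterations, $salt, $expected) = $parts;
    return hash_equals($expected, stretch_hash($password, $salt, (int) $iterations));
}

// Constructed usage: register a user, then check a correct and a wrong login.
$record = make_password_record('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $record));
var_dump(verify_password('Tr0ub4dor&3', $record));
```

On PHP 5.5 or later, the built-in password_hash() and password_verify() functions do this salting and stretching with bcrypt (the CRYPT_BLOWFISH scheme recommended in the replies above) and should be preferred over a hand-rolled loop.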

  • http://www.webmasterdubai.com umefarooq

    Really nice tutorial, I’m a big fan of CI, and have been developing my project in CI for more than 2 years now. I like your NetBeans editor theme, can you share this theme? Try NetBeans 6.9, the PHP support is really improved.

  • http://www.bienestar-integral.com Sergio

    Some time ago I ran into a post that talks -among other things- about password security.

    http://stackoverflow.com/questions/346980/what-code-igniter-authentication-library-is-best

    As a result of downloading and looking into Tank Auth I ended up discovering the Portable PHP password hashing framework

    http://www.openwall.com/phpass/

    Someone said that “a simple sha1/md5 hash is pretty useless and it’s just going to take a couple of seconds to crack most passwords”.

    Brad mentions hash('sha512', $this->input->post('pass')) as an alternative.

    Does anyone out there have any experience or comment about the portable PHP password hashing framework?

    • Someone

      No matter what algorithm you use it will always be easy to crack unless you salt it, due to all the rainbow tables.

      The phpass is good for developers since it takes care of the salting, hashing and key stretching for you, but try to make sure you have CRYPT_BLOWFISH on your system for the best result with phpass.

      You want the time it takes to create your hash to be as long as possible, time is your main defense against brute force attacks.

  • http://biznesguide.ru ivan

    Very nice! Thank you!

  • http://bob.web.id bakazero

    Finally, after waiting a long time, the series is back. thank you Burak.
    Btw, did you mention some security patch for codeigniter 1.7.2 in this screencast?

    (Sorry I haven’t seen this video tutorial yet)
    I think it’s really useful information for the programmer to know too…

  • modo

    Nice tutorial, thanks.
    Another tip: if you use the Zend folder structure format with the CodeIgniter framework, with /application, /system and /public_html, where public_html is the web folder and system and application are outside the web folder; /public_html contains index.php and the /css, /js …. folders…
    Hope it helps somebody.
    Thank you again.

  • http://www.maorb.info Maor

    Great tutorials for CI! Thanks.

    Will there be a chapter on using templating via CI as well?

    Thanks

  • Sastrajingga

    Is there anyone can help me to give me the video’s link?
    I really need it and thanks before for help….

  • http://vampa.org Alex Stomp

    Alright.. I got through half of these today, and I’m learning so much. What I would just love for the next topic is a commenting system.

    Sorry if you talk about that in a later vid, but again, I’ve only been through about half of them.

  • DynamiteN

    Hi, love the CI series, they are very helpful for me. Sometimes I even re-read some of the posts just because I’m bored, just to hope that the info will stay between the ears :)

    Anyway, I was wondering if you couldn’t do a tut where you use MatchBox or something similar (extensions, modules)

    hopefully how to go about doing a smaller site with members and such … and show different approaches on how to do it

    (sorry for any misspelling )

    //DynamiteN

  • walter

    It would be great to have a tutorial about $_GET variables and ‘Segments’ working together. It seems that this is generating a lot of discussion out there. http://codeigniter.com/forums/viewthread/159382/P15/#768040

    I’m working in an application which is linked to an external credit card processing services provider whose callback function only provides a response via $_GET.

    I think there could be many more in this situation and a tut about this could be very popular.