CodeIgniter from Scratch: Security

Burak Guzel on Jun 30th 2010 with 91 comments

Tutorial Details

Topic: CodeIgniter
Difficulty: Moderate
Tut Format: Video

This entry is part 14 of 17 in the CodeIgniter From Scratch Session
« Previous Next »

In this fourteenth episode of the series, our subject is ‘Security.’ We will go over topics such as: password encryption, message encoding/decoding, XSS filtering, output filtering, sql injection, session security, private controller methods and more.

Catch Up

Day 14: Security

Premium Members: Download this Video ( Must be logged in)

Thanks for watching! Any questions/thoughts?

Enjoyed this Post?

Subscribe to our RSS Feed, Follow us on Twitter or simply recommend us to friends and colleagues!

By Burak Guzel

Rollover to read this author's bio or click through to see a full list of posts by this author.

Burak Guzel is a full time PHP Web Developer living in Arizona, originally from Istanbul, Turkey. He has a bachelors degree in Computer Science and Engineering from The Ohio State University. He has over 8 years of experience with PHP and MySQL. You can read more of his articles on his website at PHPandStuff.com and follow him on Twitter here.

Plus Premium

Note: Want to add some source code? Type <pre><code> before it and </code></pre> after it. Find out more

Will
Great tutorial! I really learned a lot. I was wondering if you could do a tutorial on creating an admin area to manage the content of a CodeIgniter application/website. I am having a hard time figuring how to create an admin area without making it a completely separate CodeIgniter project.
http://www.niklasdahlquist.se Niklas
Hi,
Just wanna say that I really like the CodeIgniter tutorials. Please continue with this series please! I´ve been sitting lika a freak in front of the computer the last couple of days and I am on part 13/14 now.

http://www.niklasdahlquist.se Niklas
Jeffrey,
By the way, you asked us to remind you about “Scaffolding” in a previous lesson! :)
/Niklas

http://www.niklasdahlquist.se Niklas
Sorry for spamming, but I am a premium member of tutsplus and I still can´t download this video. I can´t play it on iTunes either, it´s only a white screen.

Myung Ki
Hey Guys ….
Question… ???
Why is it that you guys dont do anymore tuts on codeigniter anymore ????
Is there a particular reason for that….
I really loved those tuts – and i’m sure that others does too…
What will it take for you guys, to do more on codeigniter ???
Sincerely Myung Ki
http://gravityfx.org/ emcgfx
http://blip.tv/file/get/NETTUTS-CodeIgniterFromScratchSecurity696.flv
Tomás
Really nice tutorial, I’ve learned a lot with all the tuts that you’ve made. Thanks a lot!
But I have a question, what is the font that you use in netbeans?
Subrat
When the videos will be uploaded? I do not see any link for video download.
NANY
great tutorial, i’m realy love it.. waiting the next episode…. ci maniac
http://www.absentsolutions.co.za Al-jerreau Davids
Great series, made me fall in love with codeigniter!! You guys did an awesome job
Looking forward to seeing more tuts on codeigniter, maybe a full application build for beginners that want to use code igniter, but doesn’t know how to build a 5 page website with codeigniter
Keep up the good tuts :-)
rospiz
pls fix the video, it’s broken
http://goio.net/ TuxLyn
Day 14 zip file with all the files in this video would be helpful :)
andy91
How about a tutorial on how to protect against packet sniffers/ man in the middle attack. How to use codeigniter with SSL for super secure logins etc…
Nuno Loureiro
I can’t believe you are recommending developers to use md5() or sha1() to store passwords. Having both without a salt is the same as doing nothing, as long as the password is not really long. That is a really bad security practice. Please either recommend developers to use HMAC-SHA256 or +, or PBKDF2.
As for DB access please recommend users to use prepared statements, not mysql_real_escape_string() crap. It’s because of advices like this that I see vulns like: $query = ‘SELECT * from user where userid=”.mysql_real_escape_string($_POST['uid']).’”‘;
Jahanzeb
I second Nuno, these encoding/hashing functions are terrible and then they become widely used, although I would recommend PHPass to hash passwords, WordPress also uses it and it uses Bcrypt.