CI_Security Class Reference

The CI_Security class provides several built-in security functions that help protect a CodeIgniter application from attackers. The most useful of them are listed below:

CI_Security class reference

1 xss_clean(): This function removes XSS (cross-site scripting) exploits from the input data and returns the cleaned string. If the optional second parameter, $is_image, is set to TRUE, the function returns a boolean instead: TRUE if the image is safe to use and FALSE if malicious data was detected in it.

Syntax:

xss_clean($str[, $is_image = FALSE]);

Parameter description:

  • $str (mixed) – Input string or an array of strings
  • $is_image (bool) – Whether the input is an image
  • The return type of this function is mixed: it returns XSS-clean data, or a boolean when $is_image is TRUE.

Note:

To filter HTML attribute values, use the html_escape() function.

2 sanitize_filename(): This method sanitizes filenames submitted via form input, in order to prevent directory traversal attempts and other security threats.

Syntax:

sanitize_filename($str[, $relative_path = FALSE]);

Parameter description:

  • $str (string) – File name/path
  • $relative_path (bool) – Whether to preserve any directories in the file path
  • The return type of this function is string and it will return the sanitized file name or path.

3 get_csrf_token_name(): This function returns the CSRF (Cross-Site Request Forgery) token name (the $config['csrf_token_name'] value).

Syntax:

get_csrf_token_name();

The return type of this function is string and it will return the CSRF token name.

4 get_csrf_hash(): This function returns the CSRF hash value. It is very useful for building forms manually or for sending valid AJAX POST requests.

Syntax:

get_csrf_hash();

The return type of this function is string and it will return the CSRF hash.

5 entity_decode(): This function works like PHP's native html_entity_decode() in ENT_COMPAT mode, except that it also tries to detect HTML entities that don't end in a semicolon, because some browsers allow that.

Syntax:

entity_decode($str[, $charset = NULL]);

Parameter description:

  • $str (string) – Input string
  • $charset (string) – Character set of the input string
  • If the $charset parameter is left empty, the value configured in application/config/config.php under $config['charset'] is used.

The return type of this function is string and it will return an entity-decoded string.

6 get_random_bytes(): This function gets proper random bytes via mcrypt_create_iv(), /dev/urandom or openssl_random_pseudo_bytes() (in that order), using the first one that is available. It is also used to generate the CSRF and XSS tokens.

Syntax:

get_random_bytes($length);

Parameter description:

  • $length (int) – Output length

The return type of this function is string and it will return a binary stream of random bytes, or FALSE on failure.
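A controller that uses these methods together, as an added example (not code from this page or from the CodeIgniter project): it builds a form by hand with the CSRF token, then sanitizes the submitted name and uploaded filename and returns the current hash for AJAX callers. It assumes CodeIgniter 3 with $config['csrf_protection'] = TRUE; the controller name, the "name"/"avatar" fields and the JSON response shape are hypothetical.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Added example (not code from the page or from the CodeIgniter project).
// Assumes CodeIgniter 3 with $config['csrf_protection'] = TRUE; the controller
// name, the "name"/"avatar" fields and the JSON response shape are hypothetical.
class Profile extends CI_Controller
{
    // Form built by hand instead of with form_open(), so the CSRF hidden field
    // must be added explicitly with the exact name and hash the framework checks.
    public function form()
    {
        $this->load->helper('url');                        // for site_url()
        $token   = $this->security->get_csrf_token_name();
        $hash    = $this->security->get_csrf_hash();
        $prefill = $this->input->get('name', TRUE) ?? '';  // TRUE = run xss_clean()

        // Attribute values go through html_escape(), as the note above advises.
        echo '<form method="post" action="' . site_url('profile/save') . '" enctype="multipart/form-data">'
           . '<input type="hidden" name="' . html_escape($token) . '" value="' . html_escape($hash) . '">'
           . '<input type="text" name="name" value="' . html_escape($prefill) . '">'
           . '<input type="file" name="avatar"><button type="submit">Save</button></form>';
    }

    // CI_Security has already compared the submitted token with the CSRF cookie
    // before this method runs; a mismatch ends the request before reaching it.
    public function save()
    {
        $display_name = $this->security->xss_clean($this->input->post('name'));

        $tmp  = $_FILES['avatar']['tmp_name'] ?? '';
        // Strip directory parts and traversal sequences from the client-supplied name.
        $safe_name = $this->security->sanitize_filename($_FILES['avatar']['name'] ?? '');
        // With $is_image = TRUE, xss_clean() returns a boolean verdict on the file body.
        $image_ok = $tmp !== '' && is_uploaded_file($tmp)
                 && $this->security->xss_clean(file_get_contents($tmp), TRUE) === TRUE;
        if ($image_ok) {
            move_uploaded_file($tmp, FCPATH . 'uploads/' . $safe_name);
        }

        // AJAX clients need the current hash for their next POST (it may have been
        // regenerated since the form was rendered), so return it with the token name.
        $this->output->set_content_type('application/json')->set_output(json_encode([
            'name'      => $display_name,
            'file'      => $image_ok ? $safe_name : NULL,
            'csrf_name' => $this->security->get_csrf_token_name(),
            'csrf_hash' => $this->security->get_csrf_hash(),
        ]));
    }
}
```

An AJAX client should read csrf_name and csrf_hash from each response and send them as a POST field on the next request, since the hash is regenerated when $config['csrf_regenerate'] is TRUE.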
