XSS Prevention
XSS means cross-site scripting. CodeIgniter comes with built-in XSS filtering. This filter will neutralise malicious JavaScript, or any other code, that attempts to hijack cookies or perform other malicious activities.
SQL Injection
The method returns NULL if the item you are attempting to retrieve does not exist.
The second optional parameter lets you run the data through the XSS filter.
It’s enabled by setting the second parameter to boolean TRUE or by setting your $config['global_xss_filtering'] to TRUE.
$this->input->post('some_data', TRUE);
To return an array of all POST items, call the method without any parameters.
To return all POST items and pass them through the XSS filter, set the first parameter to NULL while setting the second parameter to boolean TRUE.
$this->input->post(NULL, TRUE); // returns all POST items with XSS filter
$this->input->post(NULL, FALSE); // returns all POST items without XSS filter
To return an array of multiple POST parameters, pass all the required keys as an array.
$this->input->post(array('field1', 'field2'));
CSRF Prevention
A Cross Site Request Forgery token is a hash string that is included in each form and sent with every form submission. On submission it is checked against the token already saved in the cookie/session: if both values match, the request is accepted; otherwise it is declined. In CodeIgniter the Cross Site Request Forgery token value is added to a hidden input field and sent with POST requests.
In CodeIgniter 2, Cross Site Request Forgery (CSRF or XSRF) protection is a built-in feature. You only need to change a config variable in the config file to use CSRF protection. Once you have enabled it, all of your forms are secured: the POST requests from your CodeIgniter application's forms are now protected by the CSRF token.
To enable CSRF protection in a CodeIgniter application, open “application/config/config.php” and search for the CSRF settings.
You can also change the name settings; the CSRF token value will then be delivered under the names you give.
1. Using form_open() :- After loading the form helper class, we use the form_open() function to build the form in the view:-
Now save this file and inspect the element or view the source of the form in the browser. The form helper has automatically added an input field to the form with a random hash token value to prevent CSRF, like the one below.
2. Manually :- If you don’t want to use the form_open() function to build the form, you can add an input field directly, using the Security class functions to obtain the CSRF token in CodeIgniter, like below.
Your CodeIgniter application is now secured with the CSRF token.
Note that when CSRF protection is on you will get a “500 internal server” error when posting data with an AJAX call, because the token is not sent. We therefore need to send the CSRF token with the AJAX request as well. Let’s see how to send the CSRF token with an AJAX call and secure the CodeIgniter application’s AJAX requests with it.
After updating the code, make an AJAX call and you will get a success response. You have now secured your CodeIgniter application with the CSRF token on both basic forms and AJAX calls.
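The three steps above (config setting, form_open() versus a manual hidden field, and sending the token with an AJAX POST) combined in one place, as an added example rather than the tutorial's own code. The view file name, the contact/submit route, the sample email value and the use of jQuery are assumptions; the form and url helpers are assumed to be loaded by the controller.

```php
<?php
// application/config/config.php (CSRF section): turn the built-in check on.
// CodeIgniter 2 compares the POST field with the cookie on every POST request.
$config['csrf_protection'] = TRUE;
$config['csrf_token_name']  = 'csrf_test_name';   // name of the POST field
$config['csrf_cookie_name'] = 'csrf_cookie_name'; // name of the cookie
$config['csrf_expire']      = 7200;               // seconds a token stays valid
?>

<?php
// application/views/contact_form.php (assumed file name, example only).
// Read the token name and hash once so the manual form and the AJAX call
// use exactly the values the Security class will check.
$token_name = $this->security->get_csrf_token_name();
$token_hash = $this->security->get_csrf_hash();
?>

<!-- 1. form_open() inserts the hidden token field itself when csrf_protection is TRUE -->
<?php echo form_open('contact/submit'); ?>
    <input type="text" name="email">
    <input type="submit" value="Send">
<?php echo form_close(); ?>

<!-- 2. Manual form: add the hidden field yourself from the Security class values -->
<form method="post" action="<?php echo site_url('contact/submit'); ?>">
    <input type="hidden" name="<?php echo $token_name; ?>" value="<?php echo $token_hash; ?>">
    <input type="text" name="email">
    <input type="submit" value="Send">
</form>

<!-- 3. AJAX: a POST without the token is rejected, so add it to the request data -->
<script>
var csrfName = "<?php echo $token_name; ?>";
var csrfHash = "<?php echo $token_hash; ?>";
var data = { email: "user@example.com" }; // constructed sample value
data[csrfName] = csrfHash;                 // same field name the server expects
$.ajax({
    url: "<?php echo site_url('contact/submit'); ?>",
    type: "POST",
    data: data,
    success: function (response) { console.log("accepted", response); },
    error:   function (xhr)      { console.log("rejected", xhr.status); }
});
</script>
```

The AJAX variant is the one to check first when a POST starts failing after enabling csrf_protection: a request without the field fails regardless of whether the page's forms are correct.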