Security

Turn of PHP error reporting

In production environments (when going live), it is typically desirable to disable PHP's error reporting by setting the internal error_reporting flag to a value of 0. This disables native PHP errors from being rendered as output, which may potentially contain sensitive information.

Setting CodeIgniter's ENVIRONMENT constant in index.php to a value of 'production' will turn off these errors. In development mode, it is recommended that a value of 'development' is used.

define('ENVIRONMENT', 'production');

I like to use the code below so that when I'm online PHP's error reporting is off and when I work locally it is on.

if (stristr($_SERVER['HTTP_HOST'], 'local') || (substr($_SERVER['HTTP_HOST'], 0, 7) == '192.168'))
{
    // echo 'local';
    define('ENVIRONMENT', 'development');
} else
{
    // echo 'online';
    define('ENVIRONMENT', 'production');
}

Turn of database errors

The PHP errors are off, but any MySQL errors are still going to show. Turn these off in the /config/database.php file. Set the db_debug option to false:

$db['default']['db_debug'] = FALSE;

SQL injections

Using CI’s Active Record should take care of this problem.

Disable directory browsing

Add the following line in the htaccess file in the root folder:

Options -Indexes

User authentication

I highly recommend Ion Auth, it’s very well written and probably alot better than you’d write on your first try.

Learning Resources

  • Check out these great advices article in codeIgniter forum.

Post A Comment

Anti-Spam Quiz: