MySQL Injection Stop:

First escape variables from login form and then enter into database

Example

<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");

// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// escape variables for security

$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);

$sql="INSERT INTO Persons (FirstName, LastName, Age)

VALUES ('$firstname', '$lastname', '$age')";

if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>

Codeigniter $con (How to get):

$db = (array)get_instance()->db;
$con = mysqli_connect('localhost', $db['username'], $db['password'],
$db['database']);

Storing Passwords

There are two separate yet related methods for storing password information. One way is to
encrypt them. Another is to hash them. Both encrypting and hashing information turn a normal
string into gobbledygook. The principle difference between them, other than the technogeekish
details, is that the encrypted information can be decrypted, whereas hashed information cannot
be unhashed. On the Web, hashing is usually used.
There are a variety of hashing algorithms out there. PHP supports several dozen of them. The
most popular hashing algorithms are MD5 and SHA. MD5 is not as strong as SHA and I don’t
recommend it. I recommend versions from the SHA2 family that have two functions: SHA-256
and SHA-512.

A one-way hash makes it a little more difficult to hack a password but not impossible. It might
not be easy, but it could be done with sufficient resources.

A good way to increase your security is to add a salt to your passwords. A salt is a string of
characters that are added to a string prior to hashing it. You can add the salt to the string at the
beginning, end, or some point in the middle of the string.

A salt is a string of characters that are added to a string prior to hashing it.

There are many theories about how to effectively salt passwords. The most secure way is to use a
different salt for each password. When you save a password, generate a salt using any one of a number
of methods. A simple method is to salt with a newly generated UUID (you could theoretically salt with
the ID on the user record and kill two birds with one stone). You add the salt to the user password, hash
it, and then store it. If you are using a different salt with every user, you need to store the salt in the
database too.

1-generate UUID(universily unique id):

The sprintf() function writes a formatted string to a variable.

<?php
$number = 9;
$str = "Beijing";
$txt = sprintf("There are %u million bicycles in %s.",$number,$str);
echo $txt;
?>
UUID Generator:
function gen_uuid() {
return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
// 32 bits for "time_low"
mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),

// 16 bits for "time_mid"

mt_rand( 0, 0xffff ),

// 16 bits for "time_hi_and_version",

// four most significant bits holds version number 4
mt_rand( 0, 0x0fff ) | 0x4000,

// 16 bits, 8 bits for "clk_seq_hi_res",

// 8 bits for "clk_seq_low",
// two most significant bits holds zero and one for variant DCE1.1
mt_rand( 0, 0x3fff ) | 0x8000,
 // 48 bits for "node"
mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )
);
}
2-adding salt:

According to MySQL, AES encryption (Advanced Encryption Standard) is the best method
available for providing reversible encryption and decryption in SQL.

Formerly known as Rijndael, the AES_ENCRYPT and AES_DECRYPT functions are now built-in to
MySQL so you can take user data, encrypt it with a salt, store it in your database, then extract it
again later and decrypt it.

Define your salt

You'll need to apply a salt to the data that you encrypt. This is a special code that the encryption
algorithm uses which works a bit like a key.

You'll need to provide the exact same key back to decrypt the data, and if an attacker should gain
access to your database, they won't be able to decipher it without knowing the salt.

If you define your salt in PHP like this, you'll be able to pull the constant into your SQL
statements more easily.

if(!define('SALT')) define('SALT','897sdn9j98u98jk');

To insert data into your MySQL database and encrypt the sensitive information, you'll need to
issue a command like this, along with your salt.

INSERT INTO your_table (username,email,shoe size) VALUES ('$username',

AES_ENCRYPT('$email','".SALT."'), AES_ENCRYPT('$shoesize','".SALT."'));

This will insert the username in plain text, as it's non-sensitive, but encrypt the user's email and
shoesize, to prevent them from being viewed without access to the salt.

At some point, you're going to need to access some of the data you stored in its encrypted form,
and you can do this very easily using the AES_DECRYPT function of MySQL and the same salt
you used when you encrypted the data and inserted it.

SELECT username, AES_DECRYPT(email,'".SALT."') AS email,

AES_DECRYPT(shoesize,'".SALT."') AS shoesize FROM your_table WHERE username
='fred';

If you SELECT the encrypted data without running it through AES_DECRYPT or with the
wrong or no salt, you'll get an ugly, unreadable string of odd characters. This means if an
attacker manages to access your database, but does not have access to your server to view the
salt, they won't be able to read any of the data you've stored. At least, not without going to great
lengths to try and decrypt the data.
Updating encrypted records is very similar to insertion. Basically, you just apply the same salt
and re-issue the AES_ENCRYPT command to re-encrypt the data again and lock it away safely.

UPDATE your_table SET email = AES_ENCRYPT('$email','".SALT."'), shoesize =

AES_ENCRYPT('$shoesize','".SALT."') WHERE username= 'fred';

Searching encrypted data using both AES_ENCRYPT and AES_DECRYPT

Things get a little bit more complicated when you need to search for data that's encrypted and
then display it in its unencrypted form.

Say you wanted to search for a user using their email address, but you'd encrypted that in the
database. First, you'd need to encrypt the email address you want to search for with
AES_ENCRYPT and your salt, and then you'd need to use AES_DECRYPT to ensure that
MySQL decrypted it, returning it in a readable format.

You can achieve this, using code a bit like this:

SELECT user_username, AES_DECRYPT(email,'".SALT."') AS email,

AES_DECRYPT(shoesize,'".SALT."') AS shoesize FROM your_table WHERE (email =
AES_ENCRYPT('$q','".SALT."'));

For further informations, please see this link:

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

Comparing Passwords

Comparing passwords is slightly trickier when storing them in hashed format. Because you
cannot unhash the passwords, the only way to compare a password entered at login to the stored
password in the database is to salt and hash the entered password and then compare it to the
stored value.

3-hashing value: SHA-256

$cemail = $_POST["cemail"];
$salt = (fetch salt value)

$cpassword = hash("SHA256",
$salt.$_POST['cpassword']);
Also

A one-way hash makes it a little more difficult to hack a password but not impossible
Hashing uri segments:

Method 1:

The _uriencode() and _uridecode() Functions

As you will see later on in the code, there are times when it is necessary to pass information on
the URL that you don’t want a user to see. For example, if you are sending through the ID of a
row, you can keep that information to yourself. In those cases, encrypt the URI segment that has
that information.

Here’s the code for those two functions:

function _uriencode($tcURI){
$encoded = base64_encode($this->encrypt->
encode($tcURI));
return $encoded;
}

function _uridecode($tcEncoded){
$decoded = $this->encrypt->
decode(base64_decode($tcEncoded));
return $decoded;
}

Use:
$ci->_uriencode($row['id']); replace your $row['id'] with your variable

You may recall entering an encryption key in config.php. It was intended, at the very least, for
sessions. If you want to use encryption in CodeIgniter as I do here, you have to go a little further
in your config file.

In config.php, there is a setting called permitted_uri_characters. Note what characters are

allowed by default:

'a-z 0-9~%.:_\-';

The slash in the string of allowed characters is a problem. If you have a / in a URI, it is
interpreted as the end of the segment. You need to remove that slash from the list of allowed
characters so that your encrypted URI segments work properly. Here’s what the modified config
line looks like:

$config['permitted_uri_chars'] =
'+=\a-z 0-9~%.:_-';

Method 2:
First of all , you should encrypt your string as usual , then you add one step to eliminate bad
characters inside your encrypted string which are :

‘+’, ‘/’, ‘=’

You should replace these characters with some other special characters that will not effect the
browser logic in loading pages .

Here is an example :

1</pre>
2this->load->library('encrypt');
$enc_username=$this->encrypt->encode($username);
3$enc_username=str_replace(array('+', '/', '='), array('-', '_', '~'),
4$enc_username);
5<pre>

In this example we replaced + , / , = characters with – , _ , ~

To decode this string I’ve used this code :

1</pre>
2$this->load->library('encrypt');
$dec_username=str_replace(array('-', '_', '~'), array('+', '/', '='),
3$enc_username);
4$dec_username=$this->encrypt->decode($dec_username);
5<pre>

Autoloading a Model

There’s one last piece to cover before I can go into setupadmin(). If you look at the code to
setupadmin that is part of Listing 1, you will notice that the first bit of code immediately calls
users_model (Listing 3) without loading it.

You can autoload models by modifying the autoload.php configuration file but I don’t do that for
models that are specific to a particular set of controllers. Users_model is only relevant within the
users controller so I only want to load it when I am using controllers within users.php.
Fortunately, there is another way to autoload the model when running within users.php: put the
load code in the constructor. Since the constructor always runs when the class is instantiated,
putting a standard $this->load->model call in the constructor covers any method in the class.

Advertisement

Here’s the code:

function __construct(){
parent::__construct();
$this->load->model("users_model");
}

XSS Filtering(Input class and security class)

Changes in config file:

Global XSS Filtering

|--------------------------------------------------------------------------

| Determines whether the XSS filter is always active when GET, POST or

| COOKIE data is encountered

| WARNING: This feature is DEPRECATED and currently available only

| for backwards compatibility purposes!

*/

$config['global_xss_filtering'] = TRUE;

The Input class has the ability to filter input automatically to prevent cross-site scripting attacks.
If you want the filter to run automatically every time it encounters POST or COOKIE data you
can enable it by opening your application/config/config.php file and setting this:

$config['global_xss_filtering'] = TRUE;

CodeIgniter comes with a Cross Site Scripting prevention filter, which looks for commonly used
techniques to trigger JavaScript or other types of code that attempt to hijack cookies or do other
malicious things. If anything disallowed is encountered it is rendered safe by converting the data
to character entities.
To filter data through the XSS filter use the xss_clean() method:

function __construct(){
parent::__construct();
$this->load->helper('security');
}

$data = $this->security->xss_clean($data);

An optional second parameter, is_image, allows this function to be used to test images for
potential XSS attacks, useful for file upload security. When this second parameter is set to
TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and
FALSE if it contained potentially malicious information that a browser may attempt to execute.

if ($this->security->xss_clean($file, TRUE) === FALSE)

{
// file failed the XSS test

Important

If you want to filter HTML attribute values, use html_escape() instead!

Security class:

Class Reference
class CI_Security

xss_clean($str[, $is_image = FALSE])

Parameters:  $str (mixed) – Input string or an array of strings

Returns: XSS-clean data

Return type: mixed

Tries to remove XSS exploits from the input data and returns the cleaned string. If the
optional second parameter is set to true, it will return boolean TRUE if the image is safe
to use and FALSE if malicious data was detected in it.

Important

This method is not suitable for filtering HTML attribute values! Use html_escape() for
that instead.

sanitize_filename($str[, $relative_path = FALSE])

  $str (string) – File name/path
Parameters:  $relative_path (bool) – Whether to preserve any directories in the file
path

Returns: Sanitized file name/path

Return type: string

Tries to sanitize filenames in order to prevent directory traversal attempts and other
security threats, which is particularly useful for files that were supplied via user input.

$filename = $this->security->sanitize_filename($this->input-
>post('filename'));

If it is acceptable for the user input to include relative paths, e.g.

file/in/some/approved/folder.txt, you can set the second optional parameter,
$relative_path to TRUE.

$filename = $this->security->sanitize_filename($this->input-
>post('filename'), TRUE);

More: (stack overflow)

Especially it dependes on where the input goes. If you're concerned about XSS attacks, you
could pass a TRUE as second paramether and have the XSS filter be applied to that input (but
beware as the operation is quite costrly in term of resources, so don't use wildly)

$this->input->post('name', TRUE)

Read more on Input class on the USer Manual.

If the input is going into the database, than you either escape it manually with $this->db-
>escape() (and its other cousins), or you use query bindings or, for the sake of speed and
simplicity, you can rely to the Active Record Class which automatically escapes all dats entering
the query.
(this if you don't want to use your custom escaping, with mysql_real_escape_string, or the
mysqli_ and PDO prepared statements)

Input Class:
The second optional parameter lets you run the data through the XSS filter. It’s enabled by
setting the second parameter to boolean TRUE or by setting your $config['global_xss_filtering']
to TRUE.

$this->input->post('some_data', TRUE);

To return an array of all POST items call without any parameters.

To return all POST items and pass them through the XSS filter set the first parameter NULL
while setting the second parameter to boolean TRUE.

$this->input->post(NULL, TRUE); // returns all POST items with XSS filter

$this->input->post(NULL, FALSE); // returns all POST items without XSS filter

To return an array of multiple POST parameters, pass all the required keys as an array.

$this->input->post(array('field1', 'field2'));

Same rule applied here, to retrieve the parameters with XSS filtering enabled, set the second
parameter to boolean TRUE.

$this->input->post(array('field1', 'field2'), TRUE);

Security class:
Class Reference
class CI_Security

xss_clean($str[, $is_image = FALSE])

Parameters:  $str (mixed) – Input string or an array of strings

Returns: XSS-clean data

Return type: mixed

Tries to remove XSS exploits from the input data and returns the cleaned string. If the
optional second parameter is set to true, it will return boolean TRUE if the image is safe
to use and FALSE if malicious data was detected in it.

Important

This method is not suitable for filtering HTML attribute values! Use html_escape() for
that instead.

sanitize_filename($str[, $relative_path = FALSE])

  $str (string) – File name/path
Parameters:  $relative_path (bool) – Whether to preserve any directories in the file
path

Returns: Sanitized file name/path

Return type: string

Tries to sanitize filenames in order to prevent directory traversal attempts and other
security threats, which is particularly useful for files that were supplied via user input.

$filename = $this->security->sanitize_filename($this->input-
>post('filename'));

If it is acceptable for the user input to include relative paths, e.g.

file/in/some/approved/folder.txt, you can set the second optional parameter,
$relative_path to TRUE.

$filename = $this->security->sanitize_filename($this->input-
>post('filename'), TRUE);

Cross-site request forgery (CSRF)

You can enable CSRF protection by altering your application/config/config.php file in the
following way:

$config['csrf_protection'] = TRUE;

If you use the form helper, then form_open() will automatically insert a hidden csrf field in your
forms.

Cross-site request forgery (CSRF)

You can enable CSRF protection by altering your application/config/config.php file in the
following way:

$config['csrf_protection'] = TRUE;

If you use the form helper, then form_open() will automatically insert a hidden csrf field in your
forms. If not, then you can use get_csrf_token_name() and get_csrf_hash()
$csrf = array(
'name' => $this->security->get_csrf_token_name(),
'hash' => $this->security->get_csrf_hash()
);

...

<input type="hidden" name="<?=$csrf['name'];?>" value="<?=$csrf['hash'];?>"

/>

Tokens may be either regenerated on every submission (default) or kept the same throughout the
life of the CSRF cookie. The default regeneration of tokens provides stricter security, but may
result in usability concerns as other tokens become invalid (back/forward navigation, multiple
tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following
config parameter

$config['csrf_regenerate'] = TRUE;

Tokens may be either regenerated on every submission (default) or kept the same throughout the
life of the CSRF cookie. The default regeneration of tokens provides stricter security, but may
result in usability concerns as other tokens become invalid (back/forward navigation, multiple
tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following
config parameter

$config['csrf_regenerate'] = TRUE;

Select URIs can be whitelisted from csrf protection (for example API endpoints expecting
externally POSTed content). You can add these URIs by editing the ‘csrf_exclude_uris’ config
parameter:

$config['csrf_exclude_uris'] = array('api/person/add');

Regular expressions are also supported (case-insensitive):

$config['csrf_exclude_uris'] = array(
'api/record/[0-9]+',
'api/title/[a-z]+'
);
Default Config file settings:
/*
|---------------------------------------------------------------
-----------
| Cross Site Request Forgery
|---------------------------------------------------------------
-----------
| Enables a CSRF cookie token to be set. When set to TRUE, token
will be
| checked on a submitted form. If you are accepting user data,
it is strongly
| recommended CSRF protection be enabled.
|
| 'csrf_token_name' = The token name
| 'csrf_cookie_name' = The cookie name
| 'csrf_expire' = The number in seconds the token should expire.
| 'csrf_regenerate' = Regenerate token on every submission
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
*/
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_tk_name';
$config['csrf_cookie_name'] = 'csrf_ck_name';
$config['csrf_expire'] = 60;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

/*

Most sensitive data: encrypt by this method

and store in database
Also use
for passing variables from one page to another

1- $this->load->library('encryption');

By default, the Encryption Library will use the AES-128 cipher in CBC mode, using your
configured encryption_key and SHA512 HMAC authentication.

Note
AES-128 is chosen both because it is proven to be strong and because of its wide
availability across different cryptographic software and programming languages’ APIs.

2- Setting your encryption_key

In order to create a proper key, you must use the Encryption library’s create_key() method

// $key will be assigned a 16-byte (128-bit) random key

$key = $this->encryption->create_key(16);

The key can be either stored in your application/config/config.php, or you can design your own
storage mechanism and pass the key dynamically when encrypting/decrypting.
To save your key to your application/config/config.php, open the file and set:

$config['encryption_key'] = 'YOUR KEY';

You’ll notice that the create_key() method outputs binary data, which is hard to deal with (i.e. a
copy-paste may damage it), so you may use bin2hex(), hex2bin() or Base64-encoding to work
with the key in a more friendly manner. For example:

// Get a hex-encoded representation of the key:

$key = bin2hex($this->encryption->create_key(16));

// Put the same value in your config with hex2bin(),

// so that it is still passed as binary to the library:
$config['encryption_key'] = hex2bin(<your hex-encoded key>);

3- If you wish to change that driver settings and more, you need to use the initialize()
method. It accepts an associative array of parameters, all of which are optional:

Option Possible values

driver ‘mcrypt’, ‘openssl’
cipher Cipher name (see Supported encryption ciphers and modes)
mode Encryption mode (see Encryption modes)
key Encryption key

For example, if you were to change the encryption algorithm and mode to AES-256 in CTR
mode, this is what you should do:

$this->encryption->initialize(
array(
'cipher' => 'aes-128',
'mode' => 'cbc',
'key' => '<a 32-character random string>'
)
);

Note that we only mentioned that you want to change the ciper and mode, but we also included a
key in the example. As previously noted, it is important that you choose a key with a proper size
for the used algorithm.

There’s also the ability to change the driver, if for some reason you have both, but want to use
MCrypt instead of OpenSSL:

// Switch to the MCrypt driver

$this->encryption->initialize(array('driver' => 'mcrypt'));

// Switch back to the OpenSSL driver

$this->encryption->initialize(array('driver' => 'openssl'));
 All Operation:

function __construct(){
parent::__construct();
$this->load->library('encryption'); //for database storage encryption

$key = bin2hex($this->encryption->create_key(16));

$this->encryption->initialize(
array(
'cipher' => 'aes-128',
'mode' => 'cbc',
'key' => ' hex2bin(<your hex-encoded key>)'
)
);
$this->encryption->initialize(array('driver' => 'openssl'));

}
Encrypton and Decryption:
$plain_text = 'This is a plain-text message!';
$ciphertext = $this->encryption->encrypt($plain_text);

// Outputs: This is a plain-text message!

echo $this->encryption->decrypt($ciphertext);

Image Security:

XSS Filtering

CodeIgniter comes with a Cross Site Scripting prevention filter, which looks for commonly used
techniques to trigger JavaScript or other types of code that attempt to hijack cookies or do other
malicious things. If anything disallowed is encountered it is rendered safe by converting the data
to character entities.

To filter data through the XSS filter use the xss_clean() method:

$data = $this->security->xss_clean($data);

An optional second parameter, is_image, allows this function to be used to test images for
potential XSS attacks, useful for file upload security. When this second parameter is set to
TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and
FALSE if it contained potentially malicious information that a browser may attempt to execute.

if ($this->security->xss_clean($file, TRUE) === FALSE)

{
// file failed the XSS test
}

File Security:

sanitize_filename($str[, $relative_path = FALSE])

 $str (string) – File name/path
 $relative_path (bool) – Whether to preserve any directories in the
Parameters:
file path

Returns: Sanitized file name/path

Return
string
type:

Tries to sanitize filenames in order to prevent directory traversal attempts and other
security threats, which is particularly useful for files that were supplied via user input.

$filename = $this->security->sanitize_filename($this->input-
>post('filename'));

If it is acceptable for the user input to include relative paths, e.g.

file/in/some/approved/folder.txt, you can set the second optional parameter,
$relative_path to TRUE.

$filename = $this->security->sanitize_filename($this->input-
>post('filename'), TRUE);

Session security:
sessions are stored in session cookie.
If in config file 'sess_encrypt_cookie' option is given(in some
versions it is not given)

From stack overflow:

Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to
trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work
just like any standard call, so the same security goes on.
What happens with the CodeIgniter session is that the server stores the cookie, and every time
the user does an action that would change the content of the cookie, it is first compared to the
previous cookie.

If the user changes the content of the session cookie in the browser, CodeIgniter will notice on
the next server call, and create a new session for the user, basically logging him out.

CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as
you're using

$this->session->userdata('userid');

you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie
can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.

There are several other protections around the session data: the short refresh timeout (usually 300
seconds), it checks if the IP changed, and if the browser changed. In other words, in the worst
case scenario, the only way to spoof the session data is by having the same version of the
browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and
getting this done within 5 minutes.

So, watch out for the guy sitting beside you!

For encrypt the cookie in codeigniter make changes in the config.php file at

$config['sess_encrypt_cookie'] = FALSE;

change this line to

$config['sess_encrypt_cookie'] = TRUE;

Also set the encryption key at

$config['encryption_key'] = "";

1-store all data only after encryption in

session cookie
2-Use these settings:Change only these
settings to secure cookie.
/*
|---------------------------------------------------------------
-----------
| Session Variables
|---------------------------------------------------------------
-----------
|
| 'sess_driver'
|
| The storage driver to use: files, database, redis,
memcached
|
| 'sess_cookie_name'
|
| The session cookie name, must contain only [0-9a-z_-]
characters
|
| 'sess_expiration'
|
| The number of SECONDS you want the session to last.
| Setting to 0 (zero) means expire when the browser is
closed.
|
| 'sess_save_path'
|
| The location to save sessions to, driver dependent.
|
| For the 'files' driver, it's a path to a writable
directory.
| WARNING: Only absolute paths are supported!
|
| For the 'database' driver, it's a table name.
| Please read up the manual for the format with other
session drivers.
|
| IMPORTANT: You are REQUIRED to set a valid save path!
|
| 'sess_match_ip'
|
| Whether to match the user's IP address when reading the
session data.
|
| WARNING: If you're using the database driver, don't forget
to update
| your session table's PRIMARY KEY when changing
this setting.
|
| 'sess_time_to_update'
|
| How many seconds between CI regenerating the session ID.
|
| 'sess_regenerate_destroy'
|
| Whether to destroy session data associated with the old
session ID
| when auto-regenerating the session ID. When set to FALSE,
the data
| will be later deleted by the garbage collector.
|
| Other session cookie settings are shared with the rest of the
application,
| except for 'cookie_prefix' and 'cookie_httponly', which are
ignored here.
|
*/
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'my_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 5;
$config['sess_regenerate_destroy'] = FALSE;

/*
|---------------------------------------------------------------
-----------
| Cookie Related Variables
|---------------------------------------------------------------
-----------
|
| 'cookie_prefix' = Set a cookie name prefix if you need to
avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide
cookies
| 'cookie_path' = Typically will be a forward slash
| 'cookie_secure' = Cookie will only be set if a secure HTTPS
connection exists.
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S)
(no javascript)
|
| Note: These settings (with the exception of 'cookie_prefix'
and
| 'cookie_httponly') will also affect sessions.
|
*/
$config['cookie_prefix'] = 'ck';
$config['cookie_domain'] = 'give your domain name here';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = TRUE;

/*

Changes in config file:

Global XSS Filtering

|--------------------------------------------------------------------------

| Determines whether the XSS filter is always active when GET, POST or

| COOKIE data is encountered

| WARNING: This feature is DEPRECATED and currently available only

| for backwards compatibility purposes!

*/

$config['global_xss_filtering'] = TRUE;

Security for Other cookies than session cookie:

cookie([$index = NULL[, $xss_clean = NULL]])
 $index (mixed) – COOKIE name
Parameters:  $xss_clean (bool) – Whether to apply XSS filtering

$_COOKIE if no parameters supplied, otherwise the COOKIE value if

Returns:
found or NULL if not
Return
mixed
type:
 This method is identical to post() and get(), only it fetches cookie data:

$this->input->cookie('some_cookie');
$this->input->cookie('some_cookie', TRUE); // with XSS filter

To return an array of multiple cookie values, pass all the required keys as an array.

$this->input->cookie(array('some_cookie', 'some_cookie2'));

Note

Unlike the Cookie Helper function get_cookie(), this method does NOT prepend your
configured $config['cookie_prefix'] value.

Changes in config file:

Global XSS Filtering

|--------------------------------------------------------------------------

| Determines whether the XSS filter is always active when GET, POST or

| COOKIE data is encountered

| WARNING: This feature is DEPRECATED and currently available only

| for backwards compatibility purposes!

*/

$config['global_xss_filtering'] = TRUE;

set_cookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[,
$secure = NULL[, $httponly = NULL]]]]]]])
 $name (mixed) – Cookie name or an array of parameters
 $value (string) – Cookie value
 $expire (int) – Cookie expiration time in seconds
Parameters:
 $domain (string) – Cookie domain
 $path (string) – Cookie path
 $prefix (string) – Cookie name prefix
  $secure (bool) – Whether to only transfer the cookie through
HTTPS
 $httponly (bool) – Whether to only make the cookie accessible for
HTTP requests (no JavaScript)

Return
void
type:

Sets a cookie containing the values you specify. There are two ways to pass information
to this method so that a cookie can be set: Array Method, and Discrete Parameters:

Array Method

Using this method, an associative array is passed to the first parameter:

$cookie = array(
'name' => 'The Cookie Name',
'value' => 'The Value',
'expire' => '3600',
'domain' => '.some-domain.com',
'path' => '/',
'prefix' => 'cki_',
'secure' => TRUE,
'httponly' => TRUE
);

$this->input->set_cookie($cookie);

Notes

Only the name and value are required. To delete a cookie set it with the expiration blank.

The expiration is set in seconds, which will be added to the current time. Do not include
the time, but rather only the number of seconds from now that you wish the cookie to be
valid. If the expiration is set to zero the cookie will only last as long as the browser is
open.

For site-wide cookies regardless of how your site is requested, add your URL to the
domain starting with a period, like this: .your-domain.com

The path is usually not needed since the method sets a root path.

The prefix is only needed if you need to avoid name collisions with other identically
named cookies for your server.

The httponly and secure flags, when omitted, will default to your
$config['cookie_httponly'] and $config['cookie_secure'] settings.
 Discrete Parameters

If you prefer, you can set the cookie by passing data using individual parameters:

$this->input->set_cookie($name, $value, $expire, $domain, $path,

$prefix, $secure);

Others:
ip_address()
Returns: Visitor’s IP address or ‘0.0.0.0’ if not valid
Return type: string

Returns the IP address for the current user. If the IP address is not valid, the method will
return ‘0.0.0.0’:

echo $this->input->ip_address();

Important

This method takes into account the $config['proxy_ips'] setting and will return the
reported HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP, HTTP_X_CLIENT_IP or
HTTP_X_CLUSTER_CLIENT_IP address for the allowed IP addresses.

valid_ip($ip[, $which = ''])

 $ip (string) – IP address
Parameters:  $which (string) – IP protocol (‘ipv4’ or ‘ipv6’)

Returns: TRUE if the address is valid, FALSE if not

Return type: bool

Takes an IP address as input and returns TRUE or FALSE (boolean) depending on

whether it is valid or not.

Note

The $this->input->ip_address() method above automatically validates the IP address.

if ( ! $this->input->valid_ip($ip))
{
echo 'Not Valid';
}
else
{
echo 'Valid';
 }

Accepts an optional second string parameter of ‘ipv4’ or ‘ipv6’ to specify an IP format.

The default checks for both formats.

user_agent([$xss_clean = NULL])
Returns: User agent string or NULL if not set
 $xss_clean (bool) – Whether to apply XSS filtering
Parameters:
Return type: mixed

Returns the user agent string (web browser) being used by the current user, or NULL if
it’s not available.

echo $this->input->user_agent();

See the User Agent Class for methods which extract information from the user agent
string.