views:

73

answers:

2

I have been wondering how secure a codeigniter setup is. Because information like db passwords etc is stored in config files in the main application folder could this be retrievable by hackers? I know you can move the application folder to a location away from the web root but is it still safe if you don't? Also, even if you did move it some place else, the path to that other place is hardcoded into the index.php file that remains in the web root. I'm sure there is a simple explanation as to why it is safe, but could someone explain it to me so I can stop thinking about it?! Thanks!

+1  A: 

I suppose that it depends on the hacker and the type of hack they are employing. If you're asking if some Joe Schmoe can view the config file settings from the web, then the answer is no. See Can a Client View Server Side PHP Source Code for more details.

If you're concerned that a hacker will break into your server for that kind of information, then you might want to invest some time in extending or overriding the native Database library and add some encryption for the database information as you read it from the configuration file. Or if you want to go completely hidden on the configuration, you could spend some time extending the Config class.

On the surface, CodeIgniter is as secure as any other PHP framework from the file sense. Place appropriate .htaccess rules and the web side should be just fine. That just leaves proper security of your web server.

villecoder
A: 

Try running Google Skipfish against your app. See if it can sniff any lapses in security. The more likely case is your app using $_GET and $_POST variables directly in views, rather than the framework exposing your app to some risks.

stillstanding