How to protect Codeigniter site from Hacking

You may think that hackers or attackers will not target your website, or that they will not have time to attack it. If you have that idea, throw it away, because hackers attack websites for two main reasons:

  • If your site has a good ranking and many followers.
  • For fun and to pass the time.

Tips to Improve your Website’s protection

  1. Keep everything updated.
  2. Use a strong password for the login page, mixing characters, capital letters, punctuation, etc.
  3. Install an SSL (Secure Sockets Layer) certificate for your website. This helps your Google ranking and gains the readers' trust.
  4. Use two-factor authentication for your email.
  5. Always keep a backup copy of your site.

Two main attacks on a website

  • SQL Injection
  • Cross-Site Scripting

How do the attackers get into your website?

  • Installing a cracked version of a program, or unknown third-party software, can open a way for the attackers to enter your website.

Methods to prevent these attacks

1. SQL Injection

SQL injection is the most common web application vulnerability. It happens when attackers abuse an input that reaches the database in order to get sensitive data from the website: they inject malicious SQL into the application's own SQL statements. This can give the attackers control over the whole database server.

The only way to get sensitive information from the database is by attacking the Login page.

Common Query

Check whether this SQL statement evaluates to true.

SELECT * FROM users WHERE username = 'UserName' AND password = 'Password';

This is a normal query and nothing to worry about: the user is supplying the correct username and password to get into the site.

Injected Query

SELECT * FROM users WHERE username = 'username' OR '1'='1';

Because '1'='1' is always true, this statement matches every row, so the attacker gets into the database easily without knowing a valid password.

The above steps show how a common SQL injection works. Now let me show you how to prevent it.

$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));

Using a prepared statement with a bound parameter like this is an easy way to escape from SQL injection: the user's value is sent to the database as data and can never change the structure of the query.
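To see the difference in practice, here is an added example (not code from the original post) that runs the injected query from the text against a constructed in-memory SQLite database, first with string concatenation and then with a prepared statement. The table, the user "alice" and her password are made up for the demonstration; it only needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not part of the original post.
// Constructed in-memory database with one made-up user so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute(array('u' => 'alice', 'h' => password_hash('correct horse', PASSWORD_DEFAULT)));

// VULNERABLE: the username is pasted straight into the SQL text, so a quote
// character in the input ends the string and the rest becomes SQL.
function find_user_vulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT username, password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the placeholder keeps the username as a bound value; quotes inside it
// are just characters of the value and cannot alter the query.
function find_user_safe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = :username');
    $stmt->execute(array('username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login built on the safe lookup. The password is never compared inside SQL;
// it is checked against the stored hash in PHP.
function login(PDO $pdo, string $username, string $password): bool
{
    $row = find_user_safe($pdo, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Constructed input of the kind shown in the text: it closes the quote and
// appends an always-true condition.
$payload = "nobody' OR '1'='1";

// With concatenation the WHERE clause becomes  username = 'nobody' OR '1'='1',
// which matches alice's row even though no such user as "nobody" exists.
var_dump(find_user_vulnerable($pdo, $payload));

// With the prepared statement the database looks for a user whose name is
// literally  nobody' OR '1'='1  and finds nothing.
var_dump(find_user_safe($pdo, $payload));

// Normal logins keep working, and a wrong password is rejected.
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, 'alice', 'wrong password'));
```

In CodeIgniter 3 the same protection comes from the database class: `$this->db->query('SELECT * FROM users WHERE username = ?', array($username))` binds the value for you, and Query Builder calls such as `$this->db->get_where('users', array('username' => $username))` escape their arguments automatically.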

2. Cross-Site Scripting

Cross-Site Scripting (XSS) is done by injecting malicious script into the web application, for example through a crafted URL, so that the visitor's browser runs it and the security of the web application is broken.

Let me first explain how this injection happens, and then move on to protecting your website from it.

How is it injected?

The attackers use an image tag with a blank source to inject the XSS payload into the website, because a script tag would be noticed when your site is attacked. For example, once the hacker has injected the URL, they can access sensitive information from your website; they may even get the login username and password without your knowledge.

How to prevent it?

Take the page's actual code and modify it as below so that it does not produce an error while loading.

    public function Username($username)
    {
        $this->load->library('form_validation');

        // Look up the submitted username in the User_registration table.
        // get_where() uses Query Builder, so the value is escaped automatically.
        $result = $this->db->get_where('User_registration', array('Username' => $username));

        // Is there already a row with this username?
        if ($result->num_rows() > 0)
        {
            // Fail validation and set a custom message for this callback.
            $this->form_validation->set_message('Username', 'That username is already used.');
            return FALSE;
        }
        else
        {
            // Everything is good, don't return an error.
            return TRUE;
        }
    }

function Username() – This validation callback is called from the controller to check whether the user already exists on the website.

if ($result->num_rows() > 0) – If num_rows() is 1 or more, a new user with that name is not allowed to be created in the database.

Also, when there is an error, the message only says that the given username is not valid; it does not reveal the list of existing usernames.
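The validation callback above rejects duplicate usernames, but what actually stops an injected image tag from running in the browser is escaping untrusted text when it is written into the page. The following is an added example (not code from the original post) of that output escaping in plain PHP, with a constructed comment of the kind described in the text; the helper names and the sample data are made up, and the escaping call is the same one CodeIgniter 3's html_escape() wraps.

```php
<?php
// Added example, not part of the original post.

// Encode the characters that have meaning in HTML. ENT_QUOTES also encodes
// single quotes, so the result is safe inside attribute values quoted with
// either quote character. CodeIgniter 3's html_escape() does the same thing.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
}

// Renders a stored comment into a page fragment. Escaping happens at the point
// of output, so it protects the page no matter how the text got into storage.
function render_comment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . escape_html($author) . '">'
         . '<strong>' . escape_html($author) . '</strong>: '
         . escape_html($body)
         . '</div>';
}

// The broken version: the same fragment built without escaping. Any markup in
// the stored text becomes part of the page and is executed by the browser.
function render_comment_unsafe(string $author, string $body): string
{
    return '<div class="comment"><strong>' . $author . '</strong>: ' . $body . '</div>';
}

// Constructed malicious comment of the kind the text describes: an image tag
// with a blank source, whose load failure triggers an event handler.
$author = 'mallory';
$comment = '<img src="" onerror="alert(1)">';

echo "Unsafe rendering (markup kept intact, handler would run):\n";
echo render_comment_unsafe($author, $comment), "\n\n";

echo "Safe rendering (markup shown as literal text, nothing runs):\n";
echo render_comment($author, $comment), "\n";
```

In a CodeIgniter 3 view, wrap every value that came from a user in `html_escape()` before echoing it. Escaping at output is the reliable control; input filters such as `$this->input->post('comment', TRUE)` or `$this->security->xss_clean()` can be added on top, but they must not be the only defence, because a value stored as "clean" today can still be dangerous in a context the filter did not anticipate.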

I hope this was a useful and easy way to escape from these injections.
