CI4 Best Practices
5 min read · Quiz at the end
CI4 best practices: escape output, explicit routing, entities, input validation, write tests.
- Always use esc() to escape output — prevents XSS
- Keep controllers thin — move logic to models or services
- Use entities for type-safe data handling
- Validate all input before processing
- Never use auto-routing in production — define routes explicitly
- Use query builder parameters — never concatenate SQL
- Store sensitive config in .env, not config files
- Enable CSRF protection for web forms
- Write tests with FeatureTestTrait
- Use page caching for expensive views
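The following is an added example, not code from the original page or from the CodeIgniter project, showing how several of the rules above fit together in one request path: a model that binds its query parameter, a thin controller that validates before delegating, an explicit route with auto-routing disabled, and a view that escapes each value for its output context. The table name, column names, model/controller names and the route name are assumptions.

```php
<?php
// Added example, not from the page: four CI4 files in one listing, separated by comments.
// Table name, column names and the route name are assumptions.
// ---- app/Models/UserModel.php ----
namespace App\Models;
use CodeIgniter\Model;

class UserModel extends Model
{
    protected $table      = 'users';
    protected $returnType = 'object';
    public function findByEmail(string $email): ?object
    {
        // Never "WHERE email = '$email'": that concatenation is the SQL injection the list forbids.
        // where() sends $email to the driver as a bound/escaped parameter instead.
        return $this->where('email', $email)->first();
    }
}

// ---- app/Controllers/Users.php (thin: validate, delegate, render) ----
namespace App\Controllers;
use App\Models\UserModel;

class Users extends BaseController
{
    public function lookup()
    {
        // Validate input before it reaches the model
        if (! $this->validate(['email' => 'required|valid_email|max_length[254]'])) {
            return redirect()->back()->withInput()->with('errors', $this->validator->getErrors());
        }
        $user = model(UserModel::class)->findByEmail($this->request->getPost('email'));
        return view('users/show', ['user' => $user]);
    }
}
// ---- app/Config/Routes.php: explicit route, auto-routing disabled ----
$routes->setAutoRoute(false);
$routes->post('users/lookup', 'Users::lookup');
?>
<!-- ---- app/Views/users/show.php: escape every value for its output context ---- -->
<form method="post" action="<?= site_url('users/lookup') ?>">
  <?= csrf_field() ?> <!-- hidden CSRF token; verified when the 'csrf' filter is enabled -->
  <input name="email">
</form>
<?php if ($user !== null): ?>
  <p>Name: <?= esc($user->name) ?></p>          <!-- 'html' context (default) -->
  <input value="<?= esc($user->email, 'attr') ?>" readonly>  <!-- 'attr' context -->
<?php endif ?>
```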
Topic Quiz · 2 questions
Test your understanding before moving on
1. What is the most important security rule for CI4 views?
💡 esc() encodes HTML special characters, preventing XSS.
2. Why disable auto-routing?
💡 Manual routing prevents attackers from guessing controller/method combinations.