author    philsturgeon <devnull@localhost>    2011-06-15 17:00:03 +0200
committer philsturgeon <devnull@localhost>    2011-06-15 17:00:03 +0200
commit    0fe54dbaf89a8337d27b9203f74891cf1a799715 (patch)
tree      ce168b3c24788e5a4a31e0cc65b64f54e25ee8a2 /user_guide/general/security.html
parent    3a43c7adae7737d68a0eeca663cc2dd3fc5b0cf3 (diff)
parent    3ef65bd7491f847fecdab1acc9687f0e90eee09b (diff)
Merged Alex Bilbie's MSSQL changes.
Diffstat (limited to 'user_guide/general/security.html')
-rw-r--r--    user_guide/general/security.html    34
1 files changed, 14 insertions, 20 deletions
diff --git a/user_guide/general/security.html b/user_guide/general/security.html
index 5ecfcf18a..31dd7978c 100644
--- a/user_guide/general/security.html
+++ b/user_guide/general/security.html
@@ -28,7 +28,7 @@
<div id="masthead">
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
-<td><h1>CodeIgniter User Guide Version 2.0.0</h1></td>
+<td><h1>CodeIgniter User Guide Version 2.0.2</h1></td>
<td id="breadcrumb_right"><a href="../toc.html">Table of Contents Page</a></td>
</tr>
</table>
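Review bot: the masthead bump from "Version 2.0.0" to "Version 2.0.2" in this hunk has nothing to do with the MSSQL change named in the commit message, so anyone tracing the MSSQL work through history will land on a documentation-only diff here. If this version string is the same hand-edited line repeated on every user-guide page, say so in the commit or split the version bump out so it can be reviewed (and reverted) on its own.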
@@ -64,7 +64,7 @@ CodeIgniter's internal security features.</p>
<h2>URI Security</h2>
<p>CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help
-minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:
+minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:
</p>
<ul>
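Review bot: the removed and added lines ending in "URIs may only contain the following:" are identical apart from whitespace, so this hunk changes nothing visible in the rendered page. Whitespace-only churn like this hides the one substantive change in the file; review with a whitespace-ignoring diff, or drop these edits from the merge.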
@@ -76,33 +76,27 @@ minimize the possibility that malicious data can be passed to your application.
<li>Dash: -</li>
</ul>
-<h2>GET, POST, and COOKIE Data</h2>
-
-<p>GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless
-you have the query string option enabled in your config file). The global GET
-array is <strong>unset</strong> by the Input class during system initialization.</p>
-
<h2>Register_globals</h2>
-<p>During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting
+<p>During system initialization all global variables are unset, except those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting
routine is effectively the same as register_globals = off.</p>
<a name="error_reporting"></a>
<h2>error_reporting</h2>
<p>
- In production environments, it is typically desirable to disable PHP's
- error reporting by setting the internal error_reporting flag to a value of 0. This disables native PHP
- errors from being rendered as output, which may potentially contain
- sensitive information.
+ In production environments, it is typically desirable to disable PHP's
+ error reporting by setting the internal error_reporting flag to a value of 0. This disables native PHP
+ errors from being rendered as output, which may potentially contain
+ sensitive information.
</p>
<p>
- Setting CodeIgniter's <kbd>ENVIRONMENT</kbd> constant in index.php to a
- value of '<kbd>production</kbd>' will turn off these errors. In development
- mode, it is recommended that a value of '<kbd>development</kbd>' is used.
- More information about differentiating between environments can be found
- on the <a href="environments.html">Handling Environments</a> page.
+ Setting CodeIgniter's <kbd>ENVIRONMENT</kbd> constant in index.php to a
+ value of '<kbd>production</kbd>' will turn off these errors. In development
+ mode, it is recommended that a value of '<kbd>development</kbd>' is used.
+ More information about differentiating between environments can be found
+ on the <a href="environments.html">Handling Environments</a> page.
</p>
<h2>magic_quotes_runtime</h2>
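Review bot: deleting the "GET, POST, and COOKIE Data" section removes the only statement of how GET data is treated, and the replacement in the Register_globals paragraph ("except those found in the $_GET, $_POST, and $_COOKIE arrays") now says $_GET survives initialization without telling readers who relied on the old text ("The global GET array is unset by the Input class during system initialization") that this has been reversed. That is a change to the documented security model, not a wording fix: the new text should state plainly that query-string data is now available to the application and point at the filter, validate and escape steps and the XSS filter described further down this page, so the reversal is explicit rather than something a reader has to infer. The error_reporting paragraphs in the same hunk are whitespace-only changes and could be left out.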
@@ -117,7 +111,7 @@ XML-RPC data, or even data from the SERVER array, you are encouraged to practice
<ol>
<li>Filter the data as if it were tainted.</li>
-<li>Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)</li>
+<li>Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)</li>
<li>Escape the data before submitting it into your database.</li>
</ol>
@@ -127,7 +121,7 @@ XML-RPC data, or even data from the SERVER array, you are encouraged to practice
<li><h2>XSS Filtering</h2>
-<p>CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly
+<p>CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly
used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies
or do other malicious things. The XSS Filter is described <a href="../libraries/security.html">here</a>.
</p>