| field | value | date |
|---|---|---|
| author | Kyle Farris <kylefarris@kylefarris.gotdns.org> | 2011-10-14 18:48:53 +0200 |
| committer | Kyle Farris <kylefarris@kylefarris.gotdns.org> | 2011-10-14 18:48:53 +0200 |
| commit | 974cc5757e1da3a89af7b9bc700b805ba05dd3bb (patch) | |
| tree | 109313ba07a2eed2bb8d015ef5f6af8f9205dae2 /user_guide_src/source/general/security.rst | |
| parent | 6636cef6fc457b3a0490d051587cb430aa0021d0 (diff) | |
| parent | a2125a5d830fd390b4cf35f77e9bb0558cfa2dd7 (diff) | |
Merged with develop and updated to new changelog.
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r-- | user_guide_src/source/general/security.rst | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst new file mode 100644 index 000000000..4d7a213d1 --- /dev/null +++ b/user_guide_src/source/general/security.rst 
@@ -0,0 +1,90 @@ +######## +Security +######## + +This page describes some "best practices" regarding web security, and +details CodeIgniter's internal security features. + +URI Security +============ + +CodeIgniter is fairly restrictive regarding which characters it allows +in your URI strings in order to help minimize the possibility that +malicious data can be passed to your application. URIs may only contain +the following: + +- Alpha-numeric text +- Tilde: ~ +- Period: . +- Colon: : +- Underscore: \_ +- Dash: - + +Register_globals +================= + +During system initialization all global variables are unset, except +those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting +routine is effectively the same as register_globals = off. + +error_reporting +================ + +In production environments, it is typically desirable to disable PHP's +error reporting by setting the internal error_reporting flag to a value +of 0. This disables native PHP errors from being rendered as output, +which may potentially contain sensitive information. + +Setting CodeIgniter's **ENVIRONMENT** constant in index.php to a value of +**\'production\'** will turn off these errors. In development mode, it is +recommended that a value of 'development' is used. More information +about differentiating between environments can be found on the :doc:`Handling +Environments <environments>` page. + +magic_quotes_runtime +====================== + +The magic_quotes_runtime directive is turned off during system +initialization so that you don't have to remove slashes when retrieving +data from your database. + +************** +Best Practices +************** + +Before accepting any data into your application, whether it be POST data +from a form submission, COOKIE data, URI data, XML-RPC data, or even +data from the SERVER array, you are encouraged to practice this three +step approach: + +#. Filter the data as if it were tainted. +#. 
Validate the data to ensure it conforms to the correct type, length, + size, etc. (sometimes this step can replace step one) +#. Escape the data before submitting it into your database. + +CodeIgniter provides the following functions to assist in this process: + +XSS Filtering +============= + +CodeIgniter comes with a Cross Site Scripting filter. This filter +looks for commonly used techniques to embed malicious Javascript into +your data, or other types of code that attempt to hijack cookies or +do other malicious things. The XSS Filter is described +:doc:`here <../libraries/security>`. + +Validate the data +================= + +CodeIgniter has a :doc:`Form Validation +Class <../libraries/form_validation>` that assists you in +validating, filtering, and prepping your data. + +Escape all data before database insertion +========================================= + +Never insert information into your database without escaping it. +Please see the section that discusses +:doc:`queries <../database/queries>` for more information. + + |
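Review bot: the "XSS Filtering" and "Escape all data before database insertion" sections in this hunk present input filtering and pre-insert escaping as the whole defence, but nowhere does the page say that data must also be escaped at output time; a reader who follows "Filter the data as if it were tainted", stores the value, and later echoes it into HTML is still exposed, so add a sentence that the XSS filter is a secondary layer and that values are escaped for the context they are rendered into (HTML body, attribute, JavaScript), and in the database section prefer bound query parameters where the queries page documents them, with manual escaping as the fallback. Two smaller points: the "error_reporting" section's advice to set error_reporting to 0 also suppresses error logging, whereas what the paragraph actually wants is that errors are not rendered (display_errors off) while still being logged, and the sentence "In development mode, it is recommended that a value of 'development' is used" only restates itself; and step 2's parenthetical "(sometimes this step can replace step one)" leaves the reader guessing when validation may replace filtering, so either state the condition (strict whitelist validation of type, length and format makes a separate filtering pass redundant) or drop the parenthetical.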