author: Kyle Farris <kylefarris@kylefarris.gotdns.org> 2011-10-14 18:48:53 +0200
committer: Kyle Farris <kylefarris@kylefarris.gotdns.org> 2011-10-14 18:48:53 +0200
commit: 974cc5757e1da3a89af7b9bc700b805ba05dd3bb (patch)
tree: 109313ba07a2eed2bb8d015ef5f6af8f9205dae2 /user_guide_src/source/general/security.rst
parent: 6636cef6fc457b3a0490d051587cb430aa0021d0 (diff)
parent: a2125a5d830fd390b4cf35f77e9bb0558cfa2dd7 (diff)
Merged with develop and updated to new changelog.
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r--  user_guide_src/source/general/security.rst  90
1 file changed, 90 insertions, 0 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
new file mode 100644
index 000000000..4d7a213d1
--- /dev/null
+++ b/user_guide_src/source/general/security.rst
@@ -0,0 +1,90 @@
+########
+Security
+########
+
+This page describes some "best practices" regarding web security, and
+details CodeIgniter's internal security features.
+
+URI Security
+============
+
+CodeIgniter is fairly restrictive regarding which characters it allows
+in your URI strings in order to help minimize the possibility that
+malicious data can be passed to your application. URIs may only contain
+the following:
+
+- Alpha-numeric text
+- Tilde: ~
+- Period: .
+- Colon: :
+- Underscore: \_
+- Dash: -
+
+Register_globals
+=================
+
+During system initialization all global variables are unset, except
+those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting
+routine is effectively the same as register_globals = off.
+
+error_reporting
+================
+
+In production environments, it is typically desirable to disable PHP's
+error reporting by setting the internal error_reporting flag to a value
+of 0. This disables native PHP errors from being rendered as output,
+which may potentially contain sensitive information.
+
+Setting CodeIgniter's **ENVIRONMENT** constant in index.php to a value of
+**\'production\'** will turn off these errors. In development mode, it is
+recommended that a value of 'development' is used. More information
+about differentiating between environments can be found on the :doc:`Handling
+Environments <environments>` page.
+
+magic_quotes_runtime
+======================
+
+The magic_quotes_runtime directive is turned off during system
+initialization so that you don't have to remove slashes when retrieving
+data from your database.
+
+**************
+Best Practices
+**************
+
+Before accepting any data into your application, whether it be POST data
+from a form submission, COOKIE data, URI data, XML-RPC data, or even
+data from the SERVER array, you are encouraged to practice this three
+step approach:
+
+#. Filter the data as if it were tainted.
+#. Validate the data to ensure it conforms to the correct type, length,
+ size, etc. (sometimes this step can replace step one)
+#. Escape the data before submitting it into your database.
+
+CodeIgniter provides the following functions to assist in this process:
+
+XSS Filtering
+=============
+
+CodeIgniter comes with a Cross Site Scripting filter. This filter
+looks for commonly used techniques to embed malicious Javascript into
+your data, or other types of code that attempt to hijack cookies or
+do other malicious things. The XSS Filter is described
+:doc:`here <../libraries/security>`.
+
+Validate the data
+=================
+
+CodeIgniter has a :doc:`Form Validation
+Class <../libraries/form_validation>` that assists you in
+validating, filtering, and prepping your data.
+
+Escape all data before database insertion
+=========================================
+
+Never insert information into your database without escaping it.
+Please see the section that discusses
+:doc:`queries <../database/queries>` for more information.
+
+
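Review bot: the continuation line of the second numbered item under "Best Practices" (`+ size, etc. (sometimes this step can replace step one)`) is indented by one space, but reStructuredText requires continuation lines of an enumerated item to align with the item text (three spaces after `#. `); as written, docutils will emit an "unexpected unindent" warning and break the list after item two, so indent that line to match. Two smaller points in the same hunk: the error_reporting section recommends setting error_reporting to 0 in production, which suppresses errors entirely rather than only hiding them from output; it would be worth a sentence noting that errors should still be logged so operators can see failures, with only the rendering to the browser disabled. Finally, "Javascript" in the XSS Filtering section should be spelled "JavaScript", and the backslash escapes in `**\'production\'**` are unnecessary in reST (plain `**'production'**` renders the same).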