summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source/general/security.rst
diff options
context:
space:
mode:
authorEric Barnes <eric@ericlbarnes.com>2011-11-27 06:30:22 +0100
committerEric Barnes <eric@ericlbarnes.com>2011-11-27 06:30:22 +0100
commit7e66dda705743cbfe1d522ddb73e5694006ec42c (patch)
treec08b63deb28c09ec49d9173280f1ca234debfe50 /user_guide_src/source/general/security.rst
parent7eceb03f083643254c7393c6b5ebe539e344a1ba (diff)
parente101593561a10632c1d63180436b19f1d7115046 (diff)
Merge branch 'refs/heads/develop' into feature/unit-tests
Conflicts: user_guide/helpers/number_helper.html
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r--user_guide_src/source/general/security.rst90
1 files changed, 90 insertions, 0 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
new file mode 100644
index 000000000..4d7a213d1
--- /dev/null
+++ b/user_guide_src/source/general/security.rst
@@ -0,0 +1,90 @@
+########
+Security
+########
+
+This page describes some "best practices" regarding web security, and
+details CodeIgniter's internal security features.
+
+URI Security
+============
+
+CodeIgniter is fairly restrictive regarding which characters it allows
+in your URI strings in order to help minimize the possibility that
+malicious data can be passed to your application. URIs may only contain
+the following:
+
+- Alpha-numeric text
+- Tilde: ~
+- Period: .
+- Colon: :
+- Underscore: \_
+- Dash: -
+
+Register_globals
+=================
+
+During system initialization all global variables are unset, except
+those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting
+routine is effectively the same as register_globals = off.
+
+error_reporting
+================
+
+In production environments, it is typically desirable to disable PHP's
+error reporting by setting the internal error_reporting flag to a value
+of 0. This disables native PHP errors from being rendered as output,
+which may potentially contain sensitive information.
+
+Setting CodeIgniter's **ENVIRONMENT** constant in index.php to a value of
+**\'production\'** will turn off these errors. In development mode, it is
+recommended that a value of 'development' is used. More information
+about differentiating between environments can be found on the :doc:`Handling
+Environments <environments>` page.
+
+magic_quotes_runtime
+======================
+
+The magic_quotes_runtime directive is turned off during system
+initialization so that you don't have to remove slashes when retrieving
+data from your database.
+
+**************
+Best Practices
+**************
+
+Before accepting any data into your application, whether it be POST data
+from a form submission, COOKIE data, URI data, XML-RPC data, or even
+data from the SERVER array, you are encouraged to practice this three
+step approach:
+
+#. Filter the data as if it were tainted.
+#. Validate the data to ensure it conforms to the correct type, length,
+ size, etc. (sometimes this step can replace step one)
+#. Escape the data before submitting it into your database.
+
+CodeIgniter provides the following functions to assist in this process:
+
+XSS Filtering
+=============
+
+CodeIgniter comes with a Cross Site Scripting filter. This filter
+looks for commonly used techniques to embed malicious Javascript into
+your data, or other types of code that attempt to hijack cookies or
+do other malicious things. The XSS Filter is described
+:doc:`here <../libraries/security>`.
+
+Validate the data
+=================
+
+CodeIgniter has a :doc:`Form Validation
+Class <../libraries/form_validation>` that assists you in
+validating, filtering, and prepping your data.
+
+Escape all data before database insertion
+=========================================
+
+Never insert information into your database without escaping it.
+Please see the section that discusses
+:doc:`queries <../database/queries>` for more information.
+
+