summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source/general/security.rst
diff options
context:
space:
mode:
authorJoël Cox <joel@joelcox.nl>2011-10-09 18:45:09 +0200
committerJoël Cox <joel@joelcox.nl>2011-10-09 18:45:09 +0200
commit8ffcb2c8c7ef3da54d7e46c29d502533e413c820 (patch)
tree1f94e2e81b4d20f2df827b8a84eeda27032161a1 /user_guide_src/source/general/security.rst
parentf4fb1db458fab52d0493ead52c9ea7e01206eaa7 (diff)
parent6858c0753a7221796d6a5a1d7fea93cc2f9feb2e (diff)
Merged develop branch in tutorial.
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r--user_guide_src/source/general/security.rst90
1 files changed, 90 insertions, 0 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
new file mode 100644
index 000000000..4d7a213d1
--- /dev/null
+++ b/user_guide_src/source/general/security.rst
@@ -0,0 +1,90 @@
+########
+Security
+########
+
+This page describes some "best practices" regarding web security, and
+details CodeIgniter's internal security features.
+
+URI Security
+============
+
+CodeIgniter is fairly restrictive regarding which characters it allows
+in your URI strings in order to help minimize the possibility that
+malicious data can be passed to your application. URIs may only contain
+the following:
+
+- Alpha-numeric text
+- Tilde: ~
+- Period: .
+- Colon: :
+- Underscore: \_
+- Dash: -
+
+Register_globals
+=================
+
+During system initialization all global variables are unset, except
+those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting
+routine is effectively the same as register_globals = off.
+
+error_reporting
+================
+
+In production environments, it is typically desirable to disable PHP's
+error reporting by setting the internal error_reporting flag to a value
+of 0. This disables native PHP errors from being rendered as output,
+which may potentially contain sensitive information.
+
+Setting CodeIgniter's **ENVIRONMENT** constant in index.php to a value of
+**\'production\'** will turn off these errors. In development mode, it is
+recommended that a value of 'development' is used. More information
+about differentiating between environments can be found on the :doc:`Handling
+Environments <environments>` page.
+
+magic_quotes_runtime
+======================
+
+The magic_quotes_runtime directive is turned off during system
+initialization so that you don't have to remove slashes when retrieving
+data from your database.
+
+**************
+Best Practices
+**************
+
+Before accepting any data into your application, whether it be POST data
+from a form submission, COOKIE data, URI data, XML-RPC data, or even
+data from the SERVER array, you are encouraged to practice this three
+step approach:
+
+#. Filter the data as if it were tainted.
+#. Validate the data to ensure it conforms to the correct type, length,
+ size, etc. (sometimes this step can replace step one)
+#. Escape the data before submitting it into your database.
+
+CodeIgniter provides the following functions to assist in this process:
+
+XSS Filtering
+=============
+
+CodeIgniter comes with a Cross Site Scripting filter. This filter
+looks for commonly used techniques to embed malicious Javascript into
+your data, or other types of code that attempt to hijack cookies or
+do other malicious things. The XSS Filter is described
+:doc:`here <../libraries/security>`.
+
+Validate the data
+=================
+
+CodeIgniter has a :doc:`Form Validation
+Class <../libraries/form_validation>` that assists you in
+validating, filtering, and prepping your data.
+
+Escape all data before database insertion
+=========================================
+
+Never insert information into your database without escaping it.
+Please see the section that discusses
+:doc:`queries <../database/queries>` for more information.
+
+