diff options
38 files changed, 438 insertions, 129 deletions
diff --git a/application/config/config.php b/application/config/config.php index 1ec65435e..880393c29 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -176,6 +176,10 @@ $config['directory_trigger'] = 'd'; // experimental not currently in use | 3 = Informational Messages | 4 = All Messages | +| You can also pass in a array with threshold levels to show individual error types +| +| array(2) = Debug Messages, without Error Messages +| | For a live site you'll usually only enable Errors (1) to be logged otherwise | your log files will fill up very fast. | @@ -292,11 +296,13 @@ $config['global_xss_filtering'] = FALSE; | 'csrf_token_name' = The token name | 'csrf_cookie_name' = The cookie name | 'csrf_expire' = The number in seconds the token should expire. +| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks */ $config['csrf_protection'] = FALSE; $config['csrf_token_name'] = 'csrf_test_name'; $config['csrf_cookie_name'] = 'csrf_cookie_name'; $config['csrf_expire'] = 7200; +$config['csrf_exclude_uris'] = array(); /* |-------------------------------------------------------------------------- diff --git a/application/config/mimes.php b/application/config/mimes.php index 82767d7c8..90a1d18bb 100644 --- a/application/config/mimes.php +++ b/application/config/mimes.php @@ -8,10 +8,10 @@ | */ -$mimes = array( 'hqx' => 'application/mac-binhex40', +$mimes = array('hqx' => array('application/mac-binhex40', 'application/mac-binhex', 'application/x-binhex40', 'application/x-mac-binhex40'), 'cpt' => 'application/mac-compactpro', 'csv' => array('text/x-comma-separated-values', 'text/comma-separated-values', 'application/octet-stream', 'application/vnd.ms-excel', 'application/x-csv', 'text/x-csv', 'text/csv', 'application/csv', 'application/excel', 'application/vnd.msexcel'), - 'bin' => 'application/macbinary', + 'bin' => array('application/macbinary', 'application/mac-binary', 'application/octet-stream', 'application/x-binary', 'application/x-macbinary'), 'dms' => 'application/octet-stream', 'lha' => 'application/octet-stream', 'lzh' => 'application/octet-stream', @@ -39,6 +39,7 @@ $mimes = array( 'hqx' => 'application/mac-binhex40', 'dvi' => 'application/x-dvi', 'gtar' => 'application/x-gtar', 'gz' => 'application/x-gzip', + 'gzip' => 'application/x-gzip', 'php' => 'application/x-httpd-php', 'php4' => 'application/x-httpd-php', 'php3' => 'application/x-httpd-php', @@ -51,14 +52,14 @@ $mimes = array( 'hqx' => 'application/mac-binhex40', 'tgz' => array('application/x-tar', 'application/x-gzip-compressed'), 'xhtml' => 'application/xhtml+xml', 'xht' => 'application/xhtml+xml', - 'zip' => array('application/x-zip', 'application/zip', 'application/x-zip-compressed'), + 'zip' => array('application/x-zip', 'application/zip', 'application/x-zip-compressed'), 'mid' => 'audio/midi', 'midi' => 'audio/midi', 'mpga' => 'audio/mpeg', 'mp2' => 'audio/mpeg', 'mp3' => array('audio/mpeg', 'audio/mpg', 'audio/mpeg3', 'audio/mp3'), - 'aif' => 'audio/x-aiff', - 'aiff' => 'audio/x-aiff', + 'aif' => array('audio/x-aiff', 'audio/aiff'), + 'aiff' => array('audio/x-aiff', 'audio/aiff'), 'aifc' => 'audio/x-aiff', 'ram' => 'audio/x-pn-realaudio', 'rm' => 'audio/x-pn-realaudio', @@ -66,7 +67,7 @@ $mimes = array( 'hqx' => 'application/mac-binhex40', 'ra' => 'audio/x-realaudio', 'rv' => 'video/vnd.rn-realvideo', 'wav' => 'audio/x-wav', - 'bmp' => 'image/bmp', + 'bmp' => array('image/bmp', 'image/x-windows-bmp'), 'gif' => 'image/gif', 'jpeg' => array('image/jpeg', 'image/pjpeg'), 'jpg' => array('image/jpeg', 'image/pjpeg'), @@ -90,7 +91,7 @@ $mimes = array( 'hqx' => 'application/mac-binhex40', 'mpe' => 'video/mpeg', 'qt' => 'video/quicktime', 'mov' => 'video/quicktime', - 'avi' => 'video/x-msvideo', + 'avi' => array('video/x-msvideo', 'video/msvideo', 'video/avi', 'application/x-troff-msvideo'), 'movie' => 'video/x-sgi-movie', 'doc' => 'application/msword', 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', @@ -98,7 +99,40 @@ $mimes = array( 'hqx' => 'application/mac-binhex40', 'word' => array('application/msword', 'application/octet-stream'), 'xl' => 'application/excel', 'eml' => 'message/rfc822', - 'json' => array('application/json', 'text/json') + 'json' => array('application/json', 'text/json'), + 'pem' => array('application/x-x509-user-cert', 'application/x-pem-file', 'application/octet-stream'), + 'p10' => array('application/x-pkcs10', 'application/pkcs10'), + 'p12' => 'application/x-pkcs12', + 'p7a' => 'application/x-pkcs7-signature', + 'p7c' => array('application/pkcs7-mime', 'application/x-pkcs7-mime'), + 'p7m' => array('application/pkcs7-mime', 'application/x-pkcs7-mime'), + 'p7r' => 'application/x-pkcs7-certreqresp', + 'p7s' => 'application/pkcs7-signature', + 'crt' => array('application/x-x509-ca-cert', 'application/x-x509-user-cert', 'application/pkix-cert'), + 'crl' => array('application/pkix-crl', 'application/pkcs-crl'), + 'der' => 'application/x-x509-ca-cert', + 'kdb' => 'application/octet-stream', + 'pgp' => 'application/pgp', + 'gpg' => 'application/gpg-keys', + 'sst' => 'application/octet-stream', + 'csr' => 'application/octet-stream', + 'rsa' => 'application/x-pkcs7', + 'cer' => array('application/pkix-cert', 'application/x-x509-ca-cert'), + '3g2' => 'video/3gpp2', + '3gp' => 'video/3gp', + 'mp4' => 'video/mp4', + 'm4a' => 'audio/x-m4a', + 'f4v' => 'video/mp4', + 'aac' => 'audio/x-acc', + 'm4u' => 'application/vnd.mpegurl', + 'm3u' => 'text/plain', + 'xspf' => 'application/xspf+xml', + 'vlc' => 'application/videolan', + 'wmv' => 'video/x-ms-wmv', + 'au' => 'audio/x-au', + 'ac3' => 'audio/ac3', + 'flac' => 'audio/x-flac', + 'ogg' => 'audio/ogg', ); @@ -33,7 +33,7 @@ if (defined('ENVIRONMENT')) switch (ENVIRONMENT) { case 'development': - error_reporting(E_ALL); + error_reporting(-1); break; case 'testing': @@ -73,6 +73,23 @@ if (defined('ENVIRONMENT')) * */ $application_folder = 'application'; + +/* + *--------------------------------------------------------------- + * VIEW FOLDER NAME + *--------------------------------------------------------------- + * + * If you want to move the view folder out of the application + * folder set the path to the folder here. The folder can be renamed + * and relocated anywhere on your server. If blank, it will default + * to the standard location inside your application folder. If you + * do move this, use the full server path to this folder + * + * NO TRAILING SLASH! + * + */ + $view_folder = ''; + /* * -------------------------------------------------------------------- @@ -190,6 +207,22 @@ if (defined('ENVIRONMENT')) define('APPPATH', BASEPATH.$application_folder.'/'); } + + // The path to the "views" folder + if (is_dir($view_folder)) + { + define ('VIEWPATH', $view_folder .'/'); + } + else + { + if ( ! is_dir(APPPATH.'views/')) + { + exit("Your view folder path does not appear to be set correctly. Please open the following file and correct this: ".SELF); + } + + define ('VIEWPATH', APPPATH.'views/' ); + } + /* * -------------------------------------------------------------------- diff --git a/readme.md b/readme.md new file mode 100644 index 000000000..be807dbea --- /dev/null +++ b/readme.md @@ -0,0 +1,11 @@ +# What is CodeIgniter + +CodeIgniter is an Application Development Framework - a toolkit - for people who build web sites using PHP. Its goal is to enable you to develop projects much faster than you could if you were writing code from scratch, by providing a rich set of libraries for commonly needed tasks, as well as a simple interface and logical structure to access these libraries. CodeIgniter lets you creatively focus on your project by minimizing the amount of code needed for a given task. + +# Resources + + * [User Guide](http://codeigniter.com/user_guide/) + * [Community Forums](http://codeigniter.com/forums/) + * [User Voice](http://codeigniter.uservoice.com/forums/40508-codeigniter-reactor) + * [Community Wiki](http://codeigniter.com/wiki/) + * [Community IRC](http://webchat.freenode.net/?channels=codeigniter&uio=d4)
\ No newline at end of file diff --git a/system/core/Common.php b/system/core/Common.php index db9fbeb9f..d79375475 100644 --- a/system/core/Common.php +++ b/system/core/Common.php @@ -132,9 +132,9 @@ if ( ! function_exists('load_class')) $name = FALSE; - // Look for the class first in the native system/libraries folder - // thenin the local application/libraries folder - foreach (array(BASEPATH, APPPATH) as $path) + // Look for the class first in the local application/libraries folder + // then in the native system/libraries folder + foreach (array(APPPATH, BASEPATH) as $path) { if (file_exists($path.$directory.'/'.$class.'.php')) { @@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters')) } } +// ------------------------------------------------------------------------ + +/** +* Returns HTML escaped variable +* +* @access public +* @param mixed +* @return mixed +*/ +if ( ! function_exists('html_escape')) +{ + function html_escape($var) + { + if (is_array($var)) + { + return array_map('html_escape', $var); + } + else + { + return htmlspecialchars($var, ENT_QUOTES, config_item('charset')); + } + } +} + /* End of file Common.php */ /* Location: ./system/core/Common.php */
\ No newline at end of file diff --git a/system/core/Loader.php b/system/core/Loader.php index e7fa3d3f6..de0fc06d2 100755 --- a/system/core/Loader.php +++ b/system/core/Loader.php @@ -127,7 +127,7 @@ class CI_Loader { $this->_ci_library_paths = array(APPPATH, BASEPATH); $this->_ci_helper_paths = array(APPPATH, BASEPATH); $this->_ci_model_paths = array(APPPATH); - $this->_ci_view_paths = array(APPPATH.'views/' => TRUE); + $this->_ci_view_paths = array(VIEWPATH => TRUE); log_message('debug', "Loader Class Initialized"); } @@ -1106,7 +1106,7 @@ class CI_Loader { * @param array * @return void */ - private function _ci_autoloader() + protected function _ci_autoloader() { if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php')) { diff --git a/system/core/Security.php b/system/core/Security.php index dcc680a11..342455f27 100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -33,6 +33,7 @@ class CI_Security { * @access protected */ protected $_xss_hash = ''; + /** * Random Hash for Cross Site Request Forgery Protection Cookie * @@ -40,6 +41,7 @@ class CI_Security { * @access protected */ protected $_csrf_hash = ''; + /** * Expiration time for Cross Site Request Forgery Protection Cookie * Defaults to two hours (in seconds) @@ -48,6 +50,7 @@ class CI_Security { * @access protected */ protected $_csrf_expire = 7200; + /** * Token name for Cross Site Request Forgery Protection Cookie * @@ -55,6 +58,7 @@ class CI_Security { * @access protected */ protected $_csrf_token_name = 'ci_csrf_token'; + /** * Cookie name for Cross Site Request Forgery Protection Cookie * @@ -62,12 +66,14 @@ class CI_Security { * @access protected */ protected $_csrf_cookie_name = 'ci_csrf_token'; + /** * List of never allowed strings * * @var array * @access protected */ + protected $_never_allowed_str = array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', @@ -80,7 +86,6 @@ class CI_Security { '<![CDATA[' => '<![CDATA[' ); - /* never allowed, regex replacement */ /** * List of never allowed regex replacement * @@ -134,6 +139,16 @@ class CI_Security { { return $this->csrf_set_cookie(); } + + // Check if URI has been whitelisted from CSRF checks + if ($exclude_uris = config_item('csrf_exclude_uris')) + { + $uri = load_class('URI', 'core'); + if (in_array($uri->uri_string(), $exclude_uris)) + { + return $this; + } + } // Do the tokens exist in both the _POST and _COOKIE arrays? if ( ! isset($_POST[$this->_csrf_token_name]) OR @@ -156,9 +171,9 @@ class CI_Security { unset($_COOKIE[$this->_csrf_cookie_name]); $this->_csrf_set_hash(); $this->csrf_set_cookie(); - - log_message('debug', "CSRF token verified "); - + + log_message('debug', "CSRF token verified"); + return $this; } @@ -869,7 +884,6 @@ class CI_Security { } } -// END Security Class /* End of file Security.php */ -/* Location: ./system/libraries/Security.php */ +/* Location: ./system/libraries/Security.php */
\ No newline at end of file diff --git a/system/database/DB_active_rec.php b/system/database/DB_active_rec.php index 7bab729f5..37d162bc1 100644 --- a/system/database/DB_active_rec.php +++ b/system/database/DB_active_rec.php @@ -196,7 +196,7 @@ class CI_DB_active_record extends CI_DB_driver { $alias = $this->_create_alias_from_table(trim($select)); } - $sql = $type.'('.$this->_protect_identifiers(trim($select)).') AS '.$alias; + $sql = $type.'('.$this->_protect_identifiers(trim($select)).') AS '.$this->_protect_identifiers(trim($alias)); $this->ar_select[] = $sql; @@ -660,8 +660,12 @@ class CI_DB_active_record extends CI_DB_driver { $prefix = (count($this->ar_like) == 0) ? '' : $type; $v = $this->escape_like_str($v); - - if ($side == 'before') + + if ($side == 'none') + { + $like_statement = $prefix." $k $not LIKE '{$v}'"; + } + elseif ($side == 'before') { $like_statement = $prefix." $k $not LIKE '%{$v}'"; } diff --git a/system/database/drivers/cubrid/cubrid_driver.php b/system/database/drivers/cubrid/cubrid_driver.php index 3f0109249..d01140412 100644 --- a/system/database/drivers/cubrid/cubrid_driver.php +++ b/system/database/drivers/cubrid/cubrid_driver.php @@ -398,6 +398,7 @@ class CI_DB_cubrid_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php index 65397ed8f..b39bd9360 100644 --- a/system/database/drivers/mssql/mssql_driver.php +++ b/system/database/drivers/mssql/mssql_driver.php @@ -367,6 +367,7 @@ class CI_DB_mssql_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php index 28c75a5e3..f87cfea4b 100644 --- a/system/database/drivers/mysql/mysql_driver.php +++ b/system/database/drivers/mysql/mysql_driver.php @@ -385,6 +385,7 @@ class CI_DB_mysql_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } @@ -440,7 +441,7 @@ class CI_DB_mysql_driver extends CI_DB { */ function _field_data($table) { - return "SELECT * FROM ".$table." LIMIT 1"; + return "DESCRIBE ".$table; } // -------------------------------------------------------------------- diff --git a/system/database/drivers/mysql/mysql_result.php b/system/database/drivers/mysql/mysql_result.php index 507389603..2d2905c98 100644 --- a/system/database/drivers/mysql/mysql_result.php +++ b/system/database/drivers/mysql/mysql_result.php @@ -84,14 +84,19 @@ class CI_DB_mysql_result extends CI_DB_result { function field_data() { $retval = array(); - while ($field = mysql_fetch_field($this->result_id)) + while ($field = mysql_fetch_object($this->result_id)) { + preg_match('/([a-zA-Z]+)\((\d+)\)/', $field->Type, $matches); + + $type = $matches[1]; + $length = (int)$matches[2]; + $F = new stdClass(); - $F->name = $field->name; - $F->type = $field->type; - $F->default = $field->def; - $F->max_length = $field->max_length; - $F->primary_key = $field->primary_key; + $F->name = $field->Field; + $F->type = $type; + $F->default = $field->Default; + $F->max_length = $length; + $F->primary_key = ( $field->Key == 'PRI' ? 1 : 0 ); $retval[] = $F; } diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php index b1796c9df..ccd110f79 100644 --- a/system/database/drivers/mysqli/mysqli_driver.php +++ b/system/database/drivers/mysqli/mysqli_driver.php @@ -386,6 +386,7 @@ class CI_DB_mysqli_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } @@ -441,7 +442,7 @@ class CI_DB_mysqli_driver extends CI_DB { */ function _field_data($table) { - return "SELECT * FROM ".$table." LIMIT 1"; + return "DESCRIBE ".$table; } // -------------------------------------------------------------------- diff --git a/system/database/drivers/mysqli/mysqli_result.php b/system/database/drivers/mysqli/mysqli_result.php index c4d8f5d58..ac863056a 100644 --- a/system/database/drivers/mysqli/mysqli_result.php +++ b/system/database/drivers/mysqli/mysqli_result.php @@ -84,21 +84,26 @@ class CI_DB_mysqli_result extends CI_DB_result { function field_data() { $retval = array(); - while ($field = mysqli_fetch_field($this->result_id)) + while ($field = mysqli_fetch_object($this->result_id)) { + preg_match('/([a-zA-Z]+)\((\d+)\)/', $field->Type, $matches); + + $type = $matches[1]; + $length = (int)$matches[2]; + $F = new stdClass(); - $F->name = $field->name; - $F->type = $field->type; - $F->default = $field->def; - $F->max_length = $field->max_length; - $F->primary_key = ($field->flags & MYSQLI_PRI_KEY_FLAG) ? 1 : 0; + $F->name = $field->Field; + $F->type = $type; + $F->default = $field->Default; + $F->max_length = $length; + $F->primary_key = ( $field->Key == 'PRI' ? 1 : 0 ); $retval[] = $F; } return $retval; } - + // -------------------------------------------------------------------- /** diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php index 14df104ff..42cfaaefb 100644 --- a/system/database/drivers/oci8/oci8_driver.php +++ b/system/database/drivers/oci8/oci8_driver.php @@ -470,6 +470,7 @@ class CI_DB_oci8_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php index 81e0d7cf2..5e764e071 100644 --- a/system/database/drivers/odbc/odbc_driver.php +++ b/system/database/drivers/odbc/odbc_driver.php @@ -339,6 +339,7 @@ class CI_DB_odbc_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php index 140396885..5367f9759 100644 --- a/system/database/drivers/postgre/postgre_driver.php +++ b/system/database/drivers/postgre/postgre_driver.php @@ -385,6 +385,7 @@ class CI_DB_postgre_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } diff --git a/system/database/drivers/sqlite/sqlite_driver.php b/system/database/drivers/sqlite/sqlite_driver.php index eb4e585b3..0cc898b38 100644 --- a/system/database/drivers/sqlite/sqlite_driver.php +++ b/system/database/drivers/sqlite/sqlite_driver.php @@ -354,6 +354,7 @@ class CI_DB_sqlite_driver extends CI_DB { } $row = $query->row(); + $this->_reset_select(); return (int) $row->numrows; } diff --git a/system/database/drivers/sqlsrv/sqlsrv_driver.php b/system/database/drivers/sqlsrv/sqlsrv_driver.php index 1d32792ce..400fd31c6 100644 --- a/system/database/drivers/sqlsrv/sqlsrv_driver.php +++ b/system/database/drivers/sqlsrv/sqlsrv_driver.php @@ -344,6 +344,7 @@ class CI_DB_sqlsrv_driver extends CI_DB { return '0'; $row = $query->row(); + $this->_reset_select(); return $row->numrows; } diff --git a/system/helpers/date_helper.php b/system/helpers/date_helper.php index 553e8d7ee..6c559bb25 100644 --- a/system/helpers/date_helper.php +++ b/system/helpers/date_helper.php @@ -491,6 +491,72 @@ if ( ! function_exists('human_to_unix')) // ------------------------------------------------------------------------ /** + * Turns many "reasonably-date-like" strings into something + * that is actually useful. This only works for dates after unix epoch. + * + * @access public + * @param string The terribly formatted date-like string + * @param string Date format to return (same as php date function) + * @return string + */ +if ( ! function_exists('nice_date')) +{ + function nice_date($bad_date='', $format=false) + { + if (empty($bad_date)) + { + return 'Unknown'; + } + // Date like: YYYYMM + if (preg_match('/^\d{6}$/',$bad_date)) + { + //echo $bad_date." "; + if (in_array(substr($bad_date, 0, 2),array('19', '20'))) + { + $year = substr($bad_date, 0, 4); + $month = substr($bad_date, 4, 2); + } + else + { + $month = substr($bad_date, 0, 2); + $year = substr($bad_date, 2, 4); + } + return date($format, strtotime($year . '-' . $month . '-01')); + + } + + // Date Like: YYYYMMDD + if (preg_match('/^\d{8}$/',$bad_date)) + { + $month = substr($bad_date, 0, 2); + $day = substr($bad_date, 2, 2); + $year = substr($bad_date, 4, 4); + return date($format, strtotime($month . '/01/' . $year)); + } + + // Date Like: MM-DD-YYYY __or__ M-D-YYYY (or anything in between) + if (preg_match('/^\d{1,2}-\d{1,2}-\d{4}$/',$bad_date)) + { + list($m, $d, $y) = explode('-', $bad_date); + return date($format, strtotime("{$y}-{$m}-{$d}")); + } + + // Any other kind of string, when converted into UNIX time, + // produces "0 seconds after epoc..." is probably bad... + // return "Invalid Date". + if (date('U', strtotime($bad_date)) == '0') + { + return "Invalid Date"; + } + + // It's probably a valid-ish date format already + return date($format, strtotime($bad_date)); + } +} + +// ------------------------------------------------------------------------ + +/** * Timezone Menu * * Generates a drop-down menu of timezones. diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php index 47f93e748..d9305c00b 100644 --- a/system/helpers/form_helper.php +++ b/system/helpers/form_helper.php @@ -94,7 +94,7 @@ if ( ! function_exists('form_open')) */ if ( ! function_exists('form_open_multipart')) { - function form_open_multipart($action, $attributes = array(), $hidden = array()) + function form_open_multipart($action = '', $attributes = array(), $hidden = array()) { if (is_string($attributes)) { diff --git a/system/language/english/form_validation_lang.php b/system/language/english/form_validation_lang.php index 3418f29ab..d1cf0399d 100644 --- a/system/language/english/form_validation_lang.php +++ b/system/language/english/form_validation_lang.php @@ -7,7 +7,7 @@ $lang['valid_emails'] = "The %s field must contain all valid email addresses."; $lang['valid_url'] = "The %s field must contain a valid URL."; $lang['valid_ip'] = "The %s field must contain a valid IP."; $lang['min_length'] = "The %s field must be at least %s characters in length."; -$lang['max_length'] = "The %s field can not exceed %s characters in length."; +$lang['max_length'] = "The %s field cannot exceed %s characters in length."; $lang['exact_length'] = "The %s field must be exactly %s characters in length."; $lang['alpha'] = "The %s field may only contain alphabetical characters."; $lang['alpha_numeric'] = "The %s field may only contain alpha-numeric characters."; diff --git a/system/libraries/Cache/drivers/Cache_file.php b/system/libraries/Cache/drivers/Cache_file.php index 13e2d1af6..6c37e7005 100644 --- a/system/libraries/Cache/drivers/Cache_file.php +++ b/system/libraries/Cache/drivers/Cache_file.php @@ -157,17 +157,16 @@ class CI_Cache_file extends CI_Driver { if (is_array($data)) { - $data = $data['data']; $mtime = filemtime($this->_cache_path.$id); - if ( ! isset($data['ttl'])) + if ( ! isset($data['data']['ttl'])) { return FALSE; } return array( - 'expire' => $mtime + $data['ttl'], - 'mtime' => $mtime + 'expire' => $mtime + $data['data']['ttl'], + 'mtime' => $mtime ); } diff --git a/system/libraries/Cache/drivers/Cache_memcached.php b/system/libraries/Cache/drivers/Cache_memcached.php index ec2fd216a..04aa81a5a 100644 --- a/system/libraries/Cache/drivers/Cache_memcached.php +++ b/system/libraries/Cache/drivers/Cache_memcached.php @@ -10,19 +10,19 @@ * @license http://codeigniter.com/user_guide/license.html * @link http://codeigniter.com * @since Version 2.0 - * @filesource + * @filesource */ // ------------------------------------------------------------------------ /** - * CodeIgniter Memcached Caching Class + * CodeIgniter Memcached Caching Class * * @package CodeIgniter * @subpackage Libraries * @category Core * @author ExpressionEngine Dev Team - * @link + * @link */ class CI_Cache_memcached extends CI_Driver { @@ -37,18 +37,18 @@ class CI_Cache_memcached extends CI_Driver { ) ); - // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------ /** * Fetch from cache * * @param mixed unique key id * @return mixed data on success/false on failure - */ + */ public function get($id) - { + { $data = $this->_memcached->get($id); - + return (is_array($data)) ? $data[0] : FALSE; } @@ -64,11 +64,11 @@ class CI_Cache_memcached extends CI_Driver { */ public function save($id, $data, $ttl = 60) { - return $this->_memcached->add($id, array($data, time(), $ttl), $ttl); + return $this->_memcached->set($id, array($data, time(), $ttl), $ttl); } // ------------------------------------------------------------------------ - + /** * Delete from Cache * @@ -81,7 +81,7 @@ class CI_Cache_memcached extends CI_Driver { } // ------------------------------------------------------------------------ - + /** * Clean the Cache * @@ -106,7 +106,7 @@ class CI_Cache_memcached extends CI_Driver { } // ------------------------------------------------------------------------ - + /** * Get Cache Metadata * @@ -140,6 +140,7 @@ class CI_Cache_memcached extends CI_Driver { { // Try to load memcached server info from the config file. $CI =& get_instance(); + if ($CI->config->load('memcached', TRUE, TRUE)) { if (is_array($CI->config->config['memcached'])) @@ -149,11 +150,24 @@ class CI_Cache_memcached extends CI_Driver { foreach ($CI->config->config['memcached'] as $name => $conf) { $this->_memcache_conf[$name] = $conf; - } - } + } + } + } + + if (class_exists('Memcached')) + { + $this->_memcached = new Memcached(); + } + else if (class_exists('Memcache')) + { + $this->_memcached = new Memcache(); + } + else + { + log_message('error', 'Failed to create object for Memcached Cache; extension not loaded?'); + + return FALSE; } - - $this->_memcached = new Memcached(); foreach ($this->_memcache_conf as $name => $cache_server) { @@ -161,26 +175,42 @@ class CI_Cache_memcached extends CI_Driver { { $cache_server['hostname'] = $this->_default_options['default_host']; } - + if ( ! array_key_exists('port', $cache_server)) { $cache_server['port'] = $this->_default_options['default_port']; } - + if ( ! array_key_exists('weight', $cache_server)) { $cache_server['weight'] = $this->_default_options['default_weight']; } - - $this->_memcached->addServer( - $cache_server['hostname'], $cache_server['port'], $cache_server['weight'] - ); + + if (get_class($this->_memcached) == 'Memcache') + { + // Third parameter is persistance and defaults to TRUE. + $this->_memcached->addServer( + $cache_server['hostname'], + $cache_server['port'], + TRUE, + $cache_server['weight'] + ); + } + else + { + $this->_memcached->addServer( + $cache_server['hostname'], + $cache_server['port'], + $cache_server['weight'] + ); + } } + + return TRUE; } // ------------------------------------------------------------------------ - /** * Is supported * @@ -189,15 +219,14 @@ class CI_Cache_memcached extends CI_Driver { */ public function is_supported() { - if ( ! extension_loaded('memcached')) + if ( ! extension_loaded('memcached') && ! extension_loaded('memcache')) { log_message('error', 'The Memcached Extension must be loaded to use Memcached Cache.'); - + return FALSE; } - - $this->_setup_memcached(); - return TRUE; + + return $this->_setup_memcached(); } // ------------------------------------------------------------------------ diff --git a/system/libraries/Email.php b/system/libraries/Email.php index e28c23a04..28a3d17b4 100644 --- a/system/libraries/Email.php +++ b/system/libraries/Email.php @@ -452,7 +452,7 @@ class CI_Email { */ public function set_alt_message($str = '') { - $this->alt_message = $str; + $this->alt_message = (string) $str; return $this; } @@ -477,12 +477,12 @@ class CI_Email { * Set Wordwrap * * @access public - * @param string + * @param bool * @return void */ public function set_wordwrap($wordwrap = TRUE) { - $this->wordwrap = ($wordwrap === FALSE) ? FALSE : TRUE; + $this->wordwrap = (bool) $wordwrap; return $this; } diff --git a/system/libraries/Log.php b/system/libraries/Log.php index 9f1db76ba..bf10d4727 100644 --- a/system/libraries/Log.php +++ b/system/libraries/Log.php @@ -27,10 +27,12 @@ class CI_Log { protected $_log_path; - protected $_threshold = 1; - protected $_date_fmt = 'Y-m-d H:i:s'; - protected $_enabled = TRUE; - protected $_levels = array('ERROR' => '1', 'DEBUG' => '2', 'INFO' => '3', 'ALL' => '4'); + protected $_threshold = 1; + protected $_threshold_max = 0; + protected $_threshold_array = array(); + protected $_date_fmt = 'Y-m-d H:i:s'; + protected $_enabled = TRUE; + protected $_levels = array('ERROR' => '1', 'DEBUG' => '2', 'INFO' => '3', 'ALL' => '4'); /** * Constructor @@ -50,6 +52,11 @@ class CI_Log { { $this->_threshold = $config['log_threshold']; } + elseif (is_array($config['log_threshold'])) + { + $this->_threshold = $this->_threshold_max; + $this->_threshold_array = array_flip($config['log_threshold']); + } if ($config['log_date_format'] != '') { @@ -80,9 +87,13 @@ class CI_Log { if ( ! isset($this->_levels[$level]) OR ($this->_levels[$level] > $this->_threshold)) { - return FALSE; + if (empty($this->_threshold_array) OR ! isset($this->_threshold_array[$this->_levels[$level]])) + { + return FALSE; + } } + $filepath = $this->_log_path.'log-'.date('Y-m-d').'.php'; $message = ''; diff --git a/system/libraries/Profiler.php b/system/libraries/Profiler.php index 082a5ee1d..330acce73 100644 --- a/system/libraries/Profiler.php +++ b/system/libraries/Profiler.php @@ -493,7 +493,7 @@ class CI_Profiler { * * @return string */ - private function _compile_session_data() + protected function _compile_session_data() { if ( ! isset($this->CI->session)) { @@ -555,4 +555,4 @@ class CI_Profiler { // END CI_Profiler class /* End of file Profiler.php */ -/* Location: ./system/libraries/Profiler.php */
\ No newline at end of file +/* Location: ./system/libraries/Profiler.php */ diff --git a/system/libraries/Upload.php b/system/libraries/Upload.php index 3177424c4..8f324de79 100644 --- a/system/libraries/Upload.php +++ b/system/libraries/Upload.php @@ -30,6 +30,7 @@ class CI_Upload { public $max_width = 0; public $max_height = 0; public $max_filename = 0; + public $max_filename_increment = 100; public $allowed_types = ""; public $file_temp = ""; public $file_name = ""; @@ -80,31 +81,32 @@ class CI_Upload { public function initialize($config = array()) { $defaults = array( - 'max_size' => 0, - 'max_width' => 0, - 'max_height' => 0, - 'max_filename' => 0, - 'allowed_types' => "", - 'file_temp' => "", - 'file_name' => "", - 'orig_name' => "", - 'file_type' => "", - 'file_size' => "", - 'file_ext' => "", - 'upload_path' => "", - 'overwrite' => FALSE, - 'encrypt_name' => FALSE, - 'is_image' => FALSE, - 'image_width' => '', - 'image_height' => '', - 'image_type' => '', - 'image_size_str' => '', - 'error_msg' => array(), - 'mimes' => array(), - 'remove_spaces' => TRUE, - 'xss_clean' => FALSE, - 'temp_prefix' => "temp_file_", - 'client_name' => '' + 'max_size' => 0, + 'max_width' => 0, + 'max_height' => 0, + 'max_filename' => 0, + 'max_filename_increment' => 100, + 'allowed_types' => "", + 'file_temp' => "", + 'file_name' => "", + 'orig_name' => "", + 'file_type' => "", + 'file_size' => "", + 'file_ext' => "", + 'upload_path' => "", + 'overwrite' => FALSE, + 'encrypt_name' => FALSE, + 'is_image' => FALSE, + 'image_width' => '', + 'image_height' => '', + 'image_type' => '', + 'image_size_str' => '', + 'error_msg' => array(), + 'mimes' => array(), + 'remove_spaces' => TRUE, + 'xss_clean' => FALSE, + 'temp_prefix' => "temp_file_", + 'client_name' => '' ); @@ -402,7 +404,7 @@ class CI_Upload { $filename = str_replace($this->file_ext, '', $filename); $new_filename = ''; - for ($i = 1; $i < 100; $i++) + for ($i = 1; $i < $this->max_filename_increment; $i++) { if ( ! file_exists($path.$filename.$i.$this->file_ext)) { diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 88b4363ea..e1a134def 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -66,17 +66,23 @@ Change Log <li>General Changes <ul> <li class="reactor">Callback validation rules can now accept parameters like any other validation rule.</li> + <li class="reactor">Ability to log certain error types, not all under a threshold.</li> + <li class="reactor">Added html_escape() to the <a href="general/common_functions.html">Common functions<a> to escape HTML output for preventing XSS easliy.</li> </ul> </li> <li>Helpers <ul> <li class="reactor">Added <samp>increment_string()</samp> to <a href="helpers/string_helper.html">String Helper</a> to turn "foo" into "foo-1" or "foo-1" into "foo-2".</li> + <li>Altered form helper - made action on form_open_multipart helper function call optional. Fixes (#65)</li> </ul> </li> <li>Database <ul> - <li class="reactor">Added a <a href="http://www.cubrid.org/" target="_blank">CUBRID</a> driver to the <a href="libraries/database.html">Database Driver</a>. Thanks to the CUBRID team for supplying this patch.</li> + <li class="reactor">Added a <a href="http://www.cubrid.org/" target="_blank">CUBRID</a> driver to the <a href="database/index.html">Database Driver</a>. Thanks to the CUBRID team for supplying this patch.</li> <li class="reactor">Typecast limit and offset in the <a href="database/queries.html">Database Driver</a> to integers to avoid possible injection.</li> + <li class="reactor"> + Added additional option 'none' for the optional third argument for <kbd>$this->db->like()</kbd> in the <a href="database/active_record.html">Database Driver</a>. + </li> </ul> </li> <li>Libraries @@ -85,6 +91,8 @@ Change Log <li class="reactor">Added support to set an optional parameter in your callback rules of validation using the <a href="libraries/form_validation.html">Form Validation Library</a>.</li> <li class="reactor">Added a <a href="libraries/migration.html">Migration Library</a> to assist with applying incremental updates to your database schema.</li> <li class="reactor">Driver children can be located in any package path.</li> + <li class="reactor">Added max_filename_increment config setting for Upload library.</li> + <li><samp>CI_Loader::_ci_autoloader()</samp> is now a protected method.</li> </ul> </li> </ul> @@ -95,6 +103,11 @@ Change Log <li class="reactor">If a config class was loaded first then a library with the same name is loaded, the config would be ignored.</li> <li class="reactor">Fixed a bug (Reactor #19) where 1) the 404_override route was being ignored in some cases, and 2) auto-loaded libraries were not available to the 404_override controller when a controller existed but the requested method did not.</li> <li class="rector">Fixed a bug (Reactor #89) where MySQL export would fail if the table had hyphens or other non alphanumeric/underscore characters.</li> + <li class="reactor">Fixed a bug (#200) where MySQL queries would be malformed after calling <samp>count_all()</samp> then <samp>db->get()</samp></li> + <li>Fixed a bug (#181) where a mis-spelling was in the form validation language file.</li> + <li>Fixed a bug (#160) - Removed unneeded array copy in the file cache driver.</li> + <li>Fixed a bug (#150) - <samp>field_data()</samp> now correctly returns column length.</li> + <li>Fixed a bug (#8) - <samp>load_class()</samp> now looks for core classes in <samp>APPPATH</samp> first, allowing them to be replaced.</li> </ul> <h2>Version 2.0.3</h2> @@ -114,7 +127,13 @@ Change Log <li>Visual updates to the welcome_message view file and default error templates. Thanks to <a href="https://bitbucket.org/danijelb">danijelb</a> for the pull request.</li> <li class="reactor">Added <samp>insert_batch()</samp> function to the PostgreSQL database driver. Thanks to epallerols for the patch.</li> <li class="reactor">Added "application/x-csv" to mimes.php.</li> + <li class="reactor">Added CSRF protection URI whitelisting.</li> <li>Fixed a bug where <a href="libraries/email.html">Email library</a> attachments with a "." in the name would using invalid MIME-types.</li> + <li>Added support for pem,p10,p12,p7a,p7c,p7m,p7r,p7s,crt,crl,der,kdb,rsa,cer,sst,csr Certs to mimes.php.</li> + <li>Added support pgp,gpg to mimes.php.</li> + <li>Added support 3gp, 3g2, mp4, wmv, f4v, vlc Video files to mimes.php.</li> + <li>Added support m4a, aac, m4u, xspf, au, ac3, flac, ogg Audio files to mimes.php.</li> + </ul> </li> <li>Helpers diff --git a/user_guide/database/active_record.html b/user_guide/database/active_record.html index 3f44fcd5b..92d9614d5 100644 --- a/user_guide/database/active_record.html +++ b/user_guide/database/active_record.html @@ -334,6 +334,13 @@ $this->db->or_where('id >', $id); $this->db->like('title', 'match', 'both'); <br /> // Produces: WHERE title LIKE '%match%' </code> </li> +If you do not want to use the wildcard (%) you can pass to the optional third argument the option 'none'. + +<code> + $this->db->like('title', 'match', 'none'); <br /> +// Produces: WHERE title LIKE 'match' +</code> + <li><strong>Associative array method:</strong> <code> @@ -525,7 +532,7 @@ $this->db->insert('mytable', $object); <p>Generates an insert string based on the data you supply, and runs the query. You can either pass an <strong>array</strong> or an <strong>object</strong> to the function. Here is an example using an array:</p> -<code> +<code> $data = array(<br/> array(<br /> 'title' => 'My title' ,<br /> @@ -537,7 +544,7 @@ $data = array(<br/> 'name' => 'Another Name' ,<br /> 'date' => 'Another date'<br /> )<br/> -);<br /> +);<br /> <br /> $this->db->update_batch('mytable', $data); <br /><br /> diff --git a/user_guide/general/common_functions.html b/user_guide/general/common_functions.html index 65457759d..7cff6321c 100644 --- a/user_guide/general/common_functions.html +++ b/user_guide/general/common_functions.html @@ -104,6 +104,8 @@ else<br /> <p>This function prevents inserting null characters between ascii characters, like Java\0script.</p> +<h2>html_escape(<var>$mixed</var>)</h2> +<p>This function provides short cut for htmlspecialchars() function. It accepts string and array. To prevent Cross Site Scripting (XSS), it is very useful.</p> </div> diff --git a/user_guide/helpers/date_helper.html b/user_guide/helpers/date_helper.html index f930ea3ae..5b00e25e0 100644 --- a/user_guide/helpers/date_helper.html +++ b/user_guide/helpers/date_helper.html @@ -234,6 +234,20 @@ $unix = human_to_unix($human);</code> +<h2>nice_date()</h2> + +<p>This function can take a number poorly-formed date formats and convert them into something useful. It also accepts well-formed dates.</p> +<p>The function will return a Unix timestamp by default. You can, optionally, pass a format string (the same type as the PHP date function accepts) as the second parameter. Example:</p> + +<code>$bad_time = 199605<br /> +<br /> +// Should Produce: 1996-05-01<br /> +$better_time = nice_date($bad_time,'Y-m-d');<br /> +<br /> +$bad_time = 9-11-2001<br /> +// Should Produce: 2001-09-11<br /> +$better_time = nice_date($human,'Y-m-d');</code> + <h2>timespan()</h2> diff --git a/user_guide/installation/index.html b/user_guide/installation/index.html index 5e8ab3883..84338e2e6 100644 --- a/user_guide/installation/index.html +++ b/user_guide/installation/index.html @@ -72,7 +72,9 @@ variables at the top of the file with the new name you've chosen.</p> <p>For the best security, both the <dfn>system</dfn> and any <dfn>application</dfn> folders should be placed above web root so that they are not directly accessible via a browser. By default, .htaccess files are included in each folder to help prevent direct access, but it is best to remove them from public access entirely in case the web server configuration changes or doesn't abide by the .htaccess.</p> -<p>After moving them, open your main <kdb>index.php</kbd> file and set the <samp>$system_folder</samp> and <samp>$application_folder</samp> variables, preferably with a full path, e.g. '<dfn>/www/MyUser/system</dfn>'.</p> +<p>If you would like to keep your views public it is also possible to move the <dfn>views</dfn> folder out of your application folder.</p> + +<p>After moving them, open your main <kdb>index.php</kbd> file and set the <samp>$system_folder</samp>, <samp>$application_folder</samp> and <samp>$view_folder</samp> variables, preferably with a full path, e.g. '<dfn>/www/MyUser/system</dfn>'.</p> <p> One additional measure to take in production environments is to disable diff --git a/user_guide/installation/upgrade_203.html b/user_guide/installation/upgrade_203.html index 7dbc907ea..04899832d 100644 --- a/user_guide/installation/upgrade_203.html +++ b/user_guide/installation/upgrade_203.html @@ -65,27 +65,23 @@ Upgrading from 2.0.2 to 2.0.3 <p>Replace all files and directories in your "system" folder and replace your index.php file. If any modifications were made to your index.php they will need to be made fresh in this new one.</p> <p class="important"><strong>Note:</strong> If you have any custom developed files in these folders please make copies of them first.</p> - -<h2>Step 2: Update CodeIgniter files</h2> - -<p>Replace the files and directories in your "system" folder with the new versions:</p> -<h2>Step 3: Update your main index.php file</h2> +<h2>Step 2: Update your main index.php file</h2> <p>If you are running a stock <dfn>index.php</dfn> file simply replace your version with the new one.</p> <p>If your <dfn>index.php</dfn> file has internal modifications, please add your modifications to the new file and use it.</p> -<h2>Step 4: Replace config/user_agents.php</h2> +<h2>Step 3: Replace config/user_agents.php</h2> <p>This config file has been updated to contain more user agent types, please copy it to <kbd>application/config/user_agents.php</kbd>.</p> -<h2>Step 5: Change references of the EXT constant to ".php"</h2> +<h2>Step 4: Change references of the EXT constant to ".php"</h2> <p class="important"><strong>Note:</strong> The EXT Constant has been marked as deprecated, but has not been removed from the application. You are encouraged to make the changes sooner rather than later.</p> -<h2>Step 6: Remove APPPATH.'third_party' from autoload.php</h2> +<h2>Step 5: Remove APPPATH.'third_party' from autoload.php</h2> -<p>Open application/autoload.php, and look for the following:</p> +<p>Open application/config/autoload.php, and look for the following:</p> <code>$autoload['packages'] = array(APPPATH.'third_party');</code> diff --git a/user_guide/libraries/file_uploading.html b/user_guide/libraries/file_uploading.html index a88c67220..94b219355 100644 --- a/user_guide/libraries/file_uploading.html +++ b/user_guide/libraries/file_uploading.html @@ -305,6 +305,13 @@ $this->upload->initialize($config);</code> </tr> <tr> +<td class="td"><strong>max_filename_increment</strong></td> +<td class="td">100</td> +<td class="td">None</td> +<td class="td">When overwrite is set to FALSE, use this to set the maximum filename increment for CodeIgniter to append to the filename.</td> +</tr> + +<tr> <td class="td"><strong>encrypt_name</strong></td> <td class="td">FALSE</td> <td class="td">TRUE/FALSE (boolean)</td> diff --git a/user_guide/libraries/form_validation.html b/user_guide/libraries/form_validation.html index d9d8a4502..ede1913e0 100644 --- a/user_guide/libraries/form_validation.html +++ b/user_guide/libraries/form_validation.html @@ -1042,6 +1042,13 @@ POST array:</p> </tr> <tr> + <td class="td"><strong>is_unique</strong></td> + <td class="td">Yes</td> + <td class="td">Returns FALSE if the form element is not unique in a database table.</td> + <td class="td">is_unique[table.field]</td> + </tr> + + <tr> <td class="td"><strong>valid_email</strong></td> <td class="td">No</td> <td class="td">Returns FALSE if the form element does not contain a valid email address.</td> diff --git a/user_guide/libraries/input.html b/user_guide/libraries/input.html index 311f76ee9..77e28488a 100644 --- a/user_guide/libraries/input.html +++ b/user_guide/libraries/input.html @@ -73,11 +73,11 @@ Input Class <p>The security filtering function is called automatically when a new <a href="../general/controllers.html">controller</a> is invoked. It does the following:</p> <ul> -<li>Destroys the global GET array. Since CodeIgniter does not utilize GET strings, there is no reason to allow it.</li> +<li>If $config['allow_get_array'] is FALSE(default is TRUE), destroys the global GET array.</li> <li>Destroys all global variables in the event register_globals is turned on.</li> -<li>Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.</li> +<li>Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.</li> <li>Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.</li> -<li>Standardizes newline characters to \n</li> +<li>Standardizes newline characters to \n(In Windows \r\n)</li> </ul> @@ -133,13 +133,13 @@ else<br /> <code>$this->input->post('some_data', TRUE);</code> <p>To return an array of all POST items call without any parameters.</p> -<p>To return all POST items and pass them through the XSS filter leave the first parameter blank while setting the second parameter to boolean;</p> +<p>To return all POST items and pass them through the XSS filter set the first parameter NULL while setting the second parameter to boolean;</p> <p>The function returns FALSE (boolean) if there are no items in the POST.</p> <code> - $this->input->post(); // returns all POST items with XSS filter + $this->input->post(NULL, TRUE); // returns all POST items with XSS filter <br /> - $this->input->post(NULL, FALSE); // returns all POST items without XSS + $this->input->post(); // returns all POST items without XSS filter </code> <h2>$this->input->get()</h2> @@ -149,13 +149,13 @@ else<br /> <code>$this->input->get('some_data', TRUE);</code> <p>To return an array of all GET items call without any parameters.</p> -<p>To return all GET items and pass them through the XSS filter leave the first parameter blank while setting the second parameter to boolean;</p> +<p>To return all GET items and pass them through the XSS filter set the first parameter NULL while setting the second parameter to boolean;</p> <p>The function returns FALSE (boolean) if there are no items in the GET.</p> <code> - $this->input->get(); // returns all GET items with XSS filter + $this->input->get(NULL, TRUE); // returns all GET items with XSS filter <br /> - $this->input->get(NULL, FALSE); // returns all GET items without XSS filtering + $this->input->get(); // returns all GET items without XSS filtering </code> <h2>$this->input->get_post()</h2> diff --git a/user_guide/libraries/security.html b/user_guide/libraries/security.html index dd62a4386..cbe12d852 100644 --- a/user_guide/libraries/security.html +++ b/user_guide/libraries/security.html @@ -116,6 +116,9 @@ Note: This function should only be used to deal with data upon submission. It's <p>If you use the <a href="../helpers/form_helper.html">form helper</a> the <var>form_open()</var> function will automatically insert a hidden csrf field in your forms.</p> +<p>Select URIs can be whitelisted from csrf protection (for example API endpoints expecting externally POSTed content). You can add these URIs by editing the 'csrf_exclude_uris' config parameter:</p> +<code>$config['csrf_exclude_uris'] = array('api/person/add');</code> + </div> <!-- END CONTENT --> |