path: root/user_guide_src/source/general/security.rst
Diffstat (limited to 'user_guide_src/source/general/security.rst')
-rw-r--r--user_guide_src/source/general/security.rst51
1 files changed, 35 insertions, 16 deletions
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
index 4d7a213d1..984ca840b 100644
--- a/user_guide_src/source/general/security.rst
+++ b/user_guide_src/source/general/security.rst
@@ -13,38 +13,40 @@ in your URI strings in order to help minimize the possibility that
malicious data can be passed to your application. URIs may only contain
the following:
-- Alpha-numeric text
+- Alpha-numeric text (latin characters only)
- Tilde: ~
- Period: .
- Colon: :
- Underscore: \_
- Dash: -
+- Pipe: |
Register_globals
=================
During system initialization all global variables are unset, except
-those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting
-routine is effectively the same as register_globals = off.
+those found in the ``$_GET``, ``$_POST``, and ``$_COOKIE`` arrays.
+The unsetting routine is effectively the same as
+*register_globals = off*.
-error_reporting
-================
+display_errors
+==============
-In production environments, it is typically desirable to disable PHP's
-error reporting by setting the internal error_reporting flag to a value
+In production environments, it is typically desirable to "disable" PHP's
+error reporting by setting the internal *display_errors* flag to a value
of 0. This disables native PHP errors from being rendered as output,
which may potentially contain sensitive information.
Setting CodeIgniter's **ENVIRONMENT** constant in index.php to a value of
**\'production\'** will turn off these errors. In development mode, it is
recommended that a value of 'development' is used. More information
-about differentiating between environments can be found on the :doc:`Handling
-Environments <environments>` page.
+about differentiating between environments can be found on the
+:doc:`Handling Environments <environments>` page.
magic_quotes_runtime
-======================
+====================
-The magic_quotes_runtime directive is turned off during system
+The *magic_quotes_runtime* directive is turned off during system
initialization so that you don't have to remove slashes when retrieving
data from your database.
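Review bot: The `+- Pipe: |` line widens the set of characters a URI "may only contain" in the same hunk that narrows "Alpha-numeric text" to latin characters, and the page gives no reason for the new character; since readers treat this list as a security boundary, state why `|` is now permitted and make clear the list documents the shipped default rather than a fixed invariant. Two wording points in the same hunk: with the heading now correctly changed from error_reporting to display_errors, `"disable" PHP's error reporting` is still misleading, because display_errors = 0 only stops errors from being rendered to the client while they are still reported (and can still be logged), so "hide" or "stop displaying" fits better than a quoted "disable"; and `In development mode, it is recommended that a value of 'development' is used` is circular and could read "while developing, use 'development'".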
@@ -68,7 +70,7 @@ XSS Filtering
=============
CodeIgniter comes with a Cross Site Scripting filter. This filter
-looks for commonly used techniques to embed malicious Javascript into
+looks for commonly used techniques to embed malicious JavaScript into
your data, or other types of code that attempt to hijack cookies or
do other malicious things. The XSS Filter is described
:doc:`here <../libraries/security>`.
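Review bot: The link text `:doc:\`here <../libraries/security>\`` is a bare "here" that carries no information in the rendered table of contents or in search results; since this hunk already touches the paragraph (Javascript to JavaScript), consider naming the target, e.g. "The XSS Filter is described in the :doc:`Security Library <../libraries/security>` page."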
@@ -76,15 +78,32 @@ do other malicious things. The XSS Filter is described
Validate the data
=================
-CodeIgniter has a :doc:`Form Validation
-Class <../libraries/form_validation>` that assists you in
+CodeIgniter has a :doc:`Form Validation Library
+<../libraries/form_validation>` that assists you in
validating, filtering, and prepping your data.
Escape all data before database insertion
=========================================
Never insert information into your database without escaping it.
-Please see the section that discusses
-:doc:`queries <../database/queries>` for more information.
+Please see the section that discusses :doc:`database queries
+<../database/queries>` for more information.
+Hide your files
+===============
+Another good security practice is to only leave your *index.php*
+and "assets" (e.g. .js, css and image files) under your server's
+*webroot* directory (most commonly named "htdocs/"). These are
+the only files that you would need to be accessible from the web.
+
+Allowing your visitors to see anything else would potentially
+allow them to access sensitive data, execute scripts, etc.
+
+If you're not allowed to do that, you can try using a .htaccess
+file to restrict access to those resources.
+
+CodeIgniter will have an index.html file in all of its
+directories in an attempt to hide some of this data, but have
+it in mind that this is not enough to prevent a serious
+attacker. \ No newline at end of file
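Review bot: The `.htaccess` advice in this hunk is Apache-specific and gives no content for the file, so a reader on another web server, or on Apache with AllowOverride disabled, gets no actionable guidance; say that it applies to Apache and show the one directive needed (`Deny from all` on Apache 2.2, `Require all denied` on 2.4) placed in each directory that must stay private, and mention the equivalent for other servers is a location block in the server configuration. The closing paragraph is right that an `index.html` in each directory only masks directory listings and does not block a direct request for a file whose path is known, which is worth stating explicitly rather than as "not enough". The file also lacks a trailing newline (`\ No newline at end of file`); add one before merging.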