Diffstat (limited to 'user_guide_src/source/libraries')
-rw-r--r-- user_guide_src/source/libraries/caching.rst | 3
-rw-r--r-- user_guide_src/source/libraries/encryption.rst | 28
-rw-r--r-- user_guide_src/source/libraries/input.rst | 20
-rw-r--r-- user_guide_src/source/libraries/javascript.rst | 8
-rw-r--r-- user_guide_src/source/libraries/language.rst | 2
-rw-r--r-- user_guide_src/source/libraries/loader.rst | 4
-rw-r--r-- user_guide_src/source/libraries/security.rst | 3
-rw-r--r-- user_guide_src/source/libraries/sessions.rst | 21
-rw-r--r-- user_guide_src/source/libraries/uri.rst | 4
9 files changed, 70 insertions, 23 deletions
diff --git a/user_guide_src/source/libraries/caching.rst b/user_guide_src/source/libraries/caching.rst
index 86439b4ee..f54de5faf 100644
--- a/user_guide_src/source/libraries/caching.rst
+++ b/user_guide_src/source/libraries/caching.rst
@@ -250,8 +250,7 @@ Redis Caching
=============
Redis is an in-memory key-value store which can operate in LRU cache mode.
-To use it, you need Redis server and phpredis PHP extension
-`https://github.com/nicolasff/phpredis <https://github.com/nicolasff/phpredis>`_.
+To use it, you need `Redis server and phpredis PHP extension <https://github.com/phpredis/phpredis>`_.
Config options to connect to redis server must be stored in the application/config/redis.php file.
Available options are::
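Review bot: The new link text on the added line wraps "Redis server and phpredis PHP extension" in a single link to https://github.com/phpredis/phpredis, which is only the PHP extension, so a reader looking for the Redis server lands on the wrong project. Suggest limiting the link to the extension, for example: To use it, you need a Redis server and the `phpredis PHP extension <https://github.com/phpredis/phpredis>`_.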
diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst
index d445bf42f..599be4df0 100644
--- a/user_guide_src/source/libraries/encryption.rst
+++ b/user_guide_src/source/libraries/encryption.rst
@@ -2,6 +2,11 @@
Encryption Library
##################
+.. important:: DO NOT use this or any other *encryption* library for
+ user password storage! Passwords must be *hashed* instead, and you
+ should do that via PHP's own `Password Hashing extension
+ <http://php.net/password>`_.
+
The Encryption Library provides two-way data encryption. To do so in
a cryptographically secure way, it utilizes PHP extensions that are
unfortunately not always available on all systems.
@@ -106,6 +111,18 @@ and set::
$config['encryption_key'] = 'YOUR KEY';
+You'll notice that the ``create_key()`` method outputs binary data, which
+is hard to deal with (i.e. a copy-paste may damage it), so you may use
+``bin2hex()``, ``hex2bin()`` or Base64-encoding to work with the key in
+a more friendly manner. For example::
+
+ // Get a hex-encoded representation of the key:
+ $key = bin2hex($this->encryption->create_key(16));
+
+ // Put the same value in your config with hex2bin(),
+ // so that it is still passed as binary to the library:
+ $config['encryption_key'] = hex2bin(<your hex-encoded key>);
+
.. _ciphers-and-modes:
Supported encryption ciphers and modes
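Review bot: In the added example, ``hex2bin(<your hex-encoded key>)`` is not valid PHP as written and does not show that the value has to be a quoted string; suggest ``hex2bin('<your hex-encoded key>')``. The first example line also passes the result of ``create_key(16)`` straight into ``bin2hex()``, although the class reference added later in this patch says the method can return FALSE on failure; the example should check the return value before encoding it, otherwise a failed call yields an empty key string that is easy to miss. It would also help to say that the 16 here is a length in bytes, so the hex form is 32 characters.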
@@ -465,7 +482,7 @@ The reason for not including other popular algorithms, such as
MD5 or SHA1 is that they are no longer considered secure enough
and as such, we don't want to encourage their usage.
If you absolutely need to use them, it is easy to do so via PHP's
-native `hash_hmac() <http://php.net/hash_hmac()>`_ function.
+native `hash_hmac() <http://php.net/manual/en/function.hash-hmac.php>`_ function.
Stronger algorithms of course will be added in the future as they
appear and become widely available.
@@ -525,6 +542,15 @@ Class Reference
Please refer to the :ref:`custom-parameters` secrion for information
on the optional parameters.
+ .. php:method:: create_key($length)
+
+ :param int $length: Output length
+ :returns: A pseudo-random cryptographic key with the specified length, or FALSE on failure
+ :rtype: string
+
+ Creates a cryptographic key by fetching random data from
+ the operating system's sources (i.e. /dev/urandom).
+
.. php:method:: hkdf($key[, $digest = 'sha512'[, $salt = NULL[, $length = NULL[, $info = '']]]])
:param string $key: Input key material
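Review bot: The added ``create_key()`` entry declares ``:rtype: string`` while its ``:returns:`` line says the method may return FALSE on failure; the type line should cover both, and the description should tell callers to check for FALSE before using the result as a key. ``$length`` is described only as "Output length", so state the unit, and "(i.e. /dev/urandom)" reads as if that were the only source where "e.g." seems intended. The context line above still has the typo "secrion", which could be fixed in the same change.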
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 967f69d13..d9c6c2dd1 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -53,6 +53,10 @@ this::
Please refer to the :doc:`Security class <security>` documentation for
information on using XSS Filtering in your application.
+.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept
+ solely for backwards-compatibility purposes. XSS escaping should
+ be performed on *output*, not *input*!
+
*******************
Accessing form data
*******************
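Review bot: The added note says XSS escaping should be performed on output but gives the reader nothing to do instead, and the unchanged sentence directly above it still points to the Security class for "using XSS Filtering in your application". Suggest adding one sentence to the note that names the output-side escaping the guide recommends, or links to the section that covers it.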
@@ -91,8 +95,14 @@ the ``$_POST`` array, because it will always exist and you can try
and access multiple variables without caring that you might only have
one shot at all of the POST data.
-CodeIgniter will take care of that for you, and you can access data
-from the **php://input** stream at any time, just by calling the
+CodeIgniter will take care of that for you, and you can read the data
+from the **php://input** stream at any time, just by using the
+``$raw_input_stream`` property::
+
+ $this->input->raw_input_stream;
+
+Additionally if the input stream is form-encoded like $_POST you can
+access its values by calling the
``input_stream()`` method::
$this->input->input_stream('key');
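Review bot: In the added sentence "Additionally if the input stream is form-encoded like $_POST you can access its values by calling the", ``$_POST`` is not marked up as a literal although the context line at the top of this hunk writes it as ``$_POST``, and commas are missing after "Additionally" and after "$_POST". The added example ``$this->input->raw_input_stream;`` is a bare expression statement; showing it assigned to a variable would make the intended usage clearer.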
@@ -114,6 +124,12 @@ Class Reference
.. php:class:: CI_Input
+ .. attribute:: $raw_input_stream
+
+ Read only property that will return php://input data as is.
+
+ The property can be read multiple times.
+
.. php:method:: post([$index = NULL[, $xss_clean = NULL]])
:param mixed $index: POST parameter name
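Review bot: The new entry uses ``.. attribute::`` while everything around it in this class reference uses php-domain directives (``.. php:class::``, ``.. php:method::``); use the php-domain attribute directive so the property is indexed and cross-referenced together with the rest of CI_Input. "Read only property" should be "Read-only property".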
diff --git a/user_guide_src/source/libraries/javascript.rst b/user_guide_src/source/libraries/javascript.rst
index 7f83b2f70..e91b9ad78 100644
--- a/user_guide_src/source/libraries/javascript.rst
+++ b/user_guide_src/source/libraries/javascript.rst
@@ -135,7 +135,7 @@ In the above example:
keydown, keyup, load, mousedown, mouseup, mouseover, mouseup, resize,
scroll, or unload.
- "element_path" is any valid `jQuery selector
- <http://docs.jquery.com/Selectors>`_. Due to jQuery's unique
+ <http://api.jquery.com/category/selectors/>`_. Due to jQuery's unique
selector syntax, this is usually an element id, or CSS selector. For
example "#notice_area" would effect ``<div id="notice_area">``, and
"#content a.notice" would effect all anchors with a class of "notice"
@@ -147,7 +147,7 @@ Effects
=======
The query library supports a powerful
-`Effects <http://docs.jquery.com/Effects>`_ repertoire. Before an effect
+`Effects <http://api.jquery.com/category/effects/>`_ repertoire. Before an effect
can be used, it must be loaded::
$this->jquery->effect([optional path] plugin name); // for example $this->jquery->effect('bounce');
@@ -201,7 +201,7 @@ animate()
other additional information.
For a full summary, see
-`http://docs.jquery.com/Effects/animate <http://docs.jquery.com/Effects/animate>`_
+`http://api.jquery.com/animate/ <http://api.jquery.com/animate/>`_
Here is an example of an animate() called on a div with an id of "note",
and triggered by a click using the jQuery library's click() event.
@@ -288,7 +288,7 @@ corner()
--------
Used to add distinct corners to page elements. For full details see
-`http://www.malsup.com/jquery/corner/ <http://www.malsup.com/jquery/corner/>`_
+`http://malsup.com/jquery/corner/ <http://malsup.com/jquery/corner/>`_
::
diff --git a/user_guide_src/source/libraries/language.rst b/user_guide_src/source/libraries/language.rst
index ee1cefcd0..de17c8288 100644
--- a/user_guide_src/source/libraries/language.rst
+++ b/user_guide_src/source/libraries/language.rst
@@ -19,7 +19,7 @@ your **application/language/** directory, with separate sub-directories for each
The CodeIgniter framework comes with a set of language files for the "english" idiom.
Additional approved translations for different idioms may be found in the
-`CodeIgniter 3 Translations repositories <https://github.com/codeigniter3-translations>`_.
+`CodeIgniter 3 Translations repositories <https://github.com/bcit-ci/codeigniter3-translations>`_.
Each repository deals with a single idiom.
When CodeIgniter loads language files, it will load the one in **system/language/**
diff --git a/user_guide_src/source/libraries/loader.rst b/user_guide_src/source/libraries/loader.rst
index efa9d519b..228d5e478 100644
--- a/user_guide_src/source/libraries/loader.rst
+++ b/user_guide_src/source/libraries/loader.rst
@@ -238,7 +238,7 @@ Class Reference
The second **optional** parameter can take an associative array or an
object as input, which it runs through the PHP
- `extract() <http://www.php.net/extract>`_ function to convert to variables
+ `extract() <http://php.net/extract>`_ function to convert to variables
that can be used in your view files. Again, read the
:doc:`Views <../general/views>` page to learn how this might be useful.
@@ -259,7 +259,7 @@ Class Reference
:rtype: CI_Loader
This method takes an associative array as input and generates
- variables using the PHP `extract() <http://www.php.net/extract>`_
+ variables using the PHP `extract() <http://php.net/extract>`_
function. This method produces the same result as using the second
parameter of the ``$this->load->view()`` method above. The reason you
might want to use this method independently is if you would like to
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 27e6e561b..ac56fc589 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -41,9 +41,6 @@ application/config/config.php file and setting this::
$config['global_xss_filtering'] = TRUE;
-.. note:: If you use the form validation class, it gives you the option of
- XSS filtering as well.
-
An optional second parameter, *is_image*, allows this function to be used
to test images for potential XSS attacks, useful for file upload
security. When this second parameter is set to TRUE, instead of
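Review bot: Removing the form validation note leaves the context above it, which still tells readers to set ``$config['global_xss_filtering'] = TRUE;``, without any warning, while input.rst in this same patch marks that setting as DEPRECATED. Suggest adding the same deprecation notice here, next to the config line, so the two pages do not contradict each other.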
diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst
index c8a1f1925..2034ed2b0 100644
--- a/user_guide_src/source/libraries/sessions.rst
+++ b/user_guide_src/source/libraries/sessions.rst
@@ -363,7 +363,7 @@ To read a tempdata variable, again you can just access it through the
.. important:: The ``userdata()`` method will NOT return tempdata items.
-Or if you want to be sure that you're reading "flashdata" (and not any
+Or if you want to be sure that you're reading "tempdata" (and not any
other kind), you can also use the ``tempdata()`` method::
$this->session->tempdata('item');
@@ -569,9 +569,10 @@ However, there are some conditions that must be met:
- Only your **default** database connection (or the one that you access
as ``$this->db`` from your controllers) can be used.
- - You can NOT use a persistent connection.
- You must have the :doc:`Query Builder </database/query_builder>`
enabled.
+ - You can NOT use a persistent connection.
+ - You can NOT use a connection with the *cache_on* setting enabled.
In order to use the 'database' session driver, you must also create this
table that we already mentioned and then set it as your
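Review bot: The added condition "You can NOT use a connection with the *cache_on* setting enabled." gives no reason, and neither does the persistent-connection item it now sits beside. A short clause on why each is disallowed would help readers who hit the restriction, since neither is obvious from the surrounding text.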
@@ -596,7 +597,7 @@ For MySQL::
`id` varchar(40) NOT NULL,
`ip_address` varchar(45) NOT NULL,
`timestamp` int(10) unsigned DEFAULT 0 NOT NULL,
- `data` blob DEFAULT '' NOT NULL,
+ `data` blob NOT NULL,
PRIMARY KEY (id),
KEY `ci_sessions_timestamp` (`timestamp`)
);
@@ -630,12 +631,16 @@ also do the following, after creating the table::
Redis Driver
------------
+.. note:: Since Redis doesn't have a locking mechanism exposed, locks for
+ this driver are emulated by a separate value that is kept for up
+ to 300 seconds.
+
Redis is a storage engine typically used for caching and popular because
of its high performance, which is also probably your reason to use the
'redis' session driver.
The downside is that it is not as ubiquitous as relational databases and
-requires the `phpredis <https://github.com/nicolasff/phpredis>`_ PHP
+requires the `phpredis <https://github.com/phpredis/phpredis>`_ PHP
extension to be installed on your system, and that one doesn't come
bundled with PHP.
Chances are, you're only be using the 'redis' driver only if you're already
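Review bot: The added note says the emulated lock is "kept for up to 300 seconds" but not what that means for the application: whether a request that runs longer than that loses its lock, and what a second request for the same session does while the lock is held. Since this affects concurrent writes to one session, suggest one more sentence spelling out the behaviour. The context line "you're only be using the 'redis' driver only if" could also be corrected while this section is being touched.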
@@ -663,6 +668,10 @@ sufficient::
Memcached Driver
----------------
+.. note:: Since Memcache doesn't have a locking mechanism exposed, locks
+ for this driver are emulated by a separate value that is kept for
+ up to 300 seconds.
+
The 'memcached' driver is very similar to the 'redis' one in all of its
properties, except perhaps for availability, because PHP's `Memcached
<http://php.net/memcached>`_ extension is distributed via PECL and some
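Review bot: The added note says "Memcache" where the section title, the driver name ('memcached') and the linked PHP extension in the context lines all say "Memcached"; use the same spelling in the note. As written, "kept for up to 300 seconds" also leaves open what happens to a request that is still running when the emulated lock expires, which is worth one sentence.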
@@ -828,7 +837,7 @@ Class Reference
.. note:: This method is DEPRECATED. Use ``userdata()``
with no parameters instead.
- .. php:method:: &get_usedata()
+ .. php:method:: &get_userdata()
:returns: A reference to ``$_SESSION``
:rtype: array
@@ -1045,4 +1054,4 @@ Class Reference
$this->session->foo = 'bar';
// Results in:
- // $_SESSION['foo'] = 'bar'; \ No newline at end of file
+ // $_SESSION['foo'] = 'bar';
diff --git a/user_guide_src/source/libraries/uri.rst b/user_guide_src/source/libraries/uri.rst
index ae56184cc..4d38c1d22 100644
--- a/user_guide_src/source/libraries/uri.rst
+++ b/user_guide_src/source/libraries/uri.rst
@@ -110,7 +110,7 @@ Class Reference
:returns: Associative URI segments array
:rtype: array
- This method lets you turn URI segments into and associative array of
+ This method lets you turn URI segments into an associative array of
key/value pairs. Consider this URI::
index.php/user/search/name/joe/location/UK/gender/male
@@ -230,4 +230,4 @@ Class Reference
This method is identical to ``segment_array()``, except that it returns
the array of segments in your re-routed URI in the event you are using
- CodeIgniter's :doc:`URI Routing <../general/routing>` feature. \ No newline at end of file
+ CodeIgniter's :doc:`URI Routing <../general/routing>` feature.