diff options
Diffstat (limited to 'user_guide_src/source')
-rw-r--r-- | user_guide_src/source/changelog.rst | 13 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 65 | ||||
-rw-r--r-- | user_guide_src/source/libraries/form_validation.rst | 33 | ||||
-rw-r--r-- | user_guide_src/source/libraries/input.rst | 3 |
4 files changed, 99 insertions, 15 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ff7c09b48..c186781d1 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -20,6 +20,7 @@ Release Date: Not Released - PHP 5.1.6 is no longer supported. CodeIgniter now requires PHP 5.2.4. - Changed filenaming convention (class file names now must be Ucfirst and everything else in lowercase). + - Changed the default database driver to 'mysqli' (the old 'mysql' driver is DEPRECATED). - ``$_SERVER['CI_ENV']`` can now be set to control the ``ENVIRONMENT`` constant. - Added an optional backtrace to php-error template. - Added Android to the list of user agents. @@ -58,6 +59,7 @@ Release Date: Not Released - Added support non-HTML error templates for CLI applications. - Added availability checks where usage of dangerous functions like ``eval()`` and ``exec()`` is required. - Added support for changing the file extension of log files using ``$config['log_file_extension']``. + - Added support for turning newline standardization on/off via ``$config['standardize_newlines']``. - Helpers @@ -138,6 +140,7 @@ Release Date: Not Released - Database + - DEPRECATED the 'mysql', 'sqlite', 'mssql' and 'pdo/dblib' (also known as 'pdo/mssql' or 'pdo/sybase') drivers. - Added **dsn** configuration setting for drivers that support DSN strings (PDO, PostgreSQL, Oracle, ODBC, CUBRID). - Added **schema** configuration setting (defaults to *public*) for drivers that might need it (currently used by PostgreSQL and ODBC). - Added subdrivers support (currently only used by PDO). @@ -316,6 +319,7 @@ Release Date: Not Released - Added support for named parameters in error messages. - :doc:`Language <libraries/language>` line keys must now be prefixed with **form_validation_**. - Added rule **alpha_numeric_spaces**. + - Added support for custom error messages per field rule. - :doc:`Caching Library <libraries/caching>` changes include: @@ -371,7 +375,11 @@ Release Date: Not Released - Added the ability to use a proxy. - Added Basic HTTP authentication support. - - :doc:`User Agent Library <libraries/user_agent>` will now check if robots are pretending to be mobile clients (helps with e.g. Google indexing mobile website versions). + - :doc:`User Agent Library <libraries/user_agent>` changes include: + + - Added check to detect if robots are pretending to be mobile clients (helps with e.g. Google indexing mobile website versions). + - Added method ``parse()`` to allow parsing a custom user-agent string, different from the current visitor's. + - Added support for setting :doc:`Table <libraries/table>` class defaults in a config file. - :doc:`Zip Library <libraries/zip>` method ``read_file()`` can now also alter the original file path/name while adding files to an archive. @@ -407,6 +415,7 @@ Release Date: Not Released - Changed method ``valid_ip()`` to use PHP's native ``filter_var()`` function. - Changed internal method ``_sanitize_globals()`` to skip enforcing reversal of *register_globals* in PHP 5.4+, where this functionality no longer exists. - Changed methods ``get()``, ``post()``, ``get_post()``, ``cookie()``, ``server()``, ``user_agent()`` to return NULL instead of FALSE when no value is found. + - Changed default value of the ``$xss_clean`` parameter to NULL for all methods that utilize it, the default value is now determined by the ``$config['global_xss_filtering']`` setting. - Added method ``post_get()`` and changed ``get_post()`` to search in GET data first. Both methods' names now properly match their GET/POST data search priorities. - Changed method ``_fetch_from_array()`` to parse array notation in field name. - Added an option for ``_clean_input_keys()`` to return FALSE instead of terminating the whole script. @@ -651,6 +660,8 @@ Bug fixes for 3.0 - Fixed a bug (#2143) - :doc:`Form Validation Library <libraries/form_validation>` didn't check for rule groups named in a *controller/method* manner when trying to load from a config file. - Fixed a bug (#2762) - :doc:`Hooks Class <general/hooks>` didn't properly check if the called class/function exists. - Fixed a bug (#148) - while sanitizing input data, ``CI_Input::_clean_input_data()`` assumed that it is URL-encoded, stripping certain character sequences from it. +- Fixed a bug (#346) - with ``$config['global_xss_filtering']`` turned on, the ``$_GET``, ``$_POST``, ``$_COOKIE`` and ``$_SERVER`` superglobals were overwritten during initialization time, resulting in XSS filtering being either performed twice or there was no possible way to get the original data, even though options for this do exist. +- Fixed an edge case (#555) - incorrect browser version was reported for Opera 10+ due to a non-standard user-agent string. Version 2.1.4 ============= diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 41153df16..ca7569b57 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -188,8 +188,39 @@ Many methods and functions now return NULL instead of FALSE when the required it - element() - elements() +******************************* +Step 11: Usage of XSS filtering +******************************* + +Many functions in CodeIgniter allow you to use its XSS filtering feature +on demand by passing a boolean parameter. The default value of that +parameter used to be boolean FALSE, but it is now changed to NULL and it +will be dynamically determined by your ``$config['global_xss_filtering']`` +value. + +If you used to manually pass a boolean value for the ``$xss_filter`` +parameter or if you've always had ``$config['global_xss_filtering']`` set +to FALSE, then this change doesn't concern you. + +Otherwise however, please review your usage of the following functions: + + - :doc:`Input Library <../libraries/input>` + + - input->get() + - input->post() + - input->get_post() + - input->cookie() + - input->server() + - input->input_stream() + + - :doc:`Cookie Helper <../helpers/cookie_helper>` :func:`get_cookie()` + +.. important:: Another related change is that the ``$_GET``, ``$_POST``, + ``$_COOKIE`` and ``$_SERVER`` superglobals are no longer + automatically overwritten when global XSS filtering is turned on. + ******************************************************** -Step 11: Update usage of Input Class's get_post() method +Step 12: Update usage of Input Class's get_post() method ******************************************************** Previously, the :doc:`Input Class <../libraries/input>` method ``get_post()`` @@ -200,14 +231,14 @@ A method has been added, ``post_get()``, which searches in POST then in GET, as ``get_post()`` was doing before. *********************************************************************** -Step 12: Update usage of Directory Helper's directory_map() function +Step 13: Update usage of Directory Helper's directory_map() function *********************************************************************** In the resulting array, directories now end with a trailing directory separator (i.e. a slash, usually). ************************************************************* -Step 13: Update usage of Database Forge's drop_table() method +Step 14: Update usage of Database Forge's drop_table() method ************************************************************* Up until now, ``drop_table()`` added an IF EXISTS clause by default or it didn't work @@ -229,7 +260,7 @@ If your application relies on IF EXISTS, you'll have to change its usage. all drivers with the exception of ODBC. *********************************************************** -Step 14: Change usage of Email library with multiple emails +Step 15: Change usage of Email library with multiple emails *********************************************************** The :doc:`Email Library <../libraries/email>` will automatically clear the @@ -244,7 +275,7 @@ pass FALSE as the first parameter in the ``send()`` method: } *************************************************** -Step 15: Update your Form_validation language lines +Step 16: Update your Form_validation language lines *************************************************** Two improvements have been made to the :doc:`Form Validation Library @@ -275,7 +306,7 @@ files and error messages format: later. **************************************************************** -Step 16: Remove usage of (previously) deprecated functionalities +Step 17: Remove usage of (previously) deprecated functionalities **************************************************************** In addition to the ``$autoload['core']`` configuration setting, there's a @@ -302,6 +333,26 @@ Smiley helper js_insert_smiley() :doc:`Smiley Helper <../helpers/smiley_helper>` function ``js_insert_smiley()`` has been deprecated since CodeIgniter 1.7.2 and is now removed. You'll need to switch to ``smiley_js()`` instead. +Database drivers 'mysql', 'sqlite', 'mssql', 'pdo/dblib' +======================================================== + +The **mysql** driver utilizes the old 'mysql' PHP extension, known for its aging code base and +many low-level problems. The extension is deprecated as of PHP 5.5 and CodeIgniter deprecates +it in version 3.0, switching the default configured MySQL driver to **mysqli**. + +Please use either the 'mysqli' or 'pdo/mysql' drivers for MySQL. The old 'mysql' driver will be +removed at some point in the future. + +The **sqlite**, **mssql** and **pdo/dblib** (also known as pdo/mssql or pdo/sybase) drivers +all depend on PHP extensions that for different reasons no longer exist since PHP 5.3. + +Therefore we are now deprecating these drivers as we will have to remove them in one of the next +CodeIgniter versions. You should use the more advanced, **sqlite3**, **sqlsrv** or **pdo/sqlsrv** +drivers respectively. + +.. note:: These drivers are still available, but you're strongly encouraged to switch to other ones + sooner rather than later. + Security helper do_hash() ========================= @@ -491,7 +542,7 @@ CodeIgniter 3.1+. sooner rather than later. *********************************************************** -Step 17: Check your usage of Text helper highlight_phrase() +Step 18: Check your usage of Text helper highlight_phrase() *********************************************************** The default HTML tag used by :doc:`Text Helper <../helpers/text_helper>` function diff --git a/user_guide_src/source/libraries/form_validation.rst b/user_guide_src/source/libraries/form_validation.rst index 8534175bb..1076b1433 100644 --- a/user_guide_src/source/libraries/form_validation.rst +++ b/user_guide_src/source/libraries/form_validation.rst @@ -200,6 +200,7 @@ The above method takes **three** parameters as input: message. For example, if your field is named "user" you might give it a human name of "Username". #. The validation rules for this form field. +#. (optional) Set custom error messages on any rules given for current field. If not provided will use the default one. .. note:: If you would like the field name to be stored in a language file, please see :ref:`translating-field-names`. @@ -225,7 +226,9 @@ Your controller should now look like this:: $this->load->library('form_validation'); $this->form_validation->set_rules('username', 'Username', 'required'); - $this->form_validation->set_rules('password', 'Password', 'required'); + $this->form_validation->set_rules('password', 'Password', 'required', + array('required' => 'You must provide a %s.') + ); $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required'); $this->form_validation->set_rules('email', 'Email', 'required'); @@ -263,7 +266,10 @@ you use this approach, you must name your array keys as indicated:: array( 'field' => 'password', 'label' => 'Password', - 'rules' => 'required' + 'rules' => 'required', + 'errors' => array( + 'required' => 'You must provide a %s.', + ), ), array( 'field' => 'passconf', @@ -285,7 +291,14 @@ Cascading Rules CodeIgniter lets you pipe multiple rules together. Let's try it. Change your rules in the third parameter of rule setting method, like this:: - $this->form_validation->set_rules('username', 'Username', 'required|min_length[5]|max_length[12]|is_unique[users.username]'); + $this->form_validation->set_rules( + 'username', 'Username', + 'required|min_length[5]|max_length[12]|is_unique[users.username]', + array( + 'required' => 'You have not provided %s.', + 'is_unique' => 'This %s already exists.' + ) + ); $this->form_validation->set_rules('password', 'Password', 'required'); $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required|matches[password]'); $this->form_validation->set_rules('email', 'Email', 'required|valid_email|is_unique[users.email]'); @@ -469,11 +482,18 @@ Setting Error Messages All of the native error messages are located in the following language file: **system/language/english/form_validation_lang.php** -To set your own custom message you can either edit that file, or use the -following method:: +To set your own global custom message for a rule, you can either +edit that file, or use the following method:: $this->form_validation->set_message('rule', 'Error Message'); +If you need to set a custom error message for a particular field on +some particular rule, use the set_rules() method:: + + $this->form_validation->set_rules('field_name', 'Field Label', 'rule1|rule2|rule3', + array('rule2' => 'Error Message on rule2 for this field_name') + ); + Where rule corresponds to the name of a particular rule, and Error Message is the text you would like displayed. @@ -941,11 +961,12 @@ The following methods are intended for use in your controller. $this->form_validation->set_rules() =================================== - .. php:method:: set_rules ($field, $label = '', $rules = '') + .. php:method:: set_rules ($field, $label = '', $rules = '', $errors = array()) :param string $field: The field name :param string $label: The field label :param mixed $rules: The rules, as a string with rules separated by a pipe "|", or an array or rules. + :param array $errors: Custom error messages :rtype: Object Permits you to set validation rules, as described in the tutorial diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index b58ed2f0d..72746c147 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -25,7 +25,8 @@ following: (and a few other) characters. - Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request. -- Standardizes newline characters to \\n(In Windows \\r\\n) +- Standardizes newline characters to ``PHP_EOL`` (\\n in UNIX-based OSes, + \\r\\n under Windows). This is configurable. XSS Filtering ============= |