Diffstat (limited to 'user_guide_src')
-rw-r--r-- | user_guide_src/source/installation/upgrade_320.rst | 18 | ||||
-rw-r--r-- | user_guide_src/source/libraries/input.rst | 28 |
2 files changed, 23 insertions, 23 deletions
diff --git a/user_guide_src/source/installation/upgrade_320.rst b/user_guide_src/source/installation/upgrade_320.rst index 6501f40db..8434172e7 100644 --- a/user_guide_src/source/installation/upgrade_320.rst +++ b/user_guide_src/source/installation/upgrade_320.rst @@ -159,3 +159,21 @@ CodeIgniter versions that have been removed in 3.2.0: - ``send_email()`` (use ``mail()`` instead) - The entire *Smiley Helper* (an archived version is available on GitHub: `bcit-ci/ci3-smiley-helper <https://github.com/bcit-ci/ci3-smiley-helper>`_) + +Step 8: Make sure you're validating all user inputs +=================================================== + +The :doc:`Input Library <../libraries/input>` used to (often +unconditionally) filter and/or sanitize user input in the ``$_GET``, +``$_POST`` and ``$_COOKIE`` superglobals. + +This was a legacy feature from older times, when things like +`register_globals <https://secure.php.net/register_globals>`_ and +`magic_quotes_gpc <https://secure.php.net/magic_quotes_gpc>`_ existed in +PHP. +It was a necessity back then, but this is no longer the case and reliance +on global filters is a bad practice, giving you a false sense of security. + +This functionality is now removed, and so if you've relied on it for +whatever reasons, you should double-check that you are properly validating +all user inputs in your application (as you always should do). diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 1961e3e57..97460c2c5 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst 
@@ -2,10 +2,8 @@ Input Class ########### -The Input Class serves two purposes: - -#. It pre-processes global input data for security. -#. It provides some helper methods for fetching input data and pre-processing it. +The Input Class provides some helper methods for accessing input data +and pre-processing it. .. note:: This class is initialized automatically by the system so there is no need to do it manually. @@ -17,25 +15,9 @@ The Input Class serves two purposes: <div class="custom-index container"></div> -*************** -Input Filtering -*************** - -Security Filtering -================== - -The security filtering method is called automatically when a new -:doc:`controller <../general/controllers>` is invoked. It does the -following: - -- Destroys all global variables in the event register_globals is - turned on. -- Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric - (and a few other) characters. - -******************* -Accessing form data -******************* +******************** +Accessing input data +******************** Using POST, GET, COOKIE, or SERVER Data ======================================= |
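Review bot: In the upgrade_320.rst hunk (Step 8), the new step says the filtering "is now removed" but never names what was removed, so readers cannot search their code or config for it. Listing the affected behaviour (the automatic filtering of ``$_GET``, ``$_POST`` and ``$_COOKIE`` described in the deleted "Security Filtering" section) and pointing at the validation facility users should use instead, for example a ``:doc:`` link to the Form Validation library page, would make the step actionable rather than a general reminder.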
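Review bot: In the input.rst ``@@ -2,10 +2,8 @@`` hunk, the replacement summary still says the class is for "accessing input data and pre-processing it", which keeps the impression that input is sanitized on the way in, exactly what this change removes. Suggest wording it as "helper methods for fetching input data" and leaving any pre-processing to be described per method, so the overview matches the new behaviour.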
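Review bot: In the input.rst ``@@ -17,25 +15,9 @@`` hunk, the deleted "Security Filtering" section documented two automatic actions (destroying globals when register_globals is on, and filtering GET/POST/COOKIE array keys); the diff only touches documentation, so please confirm the corresponding code paths are removed or the key filtering is documented elsewhere, otherwise the docs will understate what the framework still does. Also check for other pages that cross-reference the removed "Input Filtering" / "Accessing form data" headings, since the heading rename to "Accessing input data" will break those anchors.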