Diffstat (limited to 'user_guide_src')
-rw-r--r-- user_guide_src/source/installation/upgrade_320.rst 18
-rw-r--r-- user_guide_src/source/libraries/input.rst 28
2 files changed, 23 insertions, 23 deletions
diff --git a/user_guide_src/source/installation/upgrade_320.rst b/user_guide_src/source/installation/upgrade_320.rst
index 6501f40db..8434172e7 100644
--- a/user_guide_src/source/installation/upgrade_320.rst
+++ b/user_guide_src/source/installation/upgrade_320.rst
@@ -159,3 +159,21 @@ CodeIgniter versions that have been removed in 3.2.0:
- ``send_email()`` (use ``mail()`` instead)
- The entire *Smiley Helper* (an archived version is available on GitHub: `bcit-ci/ci3-smiley-helper <https://github.com/bcit-ci/ci3-smiley-helper>`_)
+
+Step 8: Make sure you're validating all user inputs
+===================================================
+
+The :doc:`Input Library <../libraries/input>` used to (often
+unconditionally) filter and/or sanitize user input in the ``$_GET``,
+``$_POST`` and ``$_COOKIE`` superglobals.
+
+This was a legacy feature from older times, when things like
+`register_globals <https://secure.php.net/register_globals>`_ and
+`magic_quotes_gpc <https://secure.php.net/magic_quotes_gpc>`_ existed in
+PHP.
+It was a necessity back then, but this is no longer the case and reliance
+on global filters is a bad practice, giving you a false sense of security.
+
+This functionality is now removed, and so if you've relied on it for
+whatever reasons, you should double-check that you are properly validating
+all user inputs in your application (as you always should do).
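Review bot: Step 8, in the paragraph starting "This functionality is now removed", tells upgraders to double-check their validation but never says which behaviours are gone. The input.rst change in this same commit drops the documentation for two concrete ones: destroying global variables when register_globals is turned on, and filtering the GET/POST/COOKIE array keys to alpha-numeric (and a few other) characters. Listing those two here would let readers audit code that consumes input array keys on the assumption that they were already restricted. The phrases "for whatever reasons" and "(as you always should do)" add tone but no guidance and could be dropped.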
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 1961e3e57..97460c2c5 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -2,10 +2,8 @@
Input Class
###########
-The Input Class serves two purposes:
-
-#. It pre-processes global input data for security.
-#. It provides some helper methods for fetching input data and pre-processing it.
+The Input Class provides some helper methods for accessing input data
+and pre-processing it.
.. note:: This class is initialized automatically by the system so there
is no need to do it manually.
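Review bot: In the new intro sentence, "pre-processing it" is carried over from the old two-purpose wording and is now ambiguous: a reader can still take it to mean the class sanitizes input for security. Since the item "It pre-processes global input data for security." is being removed, either say what the helpers actually do to the data, or add a sentence stating that the class no longer filters the superglobals and link to the upgrade step.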
@@ -17,25 +15,9 @@ The Input Class serves two purposes:
<div class="custom-index container"></div>
-***************
-Input Filtering
-***************
-
-Security Filtering
-==================
-
-The security filtering method is called automatically when a new
-:doc:`controller <../general/controllers>` is invoked. It does the
-following:
-
-- Destroys all global variables in the event register_globals is
- turned on.
-- Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric
- (and a few other) characters.
-
-*******************
-Accessing form data
-*******************
+********************
+Accessing input data
+********************
Using POST, GET, COOKIE, or SERVER Data
=======================================
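Review bot: The whole "Input Filtering" section is deleted with nothing left in its place, so someone reading input.rst on its own has no indication that key filtering and the register_globals cleanup used to run automatically and no longer do. A short ``.. note::`` near the class intro pointing to the 3.2.0 upgrade instructions would cover that. Separately, the rename from "Accessing form data" to "Accessing input data" changes the section title, so check the rest of the user guide for cross-references that still use the old title.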