From 2067d1a727e7eb5e5ffb40e967f3d1fc4c8a41b2 Mon Sep 17 00:00:00 2001 From: Derek Allard Date: Thu, 13 Nov 2008 22:59:24 +0000 Subject: Changing EOL style to LF --- user_guide/general/security.html | 304 +++++++++++++++++++-------------------- 1 file changed, 152 insertions(+), 152 deletions(-) (limited to 'user_guide/general/security.html') diff --git a/user_guide/general/security.html b/user_guide/general/security.html index 8b6eba8cb..236b29b4d 100644 --- a/user_guide/general/security.html +++ b/user_guide/general/security.html @@ -1,153 +1,153 @@ - - - - - -Security : CodeIgniter User Guide - - - - - - - - - - - - - - - - - - - - - -
- - - - - -

CodeIgniter User Guide Version 1.7

-
- - - - - - - - - -
- - -
- - - -
- -

Security

- -

This page describes some "best practices" regarding web security, and details -CodeIgniter's internal security features.

- - -

URI Security

- -

CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help -minimize the possibility that malicious data can be passed to your application. URIs may only contain the following: -

- - - -

GET, POST, and COOKIE Data

- -

GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless -you have the query string option enabled in your config file). The global GET -array is unset by the Input class during system initialization.

- -

Register_globals

- -

During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting -routine is effectively the same as register_globals = off.

- - -

magic_quotes_runtime

- -

The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when -retrieving data from your database.

- -

Best Practices

- -

Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, -XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:

- -
    -
  1. Filter the data as if it were tainted.
  2. -
  3. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
  4. -
  5. Escape the data before submitting it into your database.
  6. -
- -

CodeIgniter provides the following functions to assist in this process:

- - - - - - -
- - - - - - + + + + + +Security : CodeIgniter User Guide + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +

CodeIgniter User Guide Version 1.7

+
+ + + + + + + + + +
+ + +
+ + + +
+ +

Security

+ +

This page describes some "best practices" regarding web security, and details +CodeIgniter's internal security features.

+ + +

URI Security

+ +

CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help +minimize the possibility that malicious data can be passed to your application. URIs may only contain the following: +

+ + + +

GET, POST, and COOKIE Data

+ +

GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless +you have the query string option enabled in your config file). The global GET +array is unset by the Input class during system initialization.

+ +

Register_globals

+ +

During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting +routine is effectively the same as register_globals = off.

+ + +

magic_quotes_runtime

+ +

The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when +retrieving data from your database.

+ +

Best Practices

+ +

Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, +XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:

+ +
    +
  1. Filter the data as if it were tainted.
  2. +
  3. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
  4. +
  5. Escape the data before submitting it into your database.
  6. +
+ +

CodeIgniter provides the following functions to assist in this process:

+ + + + + + +
+ + + + + + \ No newline at end of file -- cgit v1.2.3-24-g4f1b
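Review bot: the trailing "\ No newline at end of file" marker shows the rewritten user_guide/general/security.html still ends without a final newline, so this hunk would be a good place to add one, since every later touch of the file's last line will otherwise keep carrying the marker. Because the hunk removes and re-adds all 153 lines, the content change cannot be read from the line markers alone; before merging, confirm that the only difference is the line terminator (for example by checking that a whitespace-insensitive diff of the two revisions is empty) so that an EOL-only commit does not silently alter the documented security behaviour (URI character restrictions, unsetting of the GET array, register_globals and magic_quotes_runtime handling). If the repository is meant to stay LF-only, recording that in the project's line-ending configuration would prevent the same whole-file churn from recurring.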