Date: Thu, 13 Nov 2008 22:59:24 +0000 Subject: Changing EOL style to LF --- user_guide/general/security.html | 304 +++++++++++++++++++-------------------- 1 file changed, 152 insertions(+), 152 deletions(-) (limited to 'user_guide/general/security.html') diff --git a/user_guide/general/security.html b/user_guide/general/security.html index 8b6eba8cb..236b29b4d 100644 --- a/user_guide/general/security.html +++ b/user_guide/general/security.html @@ -1,153 +1,153 @@ - - - - - -Security : CodeIgniter User Guide - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - -

- - -
- - - -

- -

Security

- -

This page describes some "best practices" regarding web security, and details -CodeIgniter's internal security features.

- - -

URI Security

- -

CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help -minimize the possibility that malicious data can be passed to your application. URIs may only contain the following: -

- -

Alpha-numeric text
Tilde: ~
Period: .
Colon: :
Underscore: _
Dash: -

- -

GET, POST, and COOKIE Data

- -

GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless -you have the query string option enabled in your config file). The global GET -array is unset by the Input class during system initialization.

- -

Register_globals

- -

During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting -routine is effectively the same as register_globals = off.

- - -

magic_quotes_runtime

- -

The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when -retrieving data from your database.

- -

Best Practices

- -

Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, -XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:

- -

Filter the data as if it were tainted.
Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
Escape the data before submitting it into your database.

- -

CodeIgniter provides the following functions to assist in this process:

- -

XSS Filtering
- -
CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly -used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies -or do other malicious things. The XSS Filter is described here. -
-
Validate the data
- -
CodeIgniter has a Form Validation Class that assists you in validating, filtering, and prepping -your data.
-
Escape all data before database insertion
- -
Never insert information into your database without escaping it. Please see the section that discusses -queries for more information.
- -

- - - - -

- - - - - - + + + + + +Security : CodeIgniter User Guide + + + + + + + + + + + + + + + + + + + +

+ + + + + + + + + + +

+ + +
+ + + +

+ +

Security

+ +

This page describes some "best practices" regarding web security, and details +CodeIgniter's internal security features.

+ + +

URI Security

+ +

CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help +minimize the possibility that malicious data can be passed to your application. URIs may only contain the following: +

+ +

Alpha-numeric text
Tilde: ~
Period: .
Colon: :
Underscore: _
Dash: -

+ +

GET, POST, and COOKIE Data

+ +

GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless +you have the query string option enabled in your config file). The global GET +array is unset by the Input class during system initialization.

+ +

Register_globals

+ +

During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting +routine is effectively the same as register_globals = off.

+ + +

magic_quotes_runtime

+ +

The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when +retrieving data from your database.

+ +

Best Practices

+ +

Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, +XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:

+ +

Filter the data as if it were tainted.
Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
Escape the data before submitting it into your database.

+ +

CodeIgniter provides the following functions to assist in this process:

+ +

XSS Filtering
+ +
CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly +used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies +or do other malicious things. The XSS Filter is described here. +
+
Validate the data
+ +
CodeIgniter has a Form Validation Class that assists you in validating, filtering, and prepping +your data.
+
Escape all data before database insertion
+ +
Never insert information into your database without escaping it. Please see the section that discusses +queries for more information.
+ +

+ + + + +

+ + + + + + \ No newline at end of file -- cgit v1.2.3-24-g4f1b

CodeIgniter User Guide Version 1.7

Security

URI Security

GET, POST, and COOKIE Data

Register_globals

magic_quotes_runtime

Best Practices

XSS Filtering

Validate the data

Escape all data before database insertion

CodeIgniter User Guide Version 1.7

Security

URI Security

GET, POST, and COOKIE Data

Register_globals

magic_quotes_runtime

Best Practices

XSS Filtering

Validate the data

Escape all data before database insertion