From b0dd10f8171945e0c1f3527dd1e9d18b043e01a7 Mon Sep 17 00:00:00 2001 From: admin Date: Fri, 25 Aug 2006 17:25:49 +0000 Subject: Initial Import --- user_guide/general/security.html | 159 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 user_guide/general/security.html (limited to 'user_guide/general/security.html') diff --git a/user_guide/general/security.html b/user_guide/general/security.html new file mode 100644 index 000000000..06287a23b --- /dev/null +++ b/user_guide/general/security.html @@ -0,0 +1,159 @@ + + + + +Code Igniter User Guide + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +

Code Igniter User Guide Version 1.4.0

+
+ + + + + + + + + +
+ + +
+ + + +
+ +

Security

+ +

This page describes some "best practices" regarding web security, and details +Code Igniter's internal security features.

+ + +

URI Security

+ +

Code Igniter is fairly restrictive regarding which characters it allows in your URI strings in order to help +minimize the possibility that malicious data can be passed to your application. URIs may only contain the following: +

+ + + +

GET, POST, and COOKIE Data

+ +

GET data is simply disallowed by Code Igniter since the system utilizes URI segments rather than traditional URL query strings (unless +you have the query string option enabled in your config file). The global GET +array is unset by the Input class during system initialization.

+ +

Register_globals

+ +

During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting +routine is effectively the same as register_globals = off.

+ + +

magic_quotes_runtime

+ +

The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when +retrieving data from your database.

+ +


Best Practices

+ +

Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, +XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:

+ +
    + +
  1. Filter the data as if it were tainted.
  2. +
  3. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
  4. +
  5. Escape the data before submitting it into your database.
  6. +
+ +Code Igniter provides the following functions to assist in this process:

+ + + + + + +
+ + + + + + + \ No newline at end of file -- cgit v1.2.3-24-g4f1b
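Review bot: the "GET, POST, and COOKIE Data" paragraph overstates the protection when it says GET data is "simply disallowed": unsetting the global GET array during initialization removes $_GET, but the raw query string is still reachable through $_SERVER (QUERY_STRING and REQUEST_URI), and the page's own Best Practices section lists data from the SERVER array among the inputs to treat as tainted, so the paragraph should say that $_GET is unset rather than that query-string data cannot be passed to the application; it should also say what happens when the query-string option mentioned in the parenthesis is enabled, since then none of the stated protection applies. In the "magic_quotes_runtime" paragraph, the directive that governs the POST and COOKIE data the framework keeps is magic_quotes_gpc, not magic_quotes_runtime, which only affects data read at runtime such as database results; as written the reader cannot tell whether incoming form and cookie data arrives with slashes added, so a sentence stating whether the Input class strips slashes when magic_quotes_gpc is on would close the gap. In the Best Practices list, the remark that validation "can replace step one" should be paired with an explicit statement that neither filtering nor validation replaces step three, escaping before the data reaches the database, so the three steps are not read as interchangeable.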