From 2dce1ffda218456e19f28edce8b0d74122f4d55c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 20:49:04 +0300 Subject: Fix #1268 (or rather enforce some security measures, there's nothing really broken) --- user_guide_src/source/changelog.rst | 1 + user_guide_src/source/libraries/language.rst | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index de5ec4758..92f6a03ef 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -219,6 +219,7 @@ Release Date: Not Released - :doc:`Encryption Library ` changes include: - Added support for hashing algorithms other than SHA1 and MD5. - Removed previously deprecated ``sha1()`` method. + - Changed :doc:`Language Library ` method ``load()`` to filter the language name with ``ctype_digit()``. - Core diff --git a/user_guide_src/source/libraries/language.rst b/user_guide_src/source/libraries/language.rst index ec678cd21..b231f14a3 100644 --- a/user_guide_src/source/libraries/language.rst +++ b/user_guide_src/source/libraries/language.rst @@ -54,7 +54,9 @@ first. Loading a language file is done with the following code:: Where filename is the name of the file you wish to load (without the file extension), and language is the language set containing it (ie, english). If the second parameter is missing, the default language set -in your application/config/config.php file will be used. +in your *application/config/config.php* file will be used. + +.. note:: The *language* parameter can only consist of letters. Fetching a Line of Text ======================= @@ -67,8 +69,7 @@ text using this function:: Where language_key is the array key corresponding to the line you wish to show. -Note: This function simply returns the line. It does not echo it for -you. +.. note:: This method simply returns the line. It does not echo it. Using language lines as form labels ----------------------------------- -- cgit v1.2.3-24-g4f1b From f795ab52dadaef20afd3a97ad4c8ed408e211dc2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 21:28:25 +0300 Subject: [ci skip] Document get_csrf_token_name(), get_csrf_hash() (issue #715) --- user_guide_src/source/libraries/security.rst | 45 +++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 7 deletions(-) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index e7d25555f..05553142f 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -26,7 +26,7 @@ processing since it requires a fair amount of processing overhead. To filter data through the XSS filter use this function: $this->security->xss_clean() -============================= +============================ Here is an usage example:: @@ -56,7 +56,7 @@ browser may attempt to execute. } $this->security->sanitize_filename() -===================================== +==================================== When accepting filenames from user input, it is best to sanitize them to prevent directory traversal and other security related issues. To do so, @@ -76,16 +76,35 @@ parameter, $relative_path to TRUE. Cross-site request forgery (CSRF) ================================= -You can enable csrf protection by opening your +You can enable CSRF protection by opening your application/config/config.php file and setting this:: $config['csrf_protection'] = TRUE; -If you use the :doc:`form helper <../helpers/form_helper>` the -form_open() function will automatically insert a hidden csrf field in -your forms. +If you use the :doc:`form helper <../helpers/form_helper>`, then +``form_open()`` will automatically insert a hidden csrf field in +your forms. If not, then you can use ``csrf_get_token_name()`` +and ``csrf_get_hash()`` -Tokens may be either regenerated on every submission (default) or kept the same throughout the life of the CSRF cookie. The default regeneration of tokens provides stricter security but may result in usability concerns as other tokens become invalid (back/forward navigation, multiple tabs/windows, asynchronous actions, etc). You may alter this behavior by editing the following config parameter:: +:: + + $csrf = array( + 'name' => $this->security->csrf_get_token_name(), + 'hash' => $this->security->csrf_get_hash() + ); + + ... + + + +Tokens may be either regenerated on every submission (default) or +kept the same throughout the life of the CSRF cookie. The default +regeneration of tokens provides stricter security, but may result +in usability concerns as other tokens become invalid (back/forward +navigation, multiple tabs/windows, asynchronous actions, etc). You +may alter this behavior by editing the following config parameter + +:: $config['csrf_regeneration'] = TRUE; @@ -95,3 +114,15 @@ by editing the 'csrf_exclude_uris' config parameter:: $config['csrf_exclude_uris'] = array('api/person/add'); +$this->security->get_csrf_token_name() +====================================== + +Returns the CSRF token name, which is set by +``$config['csrf_token_name']``. + +$this->security->get_csrf_hash() +================================ + +Returns the CSRF hash value. Useful in combination with +``get_csrf_token_name()`` for manually building forms or +sending valid AJAX POST requests. \ No newline at end of file -- cgit v1.2.3-24-g4f1b From 9d0ab04e1e39bc93c59f60844dd2cf9176443028 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 21:47:39 +0300 Subject: Fix #191 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 92f6a03ef..ca46e9db1 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -377,6 +377,7 @@ Bug fixes for 3.0 - Fixed a bug (#1766) - :doc:`Query Builder ` didn't always take into account the *dbprefix* setting. - Fixed a bug (#779) - :doc:`URI Class ` didn't always trim slashes from the *uri_string* as shown in the documentation. - Fixed a bug (#134) - :doc:`Database Caching ` method ``delete_cache()`` didn't work in some cases due to *cachedir* not being initialized properly. +- Fixed a bug (#191) - :doc:`Loader Library ` ignored attempts for (re)loading databases to ``get_instance()->db`` even when the old database connection is dead. Version 2.1.3 ============= -- cgit v1.2.3-24-g4f1b From a0836b9293a50905651e1a2ed624f3e331be765f Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 22:03:42 +0300 Subject: Fix #1255 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ca46e9db1..afe2a6862 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -378,6 +378,7 @@ Bug fixes for 3.0 - Fixed a bug (#779) - :doc:`URI Class ` didn't always trim slashes from the *uri_string* as shown in the documentation. - Fixed a bug (#134) - :doc:`Database Caching ` method ``delete_cache()`` didn't work in some cases due to *cachedir* not being initialized properly. - Fixed a bug (#191) - :doc:`Loader Library ` ignored attempts for (re)loading databases to ``get_instance()->db`` even when the old database connection is dead. +- Fixed a bug (#1255) - :doc:`User Agent Library ` method ``is_referral()`` only checked if ``$_SERVER['HTTP_REFERER']`` exists. Version 2.1.3 ============= -- cgit v1.2.3-24-g4f1b From d87f6bf028e4ab5cd787c8915ea39c3946e338ae Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 22:12:53 +0300 Subject: Fix #1146 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index afe2a6862..8576dbf19 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -379,6 +379,7 @@ Bug fixes for 3.0 - Fixed a bug (#134) - :doc:`Database Caching ` method ``delete_cache()`` didn't work in some cases due to *cachedir* not being initialized properly. - Fixed a bug (#191) - :doc:`Loader Library ` ignored attempts for (re)loading databases to ``get_instance()->db`` even when the old database connection is dead. - Fixed a bug (#1255) - :doc:`User Agent Library ` method ``is_referral()`` only checked if ``$_SERVER['HTTP_REFERER']`` exists. +- Fixed a bug (#1146) - :doc:`Download Helper ` function ``force_download()`` incorrectly sent *Cache-Control* directives *pre-check* and *post-check* to Internet Explorer. Version 2.1.3 ============= -- cgit v1.2.3-24-g4f1b From 04c50f50ad1f522f9521197f9ee7059da52168e0 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 23:05:25 +0300 Subject: [ci skip] Document Query Builder method replace() (fix #1651) --- user_guide_src/source/database/query_builder.rst | 31 +++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/database/query_builder.rst b/user_guide_src/source/database/query_builder.rst index 6ca72914f..5380d0998 100644 --- a/user_guide_src/source/database/query_builder.rst +++ b/user_guide_src/source/database/query_builder.rst @@ -681,6 +681,35 @@ associative array of values. .. note:: All values are escaped automatically producing safer queries. +$this->db->replace() +==================== + +This method executes a REPLACE statement, which is basically the SQL +standard for (optional) DELETE + INSERT, using *PRIMARY* and *UNIQUE* +keys as the determining factor. +In our case, it will save you from the need to implement complex +logics with different combinations of ``select()``, ``update()``, +``delete()`` and ``insert()`` calls. + +Example:: + + $data = array( + 'title' => 'My title', + 'name' => 'My Name', + 'date' => 'My date' + ); + + $this->db->replace('table', $data); + + // Executes: REPLACE INTO mytable (title, name, date) VALUES ('My title', 'My name', 'My date') + +In the above example, if we assume that the *title* field is our primary +key, then if a row containing 'My title' as the *title* value, that row +will be deleted with our new row data replacing it. + +Usage of the ``set()`` method is also allowed and all fields are +automatically escaped, just like with ``insert()``. + $this->db->set() ================ @@ -740,7 +769,6 @@ Or an object:: $this->db->set($object); $this->db->insert('mytable'); - ************* Updating Data ************* @@ -792,6 +820,7 @@ Or as an array:: You may also use the $this->db->set() function described above when performing updates. + $this->db->update_batch() ========================= -- cgit v1.2.3-24-g4f1b From 4a7cc768a836a12c4839e482715b3859e0c16d7d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 24 Oct 2012 23:52:05 +0300 Subject: Fix #1811 --- user_guide_src/source/changelog.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'user_guide_src/source') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 8576dbf19..d3cebc7cc 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -380,6 +380,7 @@ Bug fixes for 3.0 - Fixed a bug (#191) - :doc:`Loader Library ` ignored attempts for (re)loading databases to ``get_instance()->db`` even when the old database connection is dead. - Fixed a bug (#1255) - :doc:`User Agent Library ` method ``is_referral()`` only checked if ``$_SERVER['HTTP_REFERER']`` exists. - Fixed a bug (#1146) - :doc:`Download Helper ` function ``force_download()`` incorrectly sent *Cache-Control* directives *pre-check* and *post-check* to Internet Explorer. +- Fixed a bug (#1811) - :doc:`URI Library ` didn't properly cache segments for ``uri_to_assoc()`` and ``ruri_to_assoc()``. Version 2.1.3 ============= -- cgit v1.2.3-24-g4f1b