From ff773c059cb984920767dd6187c30a77e5bf78c9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 14 Dec 2016 13:45:45 +0200 Subject: Finally drop CI_Input::_sanitize_globals() Close #4101 --- user_guide_src/source/installation/upgrade_320.rst | 18 ++++++++++++++ user_guide_src/source/libraries/input.rst | 28 ++++------------------ 2 files changed, 23 insertions(+), 23 deletions(-) (limited to 'user_guide_src') diff --git a/user_guide_src/source/installation/upgrade_320.rst b/user_guide_src/source/installation/upgrade_320.rst index 6501f40db..8434172e7 100644 --- a/user_guide_src/source/installation/upgrade_320.rst +++ b/user_guide_src/source/installation/upgrade_320.rst @@ -159,3 +159,21 @@ CodeIgniter versions that have been removed in 3.2.0: - ``send_email()`` (use ``mail()`` instead) - The entire *Smiley Helper* (an archived version is available on GitHub: `bcit-ci/ci3-smiley-helper `_) + +Step 8: Make sure you're validating all user inputs +=================================================== + +The :doc:`Input Library <../libraries/input>` used to (often +unconditionally) filter and/or sanitize user input in the ``$_GET``, +``$_POST`` and ``$_COOKIE`` superglobals. + +This was a legacy feature from older times, when things like +`register_globals `_ and +`magic_quotes_gpc `_ existed in +PHP. +It was a necessity back then, but this is no longer the case and reliance +on global filters is a bad practice, giving you a false sense of security. + +This functionality is now removed, and so if you've relied on it for +whatever reasons, you should double-check that you are properly validating +all user inputs in your application (as you always should do). diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 1961e3e57..97460c2c5 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst 
@@ -2,10 +2,8 @@ Input Class ########### -The Input Class serves two purposes: - -#. It pre-processes global input data for security. -#. It provides some helper methods for fetching input data and pre-processing it. +The Input Class provides some helper methods for accessing input data +and pre-processing it. .. note:: This class is initialized automatically by the system so there is no need to do it manually. @@ -17,25 +15,9 @@ The Input Class serves two purposes:
-*************** -Input Filtering -*************** - -Security Filtering -================== - -The security filtering method is called automatically when a new -:doc:`controller <../general/controllers>` is invoked. It does the -following: - -- Destroys all global variables in the event register_globals is - turned on. -- Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric - (and a few other) characters. - -******************* -Accessing form data -******************* +******************** +Accessing input data +******************** Using POST, GET, COOKIE, or SERVER Data ======================================= -- cgit v1.2.3-24-g4f1b
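Review bot: the new "Step 8" in upgrade_320.rst tells readers to validate all user inputs but never names which facility replaces the removed global filtering, so an upgrading developer has nowhere to go from this page. Suggest ending the step with a cross-reference in the same ``:doc:`` style already used for the Input Library (e.g. to the form validation documentation, or to whatever per-call input filtering the Input Library still offers), so that "double-check that you are properly validating all user inputs" points at concrete tooling rather than leaving it as general advice.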
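Review bot: the rewritten class description in input.rst still says the Input Class "provides some helper methods for accessing input data and pre-processing it", while the upgrade note states that the automatic filtering of ``$_GET``, ``$_POST`` and ``$_COOKIE`` is gone. Left as is, a reader skimming the library page may still assume some global sanitization happens before their controller runs. Suggest qualifying the sentence so that any remaining pre-processing is described as opt-in and per-call, for example "and optionally pre-processing it on request", so the two documents agree on what the class no longer does.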
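Review bot: the removed "Security Filtering" section documented two behaviours, destroying globals when register_globals was on and filtering GET/POST/COOKIE array *keys* down to alpha-numeric (and a few other) characters, but the new upgrade step in the first hunk only speaks of filtering and sanitizing input *values*. Applications that used request keys directly (as array indexes, field names, file names) lose that key filtering too, and nothing in the added text warns them. Suggest the Step 8 text explicitly mention that array keys are also no longer filtered, so that check is not overlooked during the upgrade. Also worth confirming the renamed heading underlines in this hunk match "Accessing input data" exactly (20 characters), since Sphinx warns on a mismatched title underline.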