user_guide/general/security.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>Code Igniter User Guide</title>

<style type='text/css' media='all'>@import url('../userguide.css');</style>
<link rel='stylesheet' type='text/css' media='all' href='../userguide.css' />

<script type="text/javascript" src="../nav/nav.js"></script>
<script type="text/javascript" src="../nav/prototype.lite.js"></script>
<script type="text/javascript" src="../nav/moo.fx.js"></script>
<script type="text/javascript">
window.onload = function() {
	myHeight = new fx.Height('nav', {duration: 400});
	myHeight.hide();
}
</script>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv='expires' content='-1' />
<meta http-equiv= 'pragma' content='no-cache' />
<meta name='robots' content='all' />
<meta name='author' content='Rick Ellis' />
<meta name='description' content='Code Igniter User Guide' />

</head>
<body>

<!-- START NAVIGATION -->
<div id="nav"><div id="nav_inner"><script type="text/javascript">create_menu('../');</script></div></div>
<div id="nav2"><a name="top"></a><a href="javascript:void(0);" onclick="myHeight.toggle();"><img src="../images/nav_toggle.jpg" width="153" height="44" border="0" title="Toggle Table of Contents" alt="Toggle Table of Contents" /></a></div>
<div id="masthead">
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
<td><h1>Code Igniter User Guide Version 1.5.1</h1></td>
<td id="breadcrumb_right"><a href="../toc.html">Table of Contents Page</a></td>
</tr>
</table>
</div>
<!-- END NAVIGATION -->


<!-- START BREADCRUMB -->
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
<td id="breadcrumb">
<a href="http://www.codeigniter.com/">Code Igniter Home</a> &nbsp;&#8250;&nbsp;
<a href="../index.html">User Guide Home</a> &nbsp;&#8250;&nbsp;
Security
</td>
<td id="searchbox"><form method="get" action="http://www.google.com/search"><input type="hidden" name="as_sitesearch" id="as_sitesearch" value="www.codeigniter.com/user_guide/" />Search User Guide&nbsp; <input type="text" class="input" style="width:200px;" name="q" id="q" size="31" maxlength="255" value="" />&nbsp;<input type="submit" class="submit" name="sa" value="Go" /></form></td>
</tr>
</table>
<!-- END BREADCRUMB -->

<br clear="all" />


<!-- START CONTENT -->
<div id="content">

<h1>Security</h1>

<p>This page describes some "best practices" regarding web security, and details
Code Igniter's internal security features.</p>


<h2>URI Security</h2>

<p>Code Igniter is fairly restrictive regarding which characters it allows in your URI strings in order to help
minimize the possibility that malicious data can be passed to your application.  URIs may only contain the following:
</p>

<ul>
<li>Alpha-numeric text</li>
<li>Tilde: ~ </li>
<li>Period: .</li>
<li>Colon: :</li>
<li>Underscore: _</li>
<li>Dash: -</li>
</ul>

<h2>GET, POST, and COOKIE Data</h2>

<p>GET data is simply disallowed by Code Igniter since the system utilizes URI segments rather than traditional URL query strings (unless
you have the query string option enabled in your config file).  The global GET
array is <strong>unset</strong> by the Input class during system initialization.</p>

<h2>Register_globals</h2>

<p>During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting
routine is effectively the same as register_globals = off.</p>


<h2>magic_quotes_runtime</h2>

<p>The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when
retrieving data from your database.</p>

<h1>Best Practices</h1>

<p>Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data,
XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:</p>

<ol>

<li>Filter the data as if it were tainted.</li>
<li>Validate the data to ensure it conforms to the correct  type, length, size, etc. (sometimes this step can replace step one)</li>
<li>Escape the data before submitting it into your database.</li>
</ol>

Code Igniter provides the following functions to assist in this process:</p>

<ul>

<li><h2>XSS Filtering</h2>

<p>Code Igniter comes with a Cross Site Scripting filter.  This filter looks for commonly
used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies
or do other malicious things. The XSS Filter is described <a href="../libraries/input.html">here</a>.
</p>
</li>

<li><h2>Validate the data</h2>

<p>Code Igniter has a <a href="../libraries/validation.html">Validation Class</a> that assists you in validating, filtering, and prepping
your data.</p>
</li>

<li><h2>Escape all data before database insertion</h2>

<p>Never insert information into your database without escaping it. Please see the section that discusses
<a href="../database/queries.html">queries</a> for more information.</p>

</li>

</ul>




</div>
<!-- END CONTENT -->


<div id="footer">
<p>
Previous Topic:&nbsp;&nbsp;<a href="alternative_php.html">Alternative PHP</a>
&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
<a href="#top">Top of Page</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
<a href="../index.html">User Guide Home</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
Next Topic:&nbsp;&nbsp;<a href="../libraries/benchmark.html">Benchmarking Class</a>
<p>
<p><a href="http://www.codeigniter.com">Code Igniter</a> &nbsp;&middot;&nbsp; Copyright &#169; 2006 &nbsp;&middot;&nbsp; <a href="http://www.pmachine.com">pMachine, Inc.</a></p>
</div>

</body>
</html>