| Derek Jones | 8ede1a2 | 2011-10-05 13:34:52 -0500 | [diff] [blame] | 1 | ######## |
| 2 | Security |
| 3 | ######## |
| 4 | |
| 5 | This page describes some "best practices" regarding web security, and |
| 6 | details CodeIgniter's internal security features. |
| 7 | |
| 8 | URI Security |
| 9 | ============ |
| 10 | |
| 11 | CodeIgniter is fairly restrictive regarding which characters it allows |
| 12 | in your URI strings in order to help minimize the possibility that |
| 13 | malicious data can be passed to your application. URIs may only contain |
| 14 | the following: |
| 15 | |
| 16 | - Alpha-numeric text |
| 17 | - Tilde: ~ |
| 18 | - Period: . |
| 19 | - Colon: : |
| 20 | - Underscore: \_ |
| 21 | - Dash: - |
| 22 | |
| 23 | Register_globals |
| 24 | ================= |
| 25 | |
| 26 | During system initialization all global variables are unset, except |
| 27 | those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting |
| 28 | routine is effectively the same as register_globals = off. |
| 29 | |
| 30 | error_reporting |
| 31 | ================ |
| 32 | |
| 33 | In production environments, it is typically desirable to disable PHP's |
| 34 | error reporting by setting the internal error_reporting flag to a value |
| 35 | of 0. This disables native PHP errors from being rendered as output, |
| 36 | which may potentially contain sensitive information. |
| 37 | |
| 38 | Setting CodeIgniter's ENVIRONMENT constant in index.php to a value of |
| 39 | 'production' will turn off these errors. In development mode, it is |
| 40 | recommended that a value of 'development' is used. More information |
| 41 | about differentiating between environments can be found on the :doc:`Handling |
| 42 | Environments <environments>` page. |
| 43 | |
| 44 | magic_quotes_runtime |
| 45 | ====================== |
| 46 | |
| 47 | The magic_quotes_runtime directive is turned off during system |
| 48 | initialization so that you don't have to remove slashes when retrieving |
| 49 | data from your database. |
| 50 | |
| 51 | ************** |
| 52 | Best Practices |
| 53 | ************** |
| 54 | |
| 55 | Before accepting any data into your application, whether it be POST data |
| 56 | from a form submission, COOKIE data, URI data, XML-RPC data, or even |
| 57 | data from the SERVER array, you are encouraged to practice this three |
| 58 | step approach: |
| 59 | |
| 60 | #. Filter the data as if it were tainted. |
| 61 | #. Validate the data to ensure it conforms to the correct type, length, |
| 62 | size, etc. (sometimes this step can replace step one) |
| 63 | #. Escape the data before submitting it into your database. |
| 64 | |
| 65 | CodeIgniter provides the following functions to assist in this process: |
| 66 | |
| 67 | XSS Filtering |
| 68 | ============= |
| 69 | |
| 70 | CodeIgniter comes with a Cross Site Scripting filter. This filter |
| 71 | looks for commonly used techniques to embed malicious Javascript into |
| 72 | your data, or other types of code that attempt to hijack cookies or |
| 73 | do other malicious things. The XSS Filter is described |
| 74 | :doc:`here <../libraries/security>`. |
| 75 | |
| 76 | Validate the data |
| 77 | ================= |
| 78 | |
| 79 | CodeIgniter has a :doc:`Form Validation |
| 80 | Class <../libraries/form_validation>` that assists you in |
| 81 | validating, filtering, and prepping your data. |
| 82 | |
| 83 | Escape all data before database insertion |
| 84 | ========================================= |
| 85 | |
| 86 | Never insert information into your database without escaping it. |
| 87 | Please see the section that discusses |
| 88 | :doc:`queries <../database/queries>` for more information. |
| 89 | |
| 90 | |