<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Security : CodeIgniter User Guide</title>

<style type='text/css' media='all'>@import url('../userguide.css');</style>
<link rel='stylesheet' type='text/css' media='all' href='../userguide.css' />

<script type="text/javascript" src="../nav/nav.js"></script>
<script type="text/javascript" src="../nav/prototype.lite.js"></script>
<script type="text/javascript" src="../nav/moo.fx.js"></script>
<script type="text/javascript" src="../nav/user_guide_menu.js"></script>

<meta http-equiv='expires' content='-1' />
<meta http-equiv='pragma' content='no-cache' />
<meta name='robots' content='all' />
<meta name='author' content='ExpressionEngine Dev Team' />
<meta name='description' content='CodeIgniter User Guide' />

</head>
<body>

<!-- START NAVIGATION -->
<div id="nav"><div id="nav_inner"><script type="text/javascript">create_menu('../');</script></div></div>
<div id="nav2"><a name="top"></a><a href="javascript:void(0);" onclick="myHeight.toggle();"><img src="../images/nav_toggle_darker.jpg" width="154" height="43" border="0" title="Toggle Table of Contents" alt="Toggle Table of Contents" /></a></div>
<div id="masthead">
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
<td><h1>CodeIgniter User Guide Version 2.0.2</h1></td>
<td id="breadcrumb_right"><a href="../toc.html">Table of Contents Page</a></td>
</tr>
</table>
</div>
<!-- END NAVIGATION -->


<!-- START BREADCRUMB -->
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
<td id="breadcrumb">
<a href="http://codeigniter.com/">CodeIgniter Home</a> &nbsp;&#8250;&nbsp;
<a href="../index.html">User Guide Home</a> &nbsp;&#8250;&nbsp;
Security
</td>
<td id="searchbox"><form method="get" action="http://www.google.com/search"><input type="hidden" name="as_sitesearch" id="as_sitesearch" value="codeigniter.com/user_guide/" />Search User Guide&nbsp; <input type="text" class="input" style="width:200px;" name="q" id="q" size="31" maxlength="255" value="" />&nbsp;<input type="submit" class="submit" name="sa" value="Go" /></form></td>
</tr>
</table>
<!-- END BREADCRUMB -->

<br clear="all" />


<!-- START CONTENT -->
<div id="content">

<h1>Security</h1>

<p>This page describes some "best practices" regarding web security, and details
CodeIgniter's internal security features.</p>


<h2>URI Security</h2>

<p>CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help
minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:
</p>

<ul>
<li>Alpha-numeric text</li>
<li>Tilde: ~</li>
<li>Period: .</li>
<li>Colon: :</li>
<li>Underscore: _</li>
<li>Dash: -</li>
</ul>
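<p>The allowlist above, reproduced as a stand-alone check so you can see which URI segments it accepts and which it rejects. This is an added example written for this page, not the framework's own URI class: the framework reads its allowlist from its configuration, whereas the regular expression and the sample URIs below are constructed for the demonstration.</p>

```php
<?php
// Added example, not code from the CodeIgniter user guide or framework.
// It checks each URI segment against the character list this page gives:
// alphanumerics, tilde, period, colon, underscore and dash. The pattern is
// an assumption built from that list for this example only.
const URI_SEGMENT_PATTERN = '/^[A-Za-z0-9~.:_-]+$/';

/**
 * Returns TRUE when every segment of $uri contains only permitted characters.
 * The slash is the segment separator and is therefore not part of the list;
 * an empty segment (a double slash) is treated as not permitted.
 */
function uri_is_permitted($uri)
{
    $trimmed = trim($uri, '/');
    if ($trimmed === '')
    {
        return TRUE; // the root URI has no segments to inspect
    }

    foreach (explode('/', $trimmed) as $segment)
    {
        if ($segment === '' OR ! preg_match(URI_SEGMENT_PATTERN, $segment))
        {
            return FALSE;
        }
    }

    return TRUE;
}

// Constructed sample URIs for the demonstration.
$samples = array(
    '/blog/post-2011_04.html',  // only listed characters: accepted
    '/user/profile:view',       // the colon is on the list: accepted
    '/search?q=test',           // ? and = are not on the list: rejected
    '/files/name with space',   // the space is not on the list: rejected
    '/page/a<b',                // < is not on the list: rejected
    '/path/to/../secret',       // passes: every character is permitted; the
                                // list filters characters, not the meaning
                                // of a segment, so routing must still only
                                // map segments to controllers, never to paths
);

foreach ($samples as $uri)
{
    printf("%-28s %s\n", $uri, uri_is_permitted($uri) ? 'accepted' : 'rejected');
}
```

<p>The last sample is the caveat worth remembering: a character allowlist limits what an attacker can put into a segment, but it does not decide what a segment means. That is the job of the routing rules and of the validation described under Best Practices below.</p>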
78
79<h2>GET, POST, and COOKIE Data</h2>
80
81<p>GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless
82you have the query string option enabled in your config file). The global GET
83array is <strong>unset</strong> by the Input class during system initialization.</p>
84
85<h2>Register_globals</h2>
86
87<p>During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting
88routine is effectively the same as register_globals = off.</p>
89
katzgraue8f58902011-03-10 10:24:29 -050090<a name="error_reporting"></a>
91<h2>error_reporting</h2>
92
93<p>
94 In production environments, it is typically desirable to disable PHP's
95 error reporting by setting the internal error_reporting flag to a value of 0. This disables native PHP
96 errors from being rendered as output, which may potentially contain
97 sensitive information.
98</p>
99
100<p>
101 Setting CodeIgniter's <kbd>ENVIRONMENT</kbd> constant in index.php to a
102 value of '<kbd>production</kbd>' will turn off these errors. In development
103 mode, it is recommended that a value of '<kbd>development</kbd>' is used.
104 More information about differentiating between environments can be found
105 on the <a href="environments.html">Handling Environments</a> page.
106</p>
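<p>The switch this section describes, written out as an added example so it can be run on its own. It is not the framework's index.php: in a CodeIgniter install the <kbd>ENVIRONMENT</kbd> constant is defined at the top of index.php, whereas here it is taken from a <kbd>CI_ENV</kbd> environment variable (an assumption made for this example) so that the same script can be run in both modes.</p>

```php
<?php
// Added example, not the framework's own index.php. It shows how the
// ENVIRONMENT constant decides whether PHP renders native errors.

if ( ! defined('ENVIRONMENT'))
{
    // Assumption for this example: read the value from a CI_ENV environment
    // variable and fall back to 'production', the setting that outputs nothing.
    define('ENVIRONMENT', getenv('CI_ENV') ? getenv('CI_ENV') : 'production');
}

switch (ENVIRONMENT)
{
    case 'development':
        // Report and display everything while developing.
        error_reporting(E_ALL);
        ini_set('display_errors', 1);
        break;

    case 'production':
        // A level of 0 reports nothing, so no message reaches display_errors
        // (or log_errors). display_errors is switched off as well, so output
        // stays off even if some library raises the level again later.
        error_reporting(0);
        ini_set('display_errors', 0);
        break;

    default:
        // An unrecognised value is a configuration mistake: stop instead of
        // guessing which behaviour was intended.
        exit('The application environment is not set correctly.');
}

echo 'ENVIRONMENT = ' . ENVIRONMENT . PHP_EOL;

// Demonstration: reading a variable that was never assigned raises a PHP
// notice (a warning on PHP 8). With CI_ENV=development the message is
// printed; with the production default nothing but the next line appears.
echo 'value: ' . $undefined_variable . PHP_EOL;
```

<p>Run it once as <kbd>CI_ENV=development php environment_demo.php</kbd> and once with no variable set to see the difference. One trade-off to be aware of: because a level of 0 suppresses reporting altogether, PHP will not write the error to its log either. If you want a server-side record of failures in production, keep a non-zero level, turn <kbd>display_errors</kbd> off and <kbd>log_errors</kbd> on, and make sure the log file is not web-accessible.</p>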

<h2>magic_quotes_runtime</h2>

<p>The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when
retrieving data from your database.</p>

<h1>Best Practices</h1>

<p>Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data,
XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:</p>

<ol>
<li>Filter the data as if it were tainted.</li>
<li>Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)</li>
<li>Escape the data before submitting it into your database.</li>
</ol>

<p>CodeIgniter provides the following functions to assist in this process:</p>

<ul>

<li><h2>XSS Filtering</h2>

<p>CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly
used techniques to embed malicious JavaScript into your data, or other types of code that attempt to hijack cookies
or do other malicious things. The XSS Filter is described <a href="../libraries/security.html">here</a>.
</p>
</li>

<li><h2>Validate the data</h2>

<p>CodeIgniter has a <a href="../libraries/form_validation.html">Form Validation Class</a> that assists you in validating, filtering, and prepping
your data.</p>
</li>

<li><h2>Escape all data before database insertion</h2>

<p>Never insert information into your database without escaping it. Please see the section that discusses
<a href="../database/queries.html">queries</a> for more information.</p>

</li>

</ul>
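<p>The three steps applied together in one controller, as an added example written for this page rather than code taken from the framework or its documentation. It assumes a CodeIgniter 2.0.x install with the database library and Active Record loaded, a table named <kbd>comments</kbd> with <kbd>author</kbd> and <kbd>body</kbd> columns, and a view named <kbd>comment_form</kbd>; the table, columns and view name are assumptions made for the example.</p>

```php
<?php
// Added example, not code from the CodeIgniter user guide or framework.
// Assumed: database library with Active Record loaded, a `comments` table
// with `author` and `body` columns, and a `comment_form` view.

class Comments extends CI_Controller {

    public function submit()
    {
        $this->load->library('form_validation');
        $this->load->helper(array('form', 'url'));

        // Steps 1 and 2 (filter, then validate) as one rule set per field.
        // xss_clean runs the XSS filter over the value; trim, required,
        // alpha_dash and max_length constrain type and length so that empty,
        // oversized or oddly formed input is rejected before it is used.
        $this->form_validation->set_rules('author', 'Author',
            'trim|required|alpha_dash|max_length[32]|xss_clean');
        $this->form_validation->set_rules('body', 'Comment',
            'trim|required|max_length[1000]|xss_clean');

        if ($this->form_validation->run() === FALSE)
        {
            // Redisplay the form with the validation errors; nothing has
            // touched the database at this point.
            $this->load->view('comment_form');
            return;
        }

        // Step 3 (escape). set_value() returns each field after its rules
        // (including xss_clean) have run, and Active Record escapes every
        // value it binds, so no string is ever concatenated into SQL by hand.
        $row = array(
            'author' => set_value('author'),
            'body'   => set_value('body'),
        );
        $this->db->insert('comments', $row);

        // The same insert as a raw query with bindings: each ? is escaped by
        // the database driver, which is the form the queries page describes.
        // $this->db->query('INSERT INTO comments (author, body) VALUES (?, ?)',
        //                  array($row['author'], $row['body']));

        redirect('comments');
    }
}
```

<p>The order matters: validation runs before any database call, so a rejected submission never reaches step 3, and the escaping is done by the query builder or by query bindings rather than by the controller, so there is no code path that builds SQL from the raw request. The same pattern applies to COOKIE, URI and XML-RPC input; only the source of the value changes.</p>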



</div>
<!-- END CONTENT -->


<div id="footer">
<p>
Previous Topic:&nbsp;&nbsp;<a href="alternative_php.html">Alternative PHP</a>
&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
<a href="#top">Top of Page</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
<a href="../index.html">User Guide Home</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
Next Topic:&nbsp;&nbsp;<a href="styleguide.html">PHP Style Guide</a>
</p>
<p><a href="http://codeigniter.com">CodeIgniter</a> &nbsp;&middot;&nbsp; Copyright &#169; 2006 - 2011 &nbsp;&middot;&nbsp; <a href="http://ellislab.com/">EllisLab, Inc.</a></p>
</div>

</body>
</html>