blob: 24bfe1c46d4fd052077b94c869b3a588d9f0387b [file] [log] [blame]
adminb0dd10f2006-08-25 17:25:49 +00001<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2<html>
3<head>
4
Derek Allardd2df9bc2007-04-15 17:41:17 +00005<title>CodeIgniter User Guide</title>
adminb0dd10f2006-08-25 17:25:49 +00006
7<style type='text/css' media='all'>@import url('../userguide.css');</style>
8<link rel='stylesheet' type='text/css' media='all' href='../userguide.css' />
9
admin17a890d2006-09-27 20:42:42 +000010<script type="text/javascript" src="../nav/nav.js"></script>
admin2296fc32006-09-27 21:07:02 +000011<script type="text/javascript" src="../nav/prototype.lite.js"></script>
admin17a890d2006-09-27 20:42:42 +000012<script type="text/javascript" src="../nav/moo.fx.js"></script>
adminb0dd10f2006-08-25 17:25:49 +000013<script type="text/javascript">
14window.onload = function() {
admine334c472006-10-21 19:44:22 +000015 myHeight = new fx.Height('nav', {duration: 400});
adminb0dd10f2006-08-25 17:25:49 +000016 myHeight.hide();
17}
18</script>
19
20<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
21<meta http-equiv='expires' content='-1' />
22<meta http-equiv= 'pragma' content='no-cache' />
23<meta name='robots' content='all' />
24<meta name='author' content='Rick Ellis' />
Derek Allardd2df9bc2007-04-15 17:41:17 +000025<meta name='description' content='CodeIgniter User Guide' />
adminb0dd10f2006-08-25 17:25:49 +000026
27</head>
28<body>
29
30<!-- START NAVIGATION -->
31<div id="nav"><div id="nav_inner"><script type="text/javascript">create_menu('../');</script></div></div>
32<div id="nav2"><a name="top"></a><a href="javascript:void(0);" onclick="myHeight.toggle();"><img src="../images/nav_toggle.jpg" width="153" height="44" border="0" title="Toggle Table of Contents" alt="Toggle Table of Contents" /></a></div>
33<div id="masthead">
34<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
35<tr>
Derek Allardd2df9bc2007-04-15 17:41:17 +000036<td><h1>CodeIgniter User Guide Version 1.5.3</h1></td>
adminc0d5d522006-10-30 19:40:35 +000037<td id="breadcrumb_right"><a href="../toc.html">Table of Contents Page</a></td>
adminb0dd10f2006-08-25 17:25:49 +000038</tr>
39</table>
40</div>
41<!-- END NAVIGATION -->
42
43
44<!-- START BREADCRUMB -->
45<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
46<tr>
47<td id="breadcrumb">
Derek Allardd2df9bc2007-04-15 17:41:17 +000048<a href="http://www.codeigniter.com/">CodeIgniter Home</a> &nbsp;&#8250;&nbsp;
adminb0dd10f2006-08-25 17:25:49 +000049<a href="../index.html">User Guide Home</a> &nbsp;&#8250;&nbsp;
50Security
51</td>
Derek Allardbc030912007-06-24 18:25:29 +000052<td id="searchbox"><form method="get" action="http://www.google.com/search"><input type="hidden" name="as_sitesearch" id="as_sitesearch" value="codeigniter.com/user_guide/" />Search User Guide&nbsp; <input type="text" class="input" style="width:200px;" name="q" id="q" size="31" maxlength="255" value="" />&nbsp;<input type="submit" class="submit" name="sa" value="Go" /></form></td>
adminb0dd10f2006-08-25 17:25:49 +000053</tr>
54</table>
55<!-- END BREADCRUMB -->
56
57<br clear="all" />
58
59
60<!-- START CONTENT -->
61<div id="content">
62
63<h1>Security</h1>
64
65<p>This page describes some "best practices" regarding web security, and details
Derek Allardd2df9bc2007-04-15 17:41:17 +000066CodeIgniter's internal security features.</p>
adminb0dd10f2006-08-25 17:25:49 +000067
68
69<h2>URI Security</h2>
70
Derek Allardd2df9bc2007-04-15 17:41:17 +000071<p>CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help
adminb0dd10f2006-08-25 17:25:49 +000072minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:
73</p>
74
75<ul>
76<li>Alpha-numeric text</li>
77<li>Tilde: ~ </li>
78<li>Period: .</li>
79<li>Colon: :</li>
80<li>Underscore: _</li>
81<li>Dash: -</li>
82</ul>
83
84<h2>GET, POST, and COOKIE Data</h2>
85
Derek Allardd2df9bc2007-04-15 17:41:17 +000086<p>GET data is simply disallowed by CodeIgniter since the system utilizes URI segments rather than traditional URL query strings (unless
admine334c472006-10-21 19:44:22 +000087you have the query string option enabled in your config file). The global GET
adminb0dd10f2006-08-25 17:25:49 +000088array is <strong>unset</strong> by the Input class during system initialization.</p>
89
90<h2>Register_globals</h2>
91
92<p>During system initialization all global variables are unset, except those found in the $_POST and $_COOKIE arrays. The unsetting
93routine is effectively the same as register_globals = off.</p>
94
95
96<h2>magic_quotes_runtime</h2>
97
98<p>The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when
99retrieving data from your database.</p>
100
admin78ce3cc2006-10-02 02:58:03 +0000101<h1>Best Practices</h1>
adminb0dd10f2006-08-25 17:25:49 +0000102
admine334c472006-10-21 19:44:22 +0000103<p>Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data,
adminb0dd10f2006-08-25 17:25:49 +0000104XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:</p>
105
106<ol>
107
108<li>Filter the data as if it were tainted.</li>
109<li>Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)</li>
110<li>Escape the data before submitting it into your database.</li>
111</ol>
112
Derek Allardd2df9bc2007-04-15 17:41:17 +0000113CodeIgniter provides the following functions to assist in this process:</p>
adminb0dd10f2006-08-25 17:25:49 +0000114
115<ul>
116
117<li><h2>XSS Filtering</h2>
118
Derek Allardd2df9bc2007-04-15 17:41:17 +0000119<p>CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly
adminb0dd10f2006-08-25 17:25:49 +0000120used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies
admine334c472006-10-21 19:44:22 +0000121or do other malicious things. The XSS Filter is described <a href="../libraries/input.html">here</a>.
adminb0dd10f2006-08-25 17:25:49 +0000122</p>
123</li>
124
125<li><h2>Validate the data</h2>
126
Derek Allardd2df9bc2007-04-15 17:41:17 +0000127<p>CodeIgniter has a <a href="../libraries/validation.html">Validation Class</a> that assists you in validating, filtering, and prepping
adminb0dd10f2006-08-25 17:25:49 +0000128your data.</p>
129</li>
130
131<li><h2>Escape all data before database insertion</h2>
132
133<p>Never insert information into your database without escaping it. Please see the section that discusses
admin58083462006-09-24 17:58:27 +0000134<a href="../database/queries.html">queries</a> for more information.</p>
adminb0dd10f2006-08-25 17:25:49 +0000135
136</li>
137
138</ul>
139
140
141
142
143</div>
144<!-- END CONTENT -->
145
146
147<div id="footer">
148<p>
149Previous Topic:&nbsp;&nbsp;<a href="alternative_php.html">Alternative PHP</a>
150&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
151<a href="#top">Top of Page</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
152<a href="../index.html">User Guide Home</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
153Next Topic:&nbsp;&nbsp;<a href="../libraries/benchmark.html">Benchmarking Class</a>
Derek Allardc6441282007-07-04 23:54:32 +0000154</p>
Derek Allardd2df9bc2007-04-15 17:41:17 +0000155<p><a href="http://www.codeigniter.com">CodeIgniter</a> &nbsp;&middot;&nbsp; Copyright &#169; 2007 &nbsp;&middot;&nbsp; <a href="http://ellislab.com/">Ellislab, Inc.</a></p>
adminb0dd10f2006-08-25 17:25:49 +0000156</div>
157
158</body>
159</html>