1 <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2 <html xmlns=
"http://www.w3.org/1999/xhtml" xml:
lang=
"en" lang=
"en">
5 <meta http-equiv=
"Content-Type" content=
"text/html; charset=utf-8" />
6 <title>Security : CodeIgniter User Guide
</title>
8 <style type='text/css' media='all'
>@import url('../userguide.css');
</style>
9 <link rel='stylesheet' type='text/css' media='all' href='../userguide.css'
/>
11 <script type=
"text/javascript" src=
"../nav/nav.js"></script>
12 <script type=
"text/javascript" src=
"../nav/prototype.lite.js"></script>
13 <script type=
"text/javascript" src=
"../nav/moo.fx.js"></script>
14 <script type=
"text/javascript" src=
"../nav/user_guide_menu.js"></script>
16 <meta http-equiv='expires' content='-
1'
/>
17 <meta http-equiv= 'pragma' content='no-cache'
/>
18 <meta name='robots' content='all'
/>
19 <meta name='author' content='ExpressionEngine Dev Team'
/>
20 <meta name='description' content='CodeIgniter User Guide'
/>
25 <!-- START NAVIGATION -->
26 <div id=
"nav"><div id=
"nav_inner"><script type=
"text/javascript">create_menu('../');
</script></div></div>
27 <div id=
"nav2"><a name=
"top"></a><a href=
"javascript:void(0);" onclick=
"myHeight.toggle();"><img src=
"../images/nav_toggle_darker.jpg" width=
"154" height=
"43" border=
"0" title=
"Toggle Table of Contents" alt=
"Toggle Table of Contents" /></a></div>
29 <table cellpadding=
"0" cellspacing=
"0" border=
"0" style=
"width:100%">
31 <td><h1>CodeIgniter User Guide Version
2.1.3</h1></td>
32 <td id=
"breadcrumb_right"><a href=
"../toc.html">Table of Contents Page
</a></td>
36 <!-- END NAVIGATION -->
39 <!-- START BREADCRUMB -->
40 <table cellpadding=
"0" cellspacing=
"0" border=
"0" style=
"width:100%">
43 <a href=
"http://codeigniter.com/">CodeIgniter Home
</a> ›
44 <a href=
"../index.html">User Guide Home
</a> ›
47 <td id=
"searchbox"><form method=
"get" action=
"http://www.google.com/search"><input type=
"hidden" name=
"as_sitesearch" id=
"as_sitesearch" value=
"codeigniter.com/user_guide/" />Search User Guide
<input type=
"text" class=
"input" style=
"width:200px;" name=
"q" id=
"q" size=
"31" maxlength=
"255" value=
"" /> <input type=
"submit" class=
"submit" name=
"sa" value=
"Go" /></form></td>
50 <!-- END BREADCRUMB -->
55 <!-- START CONTENT -->
60 <p>This page describes some "best practices" regarding web security, and details
61 CodeIgniter's internal security features.
</p>
66 <p>CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help
67 minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:
71 <li>Alpha-numeric text
</li>
75 <li>Underscore: _
</li>
79 <h2>Register_globals
</h2>
81 <p>During system initialization all global variables are unset, except those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting
82 routine is effectively the same as register_globals = off.
</p>
84 <a name=
"error_reporting"></a>
85 <h2>error_reporting
</h2>
88 In production environments, it is typically desirable to disable PHP's
89 error reporting by setting the internal error_reporting flag to a value of
0. This disables native PHP
90 errors from being rendered as output, which may potentially contain
91 sensitive information.
95 Setting CodeIgniter's
<kbd>ENVIRONMENT
</kbd> constant in index.php to a
96 value of '
<kbd>production
</kbd>' will turn off these errors. In development
97 mode, it is recommended that a value of '
<kbd>development
</kbd>' is used.
98 More information about differentiating between environments can be found
99 on the
<a href=
"environments.html">Handling Environments
</a> page.
102 <h2>magic_quotes_runtime
</h2>
104 <p>The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when
105 retrieving data from your database.
</p>
107 <h1>Best Practices
</h1>
109 <p>Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data,
110 XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:
</p>
113 <li>Filter the data as if it were tainted.
</li>
114 <li>Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
</li>
115 <li>Escape the data before submitting it into your database.
</li>
118 <p>CodeIgniter provides the following functions to assist in this process:
</p>
122 <li><h2>XSS Filtering
</h2>
124 <p>CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly
125 used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies
126 or do other malicious things. The XSS Filter is described
<a href=
"../libraries/security.html">here
</a>.
130 <li><h2>Validate the data
</h2>
132 <p>CodeIgniter has a
<a href=
"../libraries/form_validation.html">Form Validation Class
</a> that assists you in validating, filtering, and prepping
136 <li><h2>Escape all data before database insertion
</h2>
138 <p>Never insert information into your database without escaping it. Please see the section that discusses
139 <a href=
"../database/queries.html">queries
</a> for more information.
</p>
154 Previous Topic:
<a href=
"alternative_php.html">Alternative PHP
</a>
155 ·
156 <a href=
"#top">Top of Page
</a> ·
157 <a href=
"../index.html">User Guide Home
</a> ·
158 Next Topic:
<a href=
"styleguide.html">PHP Style Guide
</a>
160 <p><a href=
"http://codeigniter.com">CodeIgniter
</a> · Copyright
© 2006 -
2012 · <a href=
"http://ellislab.com/">EllisLab, Inc.
</a></p>