This page describes some "best practices" regarding web security, and details revIgniter's internal security features.
revIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:
- Alpha-numeric text
- Tilde: ~
- Period: .
- Colon: :
- Underscore: _
- Dash: -
GET data is simply disallowed by revIgniter since the system utilizes URI segments rather than traditional URL query strings (unless you have the query string option enabled in your config file). The global GET array is set to empty by the Input library during system initialization.
Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:
- Filter the data as if it were tainted.
- Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
- Escape the data before submitting it into your database.
revIgniter provides the following handlers to assist in this process:
Enable revIgniter's cross-site request forgery (CSRF) protection if you are accepting user data. CSRF protection is described here.
revIgniter comes with a function to sanitize filenames from user input.
Validate the data
revIgniter has a Form Validation Library that assists you in validating, filtering, and prepping your data.
Escape all data before database insertion
Never insert information into your database without escaping it. Please see the section that discusses queries for more information.