https://codeigniter4.github.io/CodeIgnit...e_448.html specifies that /tests/.htaccess received changes, but I don't see a .htaccess file in that directory (/vendor/codeigniter4/framework/tests/) even though there is one in the master branch of CI. https://github.com/codeigniter4/CodeIgni...ster/tests. Maybe this is a problem with the composer package?  I have `"codeigniter4/framework": "4.4.8",` in the require section.

On codeigniter.com 4.5 is the latest release but https://codeigniter.com/user_guide/insta...ading.html does not have upgrade notes to get from 4.4.5 to 4.4.6 to 4.4.7 to 4.4.8 to 4.5.0.

If i send POST with "Content-Type": "application/json"

I can get data $json = $request->getJSON();

Inside JSON i have id (int)

can i get via $this->request->getPost('id') ?

I am converting a CI3 webapp to CI4 we need to make sure that our code security strategy is rock solid. Please comment on what is wrong and what is missing.

Escaping outputs:

• Many of the built-in CodeIgniter 4 library functions automatically escape outputs. Examples of this are form_input(), form_password(), form_upload(), form_textarea(), form_dropdown(), form_multiselect(), form_checkbox() and form_radio(). anchor() also is automatically escaped, so no need to do anything with those.
  
• Output outside of this should always be wrapped in esc() and using the correct context as a 2nd parameter.
  
• If done correctly, we shouldn't experience problems of data being garbled.
  

• CodeIgniter has validation mechanisms that allow us to return errors to the user when invalid data is sent.
  
• We need to be validating textboxes and other form input for correct data, and required data.
  

• CodeIgniter4's Query Builder should be used when possible. This is because QueryBuilder has automatic escaping of queries and creates parameterized queries.
  
• Any time queries are not written using QueryBuilder or QueryBuilder->rawSql() is used, $this->db->escape() should be wrapped around variables being inserted into the database and $this->db->protect_identifiers() should be wrapped around variables representing table or column names.
  

• Encryption of all information which can be used to identify an individual including names, addresses, phone numbers, email and addresses.
  
• Passwords need to be encrypted, hashed and salted.
  
• Encryption of API keys used in API calls.
  

• CSRF is needed, but we need to do everything in such a way that it doesn't hinder APIs since those will be needed for third party integrations. If it's interfering, potentially using token authentication and APIKEYs in place of CSRF is warranted?
  
• General best practice, I'm told, is to store html and tags in the database as they are entered (i.e., not encoded). Filtering inputs practices though seems to frequently suggestion wrapping $_POST (getPost() in CI4) in htmlspecialchars() since getPost($foo, FILTER_SANITIZE_STRING) is deprecated. Those functions encode special characters though before they get sent to the model for storing in the database. So the big question is what does Filtering Inputs need to look like if we want at least some HTML to not be encoded?
  
• One option is simply stripping unwanted data. For example with phone numbers we may wrap that in a preg_replace() that filters anything that is not '(', ')', ' ', '-', '+','[0-9]' and maybe 'x' or '/' for indicating extension numbers. We only have certain kinds of data, so it seems reasonable to have a handful of functions in the security_helper to properly filter these kinds of values without mangling the text. It also makes sense to use the 2nd parameter of getGet() and getPost() where it doesn't mangle text since those are already written. In places we want some HTML tags to be allowed (such as descriptions and attribute text) perhaps using something like https://github.com/ezyang/htmlpurifier rather than strip_tags() would be a good approach.
  

When using an HTMX query, I create a 404 error from PageNotFoundException. At the same time, instead of an HTML response, I get JSON.
Is this how it's planned or am I doing something wrong?

After update from 4.4.7 to 4.5 i got erros when i POSST data via AJAX, and validate data with custom function like



public function validateRange (int $number): bool {
return ($number > 5 && $number < 10);
}

before it worked properly i got by POST variable number

["number "]=>
string(1) "7"


but now i got " Argument #1 ($number) must be of type int, string given"

How prevent it, instead converting all data before validation?
is bug of 4.5 version CI?

Or is it possible auto convert POST data to exact type of data?

Hi 
CURLRequest class, function sendRequest does not return curl_getinfo($ch). And he should. The question is whether it is possible to extend the CURLRequest class. If so, how?

We have released v4.5.0 with many enhancements!

v4.5.0 is a minor upgrade. It includes enhancements and bug fixes.
It requires PHP 8.1 or later.

Unfortunately, there are many breaking changes in v4.5.0,
However, many users will be unaffected by most of the breaking changes.
All of these changes provide more appropriate behavior.

But a few breaking changes break your apps, so please upgrade with caution.
Read ChangeLog and Upgrading Guide carefully.
At least, you must update public/index.php and spark file.

Also, many deprecated items have been removed. So if you have deprecated code in your apps,
they may be broken.

And some of the default Config values in the Config files have changed, but Config files are not updated automatically. 
It is recommended to update Config values.

This release contains over 30 enhancements. A few things I would like to highlight:
- CORS filter
- The spark optimize command for performance improvement on production environment
- New property Model::$updateOnlyChanged to avoid “There is no data to update” error
- The spark lang:find command to update translations keys

You can see the list of enhancements in https://codeigniter4.github.io/userguide...0.html#id9

ChangeLog: https://codeigniter4.github.io/userguide...4.5.0.html
Upgrading Guide: https://codeigniter4.github.io/userguide...e_450.html

Note: Unfortunately now the User Guide on the official site is not yet updated due to the deployment trouble.

We have released v4.4.8 bug fix.

This would be the last version of 4.4.x and the last version to support PHP 7.4.

If you still use PHP 7.4 that is not supported by the PHP Group, we strongly recommend to upgrade to PHP 8.1 or later immediately.

Very soon we will release v4.5.0, which requires PHP 8.1 or later.

This release has one breaking change. Most users will not be affected, but please check the changelog.

ChangeLog: https://codeigniter4.github.io/userguide...4.4.8.html
Upgrading Guide: https://codeigniter4.github.io/userguide...e_448.html

Note: Unfortunately now the User Guide on the official site is not yet updated due to the deployment trouble.

Hello,
I've noticed there are two different sources for downloading CodeIgniter 4.x.
The first source is the official website: https://codeigniter.com/download. Here, the current version is listed as 4.4.7. However, if you download from this link, the CI_VERSION is set to '4.4.6'.
The second source is GitHub: https://github.com/codeigniter4/CodeIgni...tag/v4.4.7. If you download from here, you'll get the latest version, 4.4.7, but it includes additional files such as 'psalm-baseline.xml'.
Which source should I use for the download?
Thanks.