Security questions
#1

[eluser]obobo[/eluser]
I'm just wrapping up my first project using CI, and have a couple of security related questions ...

include()
In a couple of situations I've used PHP's include() rather than $this->load->view() to create nested views. Does this have any security implications?

QUERY STRINGS
In order to get a scriptaculous ajax script to work I needed to use query strings for one URL rather than POST, which means I've had to enable query strings in the config file. I have read in several places that one of the security features of CI is that it only uses POST. Should I be worried about enabling query strings?

any insights appreciated.
#2

[eluser]Seppo[/eluser]
[quote author="obobo" date="1208114112"]
include()
In a couple of situations I've used PHP's include() rather than $this->load->view() to create nested views. Does this have any security implications?
[/quote]

I don't think it has security implications, although it's bad practice.

[quote author="obobo" date="1208114112"]QUERY STRINGS
In order to get a scriptaculous ajax script to work I needed to use query strings for one URL rather than POST, which means I've had to enable query strings in the config file. I have read in several places that one of the security features of CI is that it only uses POST. Should I be worried about enabling query strings?[/quote]

Enabling query strings probably breaks all the controller/method URLs... Instead you have to use GET parameters (the defaults are "c" for controller and "m" for method).
Take a look here (at the bottom) to see the implications.
#3

[eluser]xwero[/eluser]
Enabling query strings doesn't break path_info URLs. If you do enable query strings you'd best set the uri_protocol to PATH_INFO, because the AUTO setting removes the first key-value pair if there is only one pair.

For security, if you have query strings enabled you have to validate the GET variables.
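As an added illustration of xwero's point (this is example code written for this thread, not code from any of the posters or from CodeIgniter itself), here is the config change being discussed next to a controller that treats every GET parameter as untrusted. It assumes a CodeIgniter 2.x/3.x layout (`CI_Controller`, `$this->input->get()`, Active Record); the controller name, view path and table are hypothetical.

```php
<?php
// application/config/config.php (fragment, the settings this thread talks about)
// $config['enable_query_strings'] = TRUE;
// $config['uri_protocol']         = 'PATH_INFO';  // avoids the AUTO quirk xwero describes
// $config['controller_trigger']   = 'c';
// $config['function_trigger']     = 'm';

// application/controllers/search.php (hypothetical controller)
class Search extends CI_Controller
{
    // Whitelist, not blacklist: only these columns may ever reach ORDER BY.
    private $allowed_sort = array('title', 'created');

    public function items()
    {
        // Cast to int; anything non-numeric becomes 0 and is rejected below.
        $page = (int) $this->input->get('page');
        if ($page < 1) {
            $page = 1;
        }

        // Strict whitelist check: this value becomes part of the SQL text,
        // so a loose check here is exactly what makes GET parameters risky.
        $sort = $this->input->get('sort');
        if ( ! in_array($sort, $this->allowed_sort, TRUE)) {
            $sort = 'created';
        }

        // Free text: bound by Active Record, never interpolated; length-limited.
        $q = (string) $this->input->get('q');
        if (strlen($q) > 100) {
            show_error('Query too long', 400);
            return;
        }

        $this->db->like('title', $q);
        $this->db->order_by($sort, 'asc');
        $this->db->limit(20, ($page - 1) * 20);
        $rows = $this->db->get('items')->result();

        // Escape $q with htmlspecialchars() in the view before echoing it back.
        $this->load->view('search/items', array('rows' => $rows, 'q' => $q));
    }
}
```

The point is that nothing about POST was protecting the original code; the same checks (cast, whitelist, bound query, escaped output) are what you need whichever way the value arrives.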
#4

[eluser]Seppo[/eluser]
[quote author="xwero" date="1208115358"]Enabling query strings doesn't break path_info URLs. If you do enable query strings you'd best set the uri_protocol to PATH_INFO, because the AUTO setting removes the first key-value pair if there is only one pair.[/quote]Cool. I didn't know that.
#5

[eluser]xwero[/eluser]
I found it out after I made a core patch to work with the query strings :) I thought the same thing as you because of the user guide, so they should be more clear.
#6

[eluser]obobo[/eluser]
Thanks for the replies.

Quote:Enabling query strings doesn’t break path_info urls.
Yeah ... I'm using the controller/method style URLs for everything else on my site except that one scriptaculous ajax script, which for some reason doesn't work if I send it anything except a query string (which is strange because everything else in scriptaculous works with POST).

Quote:I don’t think it has security implications, although it’s bad practice.
Why is using include() considered bad practice? Should I be trying harder to get the nested views to work without include()?
(I was having problems getting variables to pass from one view to another)

thanks again.
#7

[eluser]xwero[/eluser]
If you have nested views it's better you extend the controller to add the base layout or you use a template library or even a modular library.
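To make xwero's "extend the controller to add the base layout" suggestion concrete, here is an added example (not code from xwero or from CodeIgniter) of a base controller that renders a content view inside a layout, passing data explicitly rather than relying on include() to share scope. It assumes CodeIgniter 2.x/3.x file locations (`application/core/MY_Controller.php`, `CI_Controller`); the view names and the `Articles` controller are hypothetical, and the view file is shown as a comment because it is a separate file.

```php
<?php
// application/core/MY_Controller.php (in CI 1.x this would live in application/libraries/)
class MY_Controller extends CI_Controller
{
    protected $layout = 'layouts/main';   // hypothetical layout view

    // Render $view inside the base layout. $data is handed to both views on
    // purpose: with include() it is easy to lose track of what a nested view sees.
    protected function render($view, array $data = array())
    {
        // Third argument TRUE returns the rendered view as a string instead of
        // sending it to the browser, which is what lets views nest cleanly.
        $data['content'] = $this->load->view($view, $data, TRUE);
        $this->load->view($this->layout, $data);
    }
}

// application/controllers/articles.php (hypothetical)
class Articles extends MY_Controller
{
    public function show($id)
    {
        $data = array(
            'title'   => 'Article ' . (int) $id,
            // A partial rendered the same way, so its variables are explicit too.
            'sidebar' => $this->load->view('partials/sidebar', array(), TRUE),
        );
        $this->render('articles/show', $data);
    }
}

// application/views/layouts/main.php (separate file):
// <html><head><title><?php echo htmlspecialchars($title); ?></title></head>
// <body><?php echo $sidebar; ?><div id="main"><?php echo $content; ?></div></body></html>
```

Every variable a view uses is visible in the controller that calls render(), which answers the "variables not passing from one view to another" problem from earlier in the thread without reaching for include().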
#8

[eluser]obobo[/eluser]
xwero ... can you elaborate a bit on what you mean by 'extend the controller to add the base layout'?
