Security questions
[eluser]obobo[/eluser]
I'm just wrapping up my first project using CI, and have a couple of security related questions ...

include()
In a couple of situations I've used PHP's include() rather than $this->load->view() to create nested views. Does this have any security implications?

QUERY STRINGS
In order to get a scriptaculous ajax script to work I needed to use query strings for one url rather than POST - which means I've had to enable query strings in the config file. I have read in several places that one of the security features of CI is that it only uses POST. Should I be worried about enabling query strings?

Any insights appreciated.
[eluser]Seppo[/eluser]
[quote author="obobo" date="1208114112"]include() In a couple of situations I've used PHP's include() rather than $this->load->view() to create nested views. Does this have any security implications?[/quote]
I don't think it has security implications, although it's bad practice.

[quote author="obobo" date="1208114112"]QUERY STRINGS In order to get a scriptaculous ajax script to work I needed to use query strings for one url rather than POST - which means I've had to enable query strings in the config file. I have read in several places that one of the security features of CI is that it only uses POST. Should I be worried about enabling query strings?[/quote]
Enabling query strings probably breaks all the controller/method urls... Instead you have to use GET parameters (defaults are "c" for controller and "m" for method). Take a look here (at the bottom) to see the implications.
[eluser]xwero[/eluser]
Enabling query strings doesn't break path_info urls. If you do enable query strings, you'd best set the uri_protocol to PATH_INFO, because the AUTO setting removes the first key-value pair if there is only one pair. For security, if you have query strings enabled you have to validate the GET variables.
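As an added illustration of the "validate the GET variables" point (example code, not from anyone in this thread): an AJAX controller that reads its parameters from the query string but checks each one against an exact allow-list before use, and rejects the request otherwise. It assumes CodeIgniter 1.6+ (so `$this->input->get()` exists) with `enable_query_strings` on and `uri_protocol` set to `PATH_INFO`; the controller, model, method and parameter names are hypothetical.

```php
<?php
// Added example (not from the thread): a query-string AJAX endpoint whose
// parameters are validated against strict rules before anything uses them.
// Assumes CodeIgniter 1.6+ ($this->input->get() available) and, in config.php:
//   $config['enable_query_strings'] = TRUE;
//   $config['uri_protocol']         = 'PATH_INFO';
// Controller, model and parameter names are hypothetical.

class Ajax extends Controller
{
    public function __construct()
    {
        // CI 1.x base controller uses a PHP4-style constructor.
        parent::Controller();
    }

    // Requested as /ajax/sort_items?id=42&dir=asc
    public function sort_items()
    {
        // The second argument runs CI's XSS filter. Filtering is not validation:
        // every value is still checked for its exact expected shape below.
        $id  = $this->input->get('id', TRUE);   // FALSE when absent
        $dir = $this->input->get('dir', TRUE);

        $errors = self::validate_sort_params($id, $dir);
        if (!empty($errors)) {
            // Refuse the request outright rather than continuing with a
            // partially trusted value.
            header('HTTP/1.1 400 Bad Request');
            header('Content-Type: application/json');
            echo json_encode(array('errors' => $errors));
            return;
        }

        // Only validated, typed values reach the model (hypothetical model).
        $this->load->model('item_model');
        $items = $this->item_model->sorted((int) $id, $dir);

        header('Content-Type: application/json');
        echo json_encode($items);
    }

    // Pure validation helper, kept free of request state so the rules can be
    // exercised on their own. Returns a list of error messages (empty = valid).
    public static function validate_sort_params($id, $dir)
    {
        $errors = array();

        // Numeric id: digits only and bounded so it fits an INT column.
        if ($id === FALSE || !ctype_digit((string) $id) || strlen($id) > 9) {
            $errors[] = 'id must be a positive integer';
        }

        // Sort direction: exact allow-list with strict comparison, so an
        // arbitrary string can never be passed through to a query.
        if (!in_array($dir, array('asc', 'desc'), TRUE)) {
            $errors[] = 'dir must be asc or desc';
        }

        return $errors;
    }
}
```

The same pattern applies to the `c`/`m` trigger parameters Seppo mentions if you route through them: treat every query-string value as untrusted input with a fixed expected shape, and let the request fail when it does not match.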
[eluser]Seppo[/eluser]
[quote author="xwero" date="1208115358"]Enabling query strings doesn't break path_info urls. If you do enable query string you best set the uri_protocol to PATH_INFO because the AUTO setting removes the first key-value pair if there is only one pair.[/quote]
Cool. I didn't know that.
[eluser]xwero[/eluser]
I found it out after I made a core patch to work with the query strings. I thought the same thing as you because of the user guide, so they should be more clear.
[eluser]obobo[/eluser]
Thanks for the replies.

[quote author="xwero"]Enabling query strings doesn't break path_info urls.[/quote]
Yeah ... I'm using the controller/method style urls for everything else on my site except that one scriptaculous ajax script, which for some reason doesn't work if I send it anything except a query string (which is strange because everything else in scriptaculous works with POST).

[quote author="Seppo"]I don't think it has security implications, although it's bad practice.[/quote]
Why is using include() considered bad practice? Should I be trying harder to get the nested views to work without include()? (I was having problems getting variables to pass from one view to another.)

Thanks again.
[eluser]xwero[/eluser]
If you have nested views, it's better to extend the controller to add the base layout, or to use a template library or even a modular library.
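One way to do the "extend the controller to add the base layout" approach, as an added example that is not code from anyone in this thread: a base controller with a `render()` helper that wraps any page view in a shared layout, with partials composed through `$this->load->view()` so every view receives its data explicitly instead of sharing scope through include(). It assumes CodeIgniter 1.x, where a `MY_Controller` class placed in `application/libraries/MY_Controller.php` is loaded automatically; the view, variable and method names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes CodeIgniter 1.x:
// application/libraries/MY_Controller.php is picked up automatically and
// $this->load->view() with a third argument of TRUE returns the rendered
// string instead of echoing it. All view and variable names are hypothetical.

// ---- application/libraries/MY_Controller.php ----
class MY_Controller extends Controller
{
    public function __construct()
    {
        parent::Controller();
    }

    // Render $view inside a layout. $data is passed on explicitly, so the page
    // view and the layout each see only what they are given (unlike include(),
    // which inherits whatever happens to be in the calling scope).
    protected function render($view, $data = array(), $layout = 'layouts/base')
    {
        $content = $this->load->view($view, $data, TRUE);

        $this->load->view($layout, array(
            'title'   => isset($data['title']) ? $data['title'] : 'Untitled',
            'content' => $content,
        ));
    }
}

// ---- application/controllers/items.php ----
class Items extends MY_Controller
{
    public function index()
    {
        // Constructed sample data standing in for a model call.
        $items = array(
            array('id' => 1, 'name' => 'Widget'),
            array('id' => 2, 'name' => '<script>alert(1)</script>'),
        );

        $this->render('items/list', array(
            'title' => 'Items',
            'items' => $items,
        ));
    }
}

// ---- application/views/layouts/base.php ----
// <!DOCTYPE html>
// <html>
// <head><title><?php echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); ?></title></head>
// <body>
//   <?php echo $content; ?>   <!-- already-rendered HTML from the page view -->
// </body>
// </html>

// ---- application/views/items/list.php ----
// <ul>
// <?php foreach ($items as $item): ?>
//   <?php // nested partial: pass exactly the data it needs, nothing more
//         $this->load->view('items/row', array('item' => $item)); ?>
// <?php endforeach; ?>
// </ul>

// ---- application/views/items/row.php ----
// <li id="item-<?php echo (int) $item['id']; ?>">
//   <?php echo htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8'); ?>
// </li>
```

Because each partial is loaded with its own `$data` array, the variable-passing problem obobo mentions disappears: a nested view only has the variables it was given, and escaping happens at the point of output in each partial, so the second sample item renders as text rather than as a script tag.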
[eluser]obobo[/eluser]
xwero ... can you elaborate a bit on what you mean by 'extend the controller to add the base layout'?