官术网_书友最值得收藏!

Security considerations

Whatever you are programming, your two main priorities are security and maintainability; this is to say that your application should be as secure as is necessary and should be written in such a way that someone else can easily program and extend on what you're doing. I can't discuss maintainability—that's up to you—but I can give you guidance on CodeIgniter and security.

However, I should say that no security is 100 percent foolproof. Even banks and security agencies that spend hundreds of millions on systems still get hacked, so what chance do we have? Well, the best we can do is try to reduce the opportunity that someone might do something that could compromise our code or database.

Moving the system folder

You should move your system folder out of your web root. This is to make it as hard as possible for anything other than the web server to access. Take a look at the line in the main index.php file:

$system_path = 'system';

Make sure that you amend the preceding line to this:

$system_path = '../system';

So, if we moved the system folder out of the web root one level higher, we would use the../ convention, prepending it to system.

Error messages

Obviously you don't want to actually display error messages to the outside world. Over time, everyone will gain an understanding of the architecture of your site and where its weaknesses are, especially if you allow SQL errors to be displayed in a production environment.

For this reason, you should change the environment variable in the main index.php file from development to production. This will suppress the reporting errors; 404 and 500 errors will still be caught and displayed normally but SQL errors and other similar errors will be suppressed.

For this, look at the following code in the index.php file:

define('ENVIRONMENT', 'development');
/*
 *---------------------------------------------------------------
 * ERROR REPORTING
 *---------------------------------------------------------------
 *
 * Different environments will require different levels of error reporting.
 * By default development will show errors but testing and live will hide them.
 */

if (defined('ENVIRONMENT'))
{
  switch (ENVIRONMENT)
  {
    case 'development':
      error_reporting(E_ALL);
    break;

    case 'testing':
    case 'production':
      error_reporting(0);
    break;

    default:
      exit('The application environment is not set correctly.');
  }
}

Look at the line in bold (the first line). This line has set CodeIgniter to run in development mode; to change to anything else (specifically, a live mode), change the line in bold to the following:

define('ENVIRONMENT', 'production');

All errors will now be suppressed.

Query binding

Query binding is a good idea; it makes your queries easier to read; queries that use the CodeIgniter binding are automatically escaped, leading to more secure queries. The syntax is simple; for example, consider the following query:

$query = "SELECT * FROM `users` WHERE user_email = ? AND user_level = ?";

Look at the end of the query; you can see that we use a question mark where we would normally use a variable; this is something that would normally look like this:

$query = "SELECT * FROM `users` WHERE user_email = $user_email AND user_level = $user_level";

How does CodeIgniter know what the question mark means, and how does CodeIgniter put the correct value in the query? Take a look at this second line:

$this->db->query($query, array($user_email, $user_level));

This is how it matches the value to the correct question mark. We use the $this->db->query()CodeIgniter function, passing to it two arguments. The first is the $query variable (containing the actual query), and the second is an array. Each position in the array matches the position of the question marks in the SQL string.

主站蜘蛛池模板: 胶州市| 公安县| 滦南县| 大洼县| 元氏县| 屏边| 永济市| 色达县| 亳州市| 正定县| 德安县| 大埔区| 东台市| 苍梧县| 连山| 南岸区| 阳原县| 龙江县| 吉木萨尔县| 龙川县| 察雅县| 温州市| 姜堰市| 肥东县| 雷州市| 梧州市| 南昌县| 墨脱县| 团风县| 夏津县| 泗水县| 香河县| 若尔盖县| 昌江| 义马市| 江都市| 岳普湖县| 连州市| 贵德县| 麻江县| 富锦市|