官术网_书友最值得收藏!

Security considerations

Whatever you are programming, your two main priorities are security and maintainability; this is to say that your application should be as secure as is necessary and should be written in such a way that someone else can easily program and extend on what you're doing. I can't discuss maintainability—that's up to you—but I can give you guidance on CodeIgniter and security.

However, I should say that no security is 100 percent foolproof. Even banks and security agencies that spend hundreds of millions on systems still get hacked, so what chance do we have? Well, the best we can do is try to reduce the opportunity that someone might do something that could compromise our code or database.

Moving the system folder

You should move your system folder out of your web root. This is to make it as hard as possible for anything other than the web server to access. Take a look at the line in the main index.php file:

$system_path = 'system';

Make sure that you amend the preceding line to this:

$system_path = '../system';

So, if we moved the system folder out of the web root one level higher, we would use the../ convention, prepending it to system.

Error messages

Obviously you don't want to actually display error messages to the outside world. Over time, everyone will gain an understanding of the architecture of your site and where its weaknesses are, especially if you allow SQL errors to be displayed in a production environment.

For this reason, you should change the environment variable in the main index.php file from development to production. This will suppress the reporting errors; 404 and 500 errors will still be caught and displayed normally but SQL errors and other similar errors will be suppressed.

For this, look at the following code in the index.php file:

define('ENVIRONMENT', 'development');
/*
 *---------------------------------------------------------------
 * ERROR REPORTING
 *---------------------------------------------------------------
 *
 * Different environments will require different levels of error reporting.
 * By default development will show errors but testing and live will hide them.
 */

if (defined('ENVIRONMENT'))
{
  switch (ENVIRONMENT)
  {
    case 'development':
      error_reporting(E_ALL);
    break;

    case 'testing':
    case 'production':
      error_reporting(0);
    break;

    default:
      exit('The application environment is not set correctly.');
  }
}

Look at the line in bold (the first line). This line has set CodeIgniter to run in development mode; to change to anything else (specifically, a live mode), change the line in bold to the following:

define('ENVIRONMENT', 'production');

All errors will now be suppressed.

Query binding

Query binding is a good idea; it makes your queries easier to read; queries that use the CodeIgniter binding are automatically escaped, leading to more secure queries. The syntax is simple; for example, consider the following query:

$query = "SELECT * FROM `users` WHERE user_email = ? AND user_level = ?";

Look at the end of the query; you can see that we use a question mark where we would normally use a variable; this is something that would normally look like this:

$query = "SELECT * FROM `users` WHERE user_email = $user_email AND user_level = $user_level";

How does CodeIgniter know what the question mark means, and how does CodeIgniter put the correct value in the query? Take a look at this second line:

$this->db->query($query, array($user_email, $user_level));

This is how it matches the value to the correct question mark. We use the $this->db->query()CodeIgniter function, passing to it two arguments. The first is the $query variable (containing the actual query), and the second is an array. Each position in the array matches the position of the question marks in the SQL string.

主站蜘蛛池模板: 绵阳市| 甘洛县| 汾西县| 泸定县| 内丘县| 丰镇市| 渭南市| 普兰县| 双桥区| 札达县| 百色市| 澄迈县| 清流县| 西青区| 马龙县| 伊川县| 邢台县| 尼木县| 济源市| 文安县| 江城| 镇沅| 安图县| 封丘县| 易门县| 铜鼓县| 达日县| 巨野县| 兴文县| 抚顺县| 饶平县| 松潘县| 大姚县| 勃利县| 河南省| 汝城县| 五原县| 海林市| 莲花县| 利辛县| 襄城县|