Many functions now return NULL instead of FALSE on missing items.
Step
10: Many functions now return NULL instead of FALSE on
missing items
Many methods and functions now return NULL
instead of FALSE when the required items don’t exist:
o config_item()
o
config->item()
o
config->slash_item()
o
input->get()
o
input->post()
o
input->get_post()
o
input->cookie()
o
input->server()
o
input->input_stream()
o
input->get_request_header()
o
session->userdata()
o
session->flashdata()
o
uri->segment()
o
uri->rsegment()
o
element()
o
elements()
Step
11: Usage of XSS filtering
Many functions in CodeIgniter allow you to
use its XSS filtering feature on demand by passing a boolean parameter. The
default value of that parameter used to be boolean FALSE, but it is now changed
to NULL and it will be dynamically determined by
your $config['global_xss_filtering'] value.
If you used to manually pass a boolean
value for the $xss_filter parameter or if you’ve always
had $config['global_xss_filtering'] set to FALSE, then this change
doesn’t concern you.
Otherwise however, please review your usage
of the following functions:
o
input->get()
o
input->post()
o
input->get_post()
o
input->cookie()
o
input->server()
o
input->input_stream()
Important: Another related change is that
the $_GET, $_POST, $_COOKIE and $_SERVER superglobals are no longer automatically
overwritten when global XSS filtering is turned on.
Step
12: Check for potential XSS issues with URIs
The URI Library used to
automatically convert a certain set of “programmatic characters” to HTML
entities when they are encountered in a URI segment.
This was aimed at providing some automatic
XSS protection, in addition to
the $config['permitted_uri_chars'] setting, but has proven to be
problematic and is now removed in CodeIgniter 3.0.
If your application has relied on this
feature, you should update it to filter URI segments through $this->security->xss_clean() whenever you
output them.
Step
13: Check for usage of the ‘xss_clean’ Form validation rule
A largely unknown rule about XSS cleaning is that it should only be applied
to output, as opposed to input data.
We’ve made that mistake ourselves with our
automatic and global XSS cleaning feature (see previous step about XSS above),
so now in an effort to discourage that practice, we’re also removing ‘xss_clean’ from the officially supported list of form validation rules.
Because the Form Validation library generally validates input data,
the ‘xss_clean’ rule simply doesn’t belong in
it.
If you really, really need to apply that
rule, you should now also load the Security Helper, which contains xss_clean() as
a regular function and therefore can be also used as a validation rule.
Step
14: Update usage of Input Class’s get_post() method
Previously, the Input Class method get_post() was searching first in POST data, then in GET
data. This method has been modified so that it searches in GET then in POST, as
its name suggests.
A method has been added, post_get(), which searches in POST then in GET, as get_post() was
doing before.
Step 15:
Update usage of Directory Helper’s directory_map() function
In the resulting array, directories now end
with a trailing directory separator (i.e. a slash, usually).
Step
16: Update usage of Database Forge’s drop_table() method
Up until now, drop_table() added an IF
EXISTS clause by default or it didn’t work at all with some drivers. In
CodeIgniter 3.0, the IF EXISTS condition is no longer added by default and has
an optional second parameter that allows that instead and is set to FALSE by
default.
If your application relies on IF EXISTS,
you’ll have to change its usage.
// Now produces just DROP TABLE `table_name`
$this->dbforge->drop_table('table_name');
// Produces DROP TABLE IF EXISTS `table_name`
$this->dbforge->drop_table('table_name', TRUE);
Note: The given example uses MySQL-specific syntax, but it should work across all drivers with the exception of ODBC.
Step
17: Change usage of Email library with multiple emails
The Email Library will automatically clear the set parameters after successfully
sending emails. To override this behaviour, pass FALSE
as the first parameter in the send()method:
if ($this->email->send(FALSE))
{
// Parameters won't be cleared
}
Step
18: Update your Form_validation language lines
Two improvements have been made to
the Form Validation Library‘s language files and error messages format:
v Language Library line keys now must be prefixed with form_validation_ in
order to avoid collisions:
// Old
$lang['rule'] = ...
// New
$lang['form_validation_rule'] = ...
v
The error messages
format has been changed to use named parameters, to allow more flexibility than
what sprintf() offers:
// Old
'The %s field does not match the %s field.'
// New
'The {field} field does not match the {param} field.'
Note: The old formatting still works, but the non-prefixed line keys are DEPRECATED and scheduled for removal in CodeIgniter 3.1+. Therefore you’re encouraged to update its usage sooner rather than later.
Step
19: Make sure your ‘base_url’ config value is not empty
When $config['base_url'] is not
set, CodeIgniter tries to automatically detect what your website’s base URL is.
This is done purely for convenience when you are starting development of a new
application.
Auto-detection is never reliable and also
has security implications, which is why you should always have
it manually configured!
One of the changes in CodeIgniter 3.0.3 is
how this auto-detection works, and more specifically it now falls back to the
server’s IP address instead of the hostname requested by the client. Therefore,
if you’ve ever relied on auto-detection, it will change how your website works
now.
In case you need to allow e.g. multiple domains,
or both http:// and https:// prefixes to be
dynamically used depending on the request, remember that application/config/config.php is still a PHP
script
$allowed_domains = array('domain1.tld', 'domain2.tld');
$default_domain = 'domain1.tld';
if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE))
{
$domain = $_SERVER['HTTP_HOST'];
}
else
{
$domain = $default_domain;
}
if ( ! empty($_SERVER['HTTPS']))
{
$config['base_url'] = 'https://'.$domain;
}
else
{
$config['base_url'] = 'http://'.$domain;
}
Step 20:
Remove usage of (previously) deprecated functionalities
In addition to
the $autoload['core'] configuration setting, there’s a number of
other functionalities that have been removed in CodeIgniter 3.0.0:
v The
SHA1 library
The previously deprecated SHA1 library has
been removed, alter your code to use PHP’s native sha1() function to
generate a SHA1 hash.
v The
EXT constant
Usage of the EXT constant has
been deprecated since dropping support for PHP 4. There’s no longer a need to
maintain different filename extensions and in this new CodeIgniter version,
the EXT constant has been removed. Use just ‘.php’ instead.
v Smiley
helper
The Smiley Helper is a legacy feature from EllisLab’s ExpressionEngine product.
However, it is too specific for a general purpose framework like CodeIgniter
and as such it is now deprecated.
Also, the previously deprecated js_insert_smiley() (since version 1.7.2)
is now removed.
v The
Encrypt library
Following numerous vulnerability reports,
the Encrypt Library has been deprecated and a new, Encryption Library is added to take its place.
The new library requires either the MCrypt extension (and
/dev/urandom availability) or PHP 5.3.3 and the OpenSSL extension. While this might be rather
inconvenient, it is a requirement that allows us to have properly implemented
cryptographic functions.
v The
Cart library
The Cart Library, similarly to the Smiley Helper is too specific for CodeIgniter. It is now deprecated and
scheduled for removal in CodeIgniter 3.1+.
Note: The library is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v Database
drivers ‘mysql’, ‘sqlite’, ‘mssql’, ‘pdo/dblib’
The mysql driver utilizes the old ‘mysql’ PHP extension, known for its aging code base and many
low-level problems. The extension is deprecated as of PHP 5.5 and CodeIgniter
deprecates it in version 3.0, switching the default configured MySQL driver
to mysqli.
Please use either the ‘mysqli’ or ‘pdo/mysql’ drivers
for MySQL. The old ‘mysql’
driver will be removed at some point in the future.
The sqlite, mssql and pdo/dblib (also
known as pdo/mssql or pdo/sybase) drivers all
depend on PHP extensions that for different reasons no longer exist since PHP
5.3.
Therefore we are now deprecating these
drivers as we will have to remove them in one of the next CodeIgniter versions.
You should use the more advanced, sqlite3, sqlsrvor pdo/sqlsrv drivers
respectively.
Note: These drivers are still available,
but you’re strongly encouraged to switch to other ones sooner rather than
later.
v Security
helper do_hash()
Security Helper function do_hash() is now just
an alias for PHP’s native hash() function.
It is deprecated and scheduled for removal in CodeIgniter 3.1+.
Note:This function is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v The
$config[‘global_xss_filtering’] setting
As already explained above, XSS filtering should not be done on input data, but on
output instead. Therefore, the $config['global_xss_filtering'],
which automatically filters input data, is considered a bad practice and is now
deprecated.
Instead, you should manually escape any
user-provided data via the xss_clean() function when you need to output it,
or use a library like HTML Purifier that does that for you.
Note:The setting is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v File
helper read_file()
File Helper function read_file() is now
just an alias for PHP’s native file_get_contents() function. It is
deprecated and scheduled for removal in CodeIgniter 3.1+.
Note: This function is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v String
helper repeater()
String Helper function repeater() is now just an alias for PHP’s
native str_repeat() function. It is deprecated and scheduled for
removal in CodeIgniter 3.1+.
Note:This function is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v String
helper trim_slashes()
String Helper function trim_slashes() is now just an alias for PHP’s
native trim() function (with a slash passed as its second argument).
It is deprecated and scheduled for removal in CodeIgniter 3.1+.
Note: This function is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v Form
helper form_prep()
Form Helper function form_prep() is now just an alias for common function html_escape().
It is deprecated and will be removed in the future.
Please use html_escape() instead.
Note: This function is still available, but
you’re strongly encouraged to remove its usage sooner rather than later.
v Email
helper functions
Email Helper only has two functions
Both of them are now aliases for PHP’s
native filter_var() and mail() functions, respectively.
Therefore the Email Helper altogether
is being deprecated and is scheduled for removal in CodeIgniter 3.1+.No
Note: These functions are still available,
but you’re strongly encouraged to remove their usage sooner rather than later.
v Date
helper standard_date()
Date
Helper function standard_date() is being deprecated due to the availability
of native PHP constants,
which when combined with date() provide the same functionality.
Furthermore, they have the exact same names as the ones supported by standard_date(). Here are examples of how to replace
its usage:
// Old way
standard_date(); // defaults to standard_date('DATE_RFC822', now());
// Replacement
date(DATE_RFC822, now());
// Old way
standard_date('DATE_ATOM', $time);
// Replacement
date(DATE_ATOM, $time);
Note: This function is still available, but you’re strongly encouraged to remove its usage sooner rather than later as it is scheduled for removal in CodeIgniter 3.1+.
v HTML
helpers nbs(), br()
HTML Helper functions nbs() and br() are
just aliases for the native str_repeat() function used with and <br > respectively.
Because
there’s no point in just aliasing native PHP functions, they are now deprecated
and scheduled for removal in CodeIgniter 3.1+.
Note: These
functions are still available, but you’re strongly encouraged to remove their
usage sooner rather than later.
v Pagination
library ‘anchor_class’ setting
The Pagination Library now supports adding pretty much any HTML
attribute to your anchors via the ‘attributes’ configuration setting. This
includes passing the ‘class’ attribute and using the separate ‘anchor_class’
setting no longer makes sense. As a result of that, the
‘anchor_class’ setting is now deprecated and scheduled for removal in
CodeIgniter 3.1+.
Note:This
setting is still available, but you’re strongly encouraged to remove its usage
sooner rather than later.
v String
helper random_string() types ‘unique’ and ‘encrypt’
When using
the String Helper function random_string(), you should no longer pass the unique and encrypt randomization
types. They are only aliases for md5 and sha1respectively
and are now deprecated and scheduled for removal in CodeIgniter 3.1+.
Note:These
options are still available, but you’re strongly encouraged to remove their
usage sooner rather than later.
v URL
helper url_title() separators ‘dash’ and ‘underscore’
When
using the URL Helper function url_title(), you should no longer pass dash or underscore as the
word separator. This function will now accept any character and you should just
pass the chosen character directly, so you should write ‘-‘ instead of ‘dash’
and ‘_’ instead of ‘underscore’.
dash and underscore now act
as aliases and are deprecated and scheduled for removal in CodeIgniter 3.1+.
Note:These
options are still available, but you’re strongly encouraged to remove their
usage sooner rather than later.
v Session
Library method all_userdata()
As seen
in the Change Log, Session Library method userdata() now allows you to fetch all userdata by
simply omitting its parameter:
$this->session->userdata();
This
makes the all_userdata() method redudant and therefore it is now
just an alias for userdata() with the above shown usage and is being
deprecated and scheduled for removal in CodeIgniter 3.1+.
Note: This
method is still available, but you’re strongly encouraged to remove its usage
sooner rather than later.
v Database
Forge method add_column() with an AFTER clause
If you
have used the third parameter for Database Forge method add_column() to add a field for an AFTER clause, then
you should change its usage.
That
third parameter has been deprecated and scheduled for removal in CodeIgniter
3.1+.
You
should now put AFTER clause field names in the field definition array instead:
// Old usage:
$field = array(
'new_field' => array('type' => 'TEXT')
);
$this->dbforge->add_column('table_name', $field, 'another_field');
// New usage:
$field = array(
'new_field' => array('type' => 'TEXT', 'after' => 'another_field')
);
$this->dbforge->add_column('table_name', $field);
The parameter is still available, but you’re strongly encouraged to remove its usage sooner rather than later.
Note: This is for MySQL and CUBRID databases only! Other drivers don’t support this clause and will silently ignore it.
v URI
Routing methods fetch_directory(), fetch_class(), fetch_method()
With
properties CI_Router::$directory, CI_Router::$class and CI_Router::$method being public and their
respective fetch_*() no longer doing anything else
to just return the properties - it doesn’t make sense to keep them.
Those are all internal, undocumented
methods, but we’ve opted to deprecate them for now in order to maintain
backwards-compatibility just in case. If some of you have utilized them, then
you can now just access the properties instead:
$this->router->directory;
$this->router->class;
$this->router->method;
Note: Those methods are still available, but you’re strongly encouraged to remove their usage sooner rather than later.
v Input
library method is_cli_request()
Calls to the CI_Input::is_cli_request() method are necessary at many
places in the CodeIgniter internals and this is often before the Input Library is loaded. Because of that, it is being
replaced by a common function named is_cli() and this method is now just an alias.
The new
function is both available at all times for you to use and shorter to type.
// Old
$this->input->is_cli_request();
// New
is_cli();
CI_Input::is_cli_request() is now now deprecated and scheduled for
removal in CodeIgniter 3.1+.
Mote:This
method is still available, but you’re strongly encouraged to remove its usage
sooner rather than later.
v Config
library method system_url()
Usage
of CI_Config::system_url() encourages insecure coding
practices. Namely, your CodeIgniter system/ directory shouldn’t be
publicly accessible from a security point of view.
Because
of this, this method is now deprecated and scheduled for removal in CodeIgniter
3.1+.
This
method is still available, but you’re strongly encouraged to remove its usage
sooner rather than later.
v The
Javascript library
The Javascript Library has always had an ‘experimental’ status and
was never really useful, nor a proper solution.
It is now deprecated and
scheduled for removal in CodeIgniter 3.1+.
This
library is still available, but you’re strongly encouraged to remove its usage
sooner rather than later.
Step
21: Check your usage of Text helper highlight_phrase()
The default HTML tag
used by Text Helper function highlight_phrase() has been changed from <strong> to the new HTML5 tag <mark>.
Unless
you’ve used your own highlighting tags, this might cause trouble for your
visitors who use older web browsers such as Internet Explorer 8. We therefore
suggest that you add the following code to your CSS files in order to avoid
backwards compatibility with old browsers:
mark {
background: #ff0;
color: #000;
};
0 comments:
Post a Comment