CodeIgniter User Guide Version 2.2.0


This page describes some "best practices" regarding web security, and details CodeIgniter's internal security features.

URI Security

CodeIgniter is fairly restrictive regarding which characters it allows in your URI strings in order to help minimize the possibility that malicious data can be passed to your application. URIs may only contain the following:


During system initialization all global variables are unset, except those found in the $_GET, $_POST, and $_COOKIE arrays. The unsetting routine is effectively the same as register_globals = off.


In production environments, it is typically desirable to disable PHP's error reporting by setting the internal error_reporting flag to a value of 0. This disables native PHP errors from being rendered as output, which may potentially contain sensitive information.

Setting CodeIgniter's ENVIRONMENT constant in index.php to a value of 'production' will turn off these errors. In development mode, it is recommended that a value of 'development' is used. More information about differentiating between environments can be found on the Handling Environments page.


The magic_quotes_runtime directive is turned off during system initialization so that you don't have to remove slashes when retrieving data from your database.

Best Practices

Before accepting any data into your application, whether it be POST data from a form submission, COOKIE data, URI data, XML-RPC data, or even data from the SERVER array, you are encouraged to practice this three step approach:

  1. Filter the data as if it were tainted.
  2. Validate the data to ensure it conforms to the correct type, length, size, etc. (sometimes this step can replace step one)
  3. Escape the data before submitting it into your database.

CodeIgniter provides the following functions to assist in this process: