CodeIgniter is a free PHP development framework. A commercial version named ExpressionEngine is available from the website.
Backup and restoration
21 September 2019 - 20MBChanges
- Changed CI_Log to append PHP_EOL instead of \n at the end of log messages.
- Improved performance in Cache Library ‘redis’ driver with non-scalar variables.
- Altered the Session Library ‘files’ driver to log error and trigger a session start failure instead of throwing an Exception in case of unusable $config['sess_save_path'].
- Updated the Session and Cache libraries’ ‘redis’ driver to work with phpRedis 5.
- Database Forge method modify_column() produced erroneous SQL for DEFAULT attribute changes under PostgreSQL, Firebird.
- Database Forge didn’t handle column nullability with the ‘oci8’, ‘pdo/oci’ drivers.
- Database driver ‘pdo/pgsql’ produced incorrect DSNs when constructing from a configuration array.
- Session Library ‘redis’ driver too often failed with locking-related errors that could’ve been avoided.
- Session Library triggered an E_WARNING message about changing session.save_path during an active session when it fails to obtain a lock.
- Fixed a bug where Session Library ‘database’ driver didn’t trigger a failure if it can’t obtain a lock.
- Form Validation Library rule valid_url accepted digit-only domains due to a PHP bug.
- Cache Library ‘redis’ driver methods increment(), decrement() ignored their $offset parameter.
- Session Library ‘redis’ only attempted to validate session IDs in case the connection to Redis failed.
- Database Results method custom_result_object() didn’t properly handle empty result sets, triggering E_WARNING messages on PHP 7.2+.
- Database Results method field_data() triggered an E_NOTICE error with PDO when a field type is not recognized by PHP.
- Query Builder method list_tables() triggered an SQL syntax error under MySQL when the database schema is a numeric string.
- Fixed a bug where Security Class would trigger an E_WARNING if CSRF inputs are arrays instead of strings.
Read more: https://codeigniter.com/user_guide/changelog.html
18 January 2019 - 10MB
- added 'ssl_verify' support to the 'pdo/mysql' Database driver
- renamed Inflector Helper function 'is_countable()' to 'word_is_countable()' due to the former colliding with one introduced in PHP 7.3.0
Read more: https://forum.codeigniter.com/thread-72626.html
12 June 2018 - 10MB3.1.9
- Updated the Email, Form Validation and Query builder libraries.
- Session library and URL helper
- Updated the Security, Email, and Database libraries; and the URL helper.
- Database, email, form validation, image manipulation, query builder, and xml-rpc libraries.
Read more: https://forum.codeigniter.com/thread-70877.html
5 March 2018 - 10MBHighlights
- Updated the Cache
- EmailForm Validation
- Loader and Pagination libraries
- Deprecated the CAPTCHA helper's create_captcha() function
- Query Builder and Session libraries
- URL helper
- $config['allow_get_array'] handling
Read more: https://forum.codeigniter.com/thread-69755.html
display more versions
22 February 2018 - 10MB3.1.6
- Updated the 'redis' and 'memcached' session drivers to reduce the potential for locking race conditions
- Deprecated the cache_apc driver
- Query Builder libraries
- Fixed email address handling in the form validation library
- Form helper
- Database Forge
- Email Query Builder
- XML-RPC libraries
- Inflector helper
- Fixed byte-safety handling in the encryption code, and a header injection
- Image library
- HTML Text & common functions helpers
- Updated the Query Builder and Profiler
- Fixed an email handling issue, and an XSS vulnerability, as well as some CSRF hardening
- File Uploading
- Image Manipulation
- Query Builder
- Date helper and the bootstrap file
- Fixed some xss_clean() vulnerabilities in the Security library
- Now allow PHP4 style constructors for routes
- Query Builder
- Session library
Read more: https://forum.codeigniter.com/thread-68991.html
24 August 2016 - 7MBThis release includes bug fixes for the Cache, Config, Database, Database Forge, Email, File Uploading, Form Validation, Image Manipulation, Input Library, Query Builder, Session, and User Agent libraries; as well as the file and path helpers, and some common functions. Enhancements have been made to the Database Forge, Encryption, Image Manipulation and Session libraries.
Read more: http://forum.codeigniter.com/thread-65803.html
15 March 2016 - 7MBCore
- Changed Loader Library to allow $autoload['drivers'] assigning with custom property names.
- Changed Loader Library to ignore variables prefixed with ‘_ci_’ when loading views.
- Updated the Session Library to produce friendlier error messages on failures with drivers other than ‘files’.
- Added a $batch_size parameter to the insert_batch() method (defaults to 100).
- Added a $batch_size parameter to the update_batch() method (defaults to 100).
Bug fixes for 3.0.5
- Fixed a bug (#4391) - Email Library method reply_to() didn’t apply Q-encoding.
- Fixed a bug (#4384) - Pagination Library ignored (possible) cur_page configuration value.
- Fixed a bug (#4395) - Query Builder method count_all_results() still fails if an ORDER BY condition is used.
- Fixed a bug (#4399) - Query Builder methods insert_batch(), update_batch() produced confusing error messages when called with no data and db_debug is enabled.
- Fixed a bug (#4401) - Query Builder breaks WHERE and HAVING conditions that use IN() with strings containing a closing parenthesis.
- Fixed a regression in Form Helper functions set_checkbox(), set_radio() where “checked” inputs aren’t recognized after a form submit.
- Fixed a bug (#4407) - Text Helper function word_censor() doesn’t work under PHP 7 if there’s no custom replacement provided.
- Fixed a bug (#4415) - Form Validation Library rule valid_url didn’t accept URLs with IPv6 addresses enclosed in square brackets under PHP 5 (upstream bug).
- Fixed a bug (#4427) - CAPTCHA Helper triggers an error if the provided character pool is too small.
- Fixed a bug (#4430) - File Uploading Library option file_ext_tolower didn’t work.
- Fixed a bug (#4431) - Query Builder method join() discarded opening parentheses.
- Fixed a bug (#4424) - Session Library triggered a PHP warning when writing a newly created session with the ‘redis’ driver.
- Fixed a bug (#4437) - Inflector Helper function humanize() didn’t escape its $separator parameter while using it in a regular expression.
- Fixed a bug where Session Library didn’t properly handle its locks’ statuses with the ‘memcached’ driver.
- Fixed a bug where Session Library triggered a PHP warning when writing a newly created session with the ‘memcached’ driver.
- Fixed a bug (#4449) - Query Builder method join() breaks conditions containing IS NULL, IS NOT NULL.
- Fixed a bug (#4491) - Session Library didn’t clean-up internal variables for emulated locks with the ‘redis’ driver.
- Fixed a bug where Session Library didn’t clean-up internal variables for emulated locks with the ‘memcached’ driver.
- Fixed a bug where Database transactions didn’t work with the ‘ibase’ driver.
- Fixed a bug (#4475) - Security Library method strip_image_tags() preserves only the first URL character from non-quoted src attributes.
- Fixed a bug where Profiler Library didn’t apply htmlspecialchars() to all displayed inputs.
- Fixed a bug (#4277) - Cache Library triggered fatal errors if accessing the Memcache(d) and/or Redis driver and they are not available on the system.
- Fixed a bug where Cache Library method is_supported() logged an error message on when it returns FALSE for the APC and Wincache drivers.
- Updated Security Library method get_random_bytes() to use PHP 7’s random_bytes() function when possible.
- Updated Encryption Library method create_key() to use PHP 7’s random_bytes() function when possible.
- Added support for OFFSET-FETCH with Oracle 12c for the ‘oci8’ and ‘pdo/oci’ drivers.
- Added support for the new MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT constant from PHP 5.6.16 for the ‘mysqli’ driver.
Bug fixes for 3.0.4
- Fixed a bug (#4212) - Query Builder method count_all_results() could fail if an ORDER BY condition is used.
- Fixed a bug where Form Helper functions set_checkbox(), set_radio() didn’t “uncheck” inputs on a submitted form if the default state is “checked”.
- Fixed a bug (#4217) - Config Library method base_url() didn’t use proper formatting for IPv6 when it falls back to $_SERVER['SERVER_ADDR'].
- Fixed a bug where CAPTCHA Helper entered an infinite loop while generating a random string.
- Fixed a bug (#4223) - Database method simple_query() blindly executes queries without checking if the connection was initialized properly.
- Fixed a bug (#4244) - Email Library could improperly use “unsafe” US-ASCII characters during Quoted-printable encoding.
- Fixed a bug (#4245) - Database Forge couldn’t properly handle SET and ENUM type fields with string values.
- Fixed a bug (#4283) - String Helper function alternator() couldn’t be called without arguments.
- Fixed a bug (#4306) - Database method version() didn’t work properly with the ‘mssql’ driver.
- Fixed a bug (#4039) - Session Library could generate multiple (redundant) warnings in case of a read failure with the ‘files’ driver, due to a bug in PHP.
- Fixed a bug where Session Library didn’t have proper error handling on PHP 5 (due to a PHP bug).
- Fixed a bug (#4312) - Form Validation Library didn’t provide error feedback for failed validation on empty requests.
- Fixed a bug where Database method version() returned banner text instead of only the version number with the ‘oci8’ and ‘pdo/oci’ drivers.
- Fixed a bug (#4331) - Database method error() didn’t really work for connection errors with the ‘mysqli’ driver.
- Fixed a bug (#4343) - Email Library failing with a “More than one ‘from’ person” message when using sendmail.
- Fixed a bug (#4350) - Loader Library method model() logic directly instantiated the CI_Model or MY_Model classes.
- Fixed a bug (#4337) - Database method query() didn’t return a result set for queries with the RETURNING statement on PostgreSQL.
- Fixed a bug (#4362) - Session Library doesn’t properly maintain its state after ID regeneration with the ‘redis’ and ‘memcached’ drivers on PHP 7.
- Fixed a bug (#4349) - Database drivers ‘mysql’, ‘mysqli’, ‘pdo/mysql’ discard other sql_mode flags when “stricton” is enabled.
- Fixed a bug (#4349) - Database drivers ‘mysql’, ‘mysqli’, ‘pdo/mysql’ don’t turn off STRICT_TRANS_TABLES on MySQL 5.7+ when “stricton” is disabled.
- Fixed a bug (#4374) - Session Library with the ‘database’ driver could be affected by userspace Query Builder conditions.
- Fixed an XSS attack vector in Security Library method xss_clean().
- Changed Config Library method base_url() to fallback to $_SERVER['SERVER_ADDR'] when $config['base_url'] is empty in order to avoid Host header injections.
- Changed CAPTCHA Helper to use the operating system’s PRNG when possible.
- Optimized Database Utility method csv_from_result() for speed with larger result sets.
- Added proper return values to Database Transactions method trans_start().
Bug fixes for 3.0.3
- Fixed a bug (#4170) - Database method insert_id() could return an identity from the wrong scope with the ‘sqlsrv’ driver.
- Fixed a bug (#4179) - Session Library doesn’t properly maintain its state after ID regeneration with the ‘database’ driver on PHP 7.
- Fixed a bug (#4173) - Database Forge method add_key() didn’t allow creation of non-PRIMARY composite keys after the “bugfix” for #3968.
- Fixed a bug (#4171) - Database Transactions didn’t work with nesting in methods trans_begin(), trans_commit(), trans_rollback().
- Fixed a bug where Database Transaction methods trans_begin(), trans_commit(), trans_rollback() ignored failures.
- Fixed a bug where all Database Transaction methods returned TRUE while transactions are actually disabled.
- Fixed a bug where common function html_escape() modified keys of its array inputs.
- Fixed a bug (#4192) - Email Library wouldn’t always have proper Quoted-printable encoding due to a bug in PHP’s own mb_mime_encodeheader() function.
- Fixed a number of XSS attack vectors in Security Library method xss_clean() (thanks to Frans Rosén from Detectify).
- Updated the application/config/constants.php file to check if constants aren’t already defined before doing that.
- Changed Loader Library method model() to only apply ucfirst() and not strtolower() to the requested class name.
- Changed Config Library methods base_url(), site_url() to allow protocol-relative URLs by passing an empty string as the protocol.
Bug fixes for 3.0.2
- Fixed a bug (#2284) - Database method protect_identifiers() breaks when Query Builder isn’t enabled.
- Fixed a bug (#4052) - Routing with anonymous functions didn’t work for routes that don’t use regular expressions.
- Fixed a bug (#4056) - Input Library method get_request_header() could not return a value unless request_headers() was called beforehand.
- Fixed a bug where the Database Class entered an endless loop if it fails to connect with the ‘sqlsrv’ driver.
- Fixed a bug (#4065) - Database method protect_identifiers() treats a traling space as an alias separator if the input doesn’t contain ‘ AS ‘.
- Fixed a bug (#4066) - Cache Library couldn’t fallback to a backup driver if the primary one is Memcache(d) or Redis.
- Fixed a bug (#4073) - Email Library method send() could return TRUE in case of an actual failure when an SMTP command fails.
- Fixed a bug (#4086) - Query Builder didn’t apply dbprefix to LIKE conditions if the pattern included spaces.
- Fixed a bug (#4091) - Cache Library ‘file’ driver could be tricked into accepting empty cache item IDs.
- Fixed a bug (#4093) - Query Builder modified string values containing ‘AND’, ‘OR’ while compiling WHERE conditions.
- Fixed a bug (#4096) - Query Builder didn’t apply dbprefix when compiling BETWEEN conditions.
- Fixed a bug (#4105) - Form Validation Library didn’t allow pipe characters inside “bracket parameters” when using a string ruleset.
- Fixed a bug (#4109) - Routing to default_controller didn’t work when enable_query_strings is set to TRUE.
- Fixed a bug (#4044) - Cache Library ‘redis’ driver didn’t catch RedisException that could be thrown during authentication.
- Fixed a bug (#4120) - Database method error() didn’t return error info when called after query() with the ‘mssql’ driver.
- Fixed a bug (#4116) - Pagination Library set the wrong page number on the “data-ci-pagination-page” attribute in generated links.
- Fixed a bug where Pagination Library added the ‘rel=”start”’ attribute to the first displayed link even if it’s not actually linking the first page.
- Fixed a bug (#4137) - Error Handling breaks for the new Error exceptions under PHP 7.
- Fixed a bug (#4126) - Form Validation Library method reset_validation() discarded validation rules from config files.
- Added DoS mitigation to hash_pbkdf2() compatibility function.
- Added list_fields() support for SQLite (‘sqlite3’ and ‘pdo_sqlite’ drivers).
- Added SSL connection support for the ‘mysqli’ and ‘pdo_mysql’ drivers.
- File Uploading Library changes:
- Changed method set_error() to accept a custom log level (defaults to ‘error’).
- Errors “no_file_selected”, “file_partial”, “stopped_by_extension”, “no_file_types”, “invalid_filetype”, “bad_filename” are now logged at the ‘debug’ level.
- Errors “file_exceeds_limit”, “file_exceeds_form_limit”, “invalid_filesize”, “invalid_dimensions” are now logged at the ‘info’ level.
- Added ‘is_resource’ to the available expectations in Unit Testing Library.
- Added Unicode support to URL Helper function url_title().
- Added support for passing the “extra” parameter as an array to all Form Helper functions that use it.
- Added support for defining a list of specific query parameters in $config['cache_query_string'] for the Output Library.
- Added class existence and inheritance checks to CI_Loader::model() in order to ease debugging in case of name collisions.
Bug fixes for 3.0.1
- Fixed a bug (#3733) - Autoloading of libraries with aliases didn’t work, although it was advertised to.
- Fixed a bug (#3744) - Redis Caching driver didn’t handle authentication failures properly.
- Fixed a bug (#3761) - URL Helper function anchor() didn’t work with array inputs.
- Fixed a bug (#3773) - db_select() didn’t work for MySQL with the PDO Database driver.
- Fixed a bug (#3771) - Form Validation Library was looking for a ‘form_validation_’ prefix when trying to translate field name labels.
- Fixed a bug (#3787) - FTP Library method delete_dir() failed when the target has subdirectories.
- Fixed a bug (#3801) - Output Library method _display_cache() incorrectly looked for the last modified time of a directory instead of the cache file.
- Fixed a bug (#3816) - Form Validation Library treated empty string values as non-existing ones.
- Fixed a bug (#3823) - Session Library drivers Redis and Memcached didn’t properly handle locks that are blocking the request for more than 30 seconds.
- Fixed a bug (#3846) - Image Manipulation Library method image_mirror_gd() didn’t properly initialize its variables.
- Fixed a bug (#3854) - field_data() didn’t work properly with the Oracle (OCI8) database driver.
- Fixed a bug in the Database Utility Class method csv_from_result() didn’t work with a whitespace CSV delimiter.
- Fixed a bug (#3890) - Input Library method get_request_header() treated header names as case-sensitive.
- Fixed a bug (#3903) - Form Validation Library ignored “unnamed” closure validation rules.
- Fixed a bug (#3904) - Form Validation Library ignored “named” callback rules when the field is empty and there’s no ‘required’ rule.
- Fixed a bug (#3922) - Email and XML-RPC libraries could enter an infinite loop due to PHP bug #39598.
- Fixed a bug (#3913) - Cache Library didn’t work with the direct $this->cache->$driver_name->method() syntax with Redis and Memcache(d).
- Fixed a bug (#3932) - Query Builder didn’t properly compile WHERE and HAVING conditions for field names that end with “and”, “or”.
- Fixed a bug in Query Builder where delete() didn’t properly work on multiple tables with a WHERE condition previously set via where().
- Fixed a bug (#3952) - Database method list_fields() didn’t work with SQLite3.
- Fixed a bug (#3955) - Cache Library methods increment() and decrement() ignored the ‘key_prefix’ setting.
- Fixed a bug (#3963) - Unit Testing Library wrongly tried to translate filenames, line numbers and notes values in test results.
- Fixed a bug (#3965) - File Uploading Library ignored the “encrypt_name” setting when “overwrite” is enabled.
- Fixed a bug (#3968) - Database Forge method add_key() didn’t treat array inputs as composite keys unless it’s a PRIMARY KEY.
- Fixed a bug (#3715) - Pagination Library could generate broken link when a protocol-relative base URL is used.
- Fixed a bug (#3828) - Output Library method delete_cache() couldn’t delete index page caches.
- Fixed a bug (#3704) - Database method stored_procedure() in the ‘oci8’ driver didn’t properly bind parameters.
- Fixed a bug (#3778) - Download Helper function force_download() incorrectly sent a Pragma response header.
- Fixed a bug (#3752) - $routing['directory'] overrides were not properly handled and always resulted in a 404 “Not Found” error.
- Fixed a bug (#3279) - Query Builder methods update() and get_compiled_update() did double escaping on the table name if it was provided via from().
- Fixed a bug (#3991) - $config['rewrite_short_tags'] never worked due to function_exists('eval') always returning FALSE.
- Fixed a bug where the File Uploading Library library will not properly configure its maximum file size unless the input value is of type integer.
- Fixed a bug (#4000) - Pagination Library didn’t enable “rel” attributes by default if no attributes-related config options were used.
- Fixed a bug (#4004) - URI Class didn’t properly parse the request URI if it contains a colon followed by a digit.
- Fixed a bug in Query Builder where the $escape parameter for some methods only affected field names.
- Fixed a bug (#4012) - Query Builder methods where_in(), or_where_in(), where_not_in(), or_where_not_in() didn’t take into account previously cached WHERE conditions when query cache is in use.
- Fixed a bug (#4015) - Email Library method set_header() didn’t support method chaining, although it was advertised.
- Fixed a bug (#4027) - Routing with HTTP verbs only worked if the route request method was declared in all-lowercase letters.
- Fixed a bug (#4026) - Database Transactions always rollback if any previous query() call fails.
- Fixed a bug (#4023) - String Helper function increment_string() didn’t escape its $separator parameter.
Read more: http://forum.codeigniter.com/thread-64610.html
31 March 2015 - 7MB
- The framework is released under the MIT license
- The database drivers have had extensive refactoring
- PDO is fully functional with subdrivers
- There is a new Session library
- There is a new Encryption library
- The unit testing has been beefed up, and code coverage improved
- PHP 5.4 or newer is recommended, but CI will still work on PHP 5.2.4
Read more: http://forum.codeigniter.com/thread-1657.html
17 February 2015 - 7MBThis is a security release for the 2.x branch. XSS handling has been improved and timezones were updated.
- Improved security in xss_clean().
- Updated timezones in Date Helper.
- Fixed a bug (#3094) - CI_Input::_clean_input_data() breaks encrypted session cookies.
- Fixed a bug (#3309) - CI_Security::xss_clean() used an overly-invasive pattern to strip JS event handlers.
- Fixed a bug (#2771) - CI_Security::xss_clean() didn't take into account HTML5 entities.
- Fixed a bug (#73) - CI_Security::sanitize_filename() could be tricked by an XSS attack.
- Fixed a bug (#2681) - CI_Security::entity_decode() used the PREG_REPLACE_EVAL flag, which is deprecated since PHP 5.5.
- Fixed a bug (#3302) - Internal function get_config() triggered an E_NOTICE message on PHP 5.6.
- Fixed a bug (#2508) - Config Library didn't properly detect if the current request is via HTTPS.
- Fixed a bug (#3314) - SQLSRV Database driver's method count_all() didn't escape the supplied table name.
- Fixed a bug (#3404) - MySQLi Database driver's method escape_str() had a wrong fallback to mysql_escape_string() when there was no active connection.
- Fixed a bug in the Session Library where session ID regeneration occurred during AJAX requests.
2.2.0(major version) (security release)
5 June 2014 - 7MBThis is a security release for the 2.x branch. The Encryption Class now requires the Mcrypt extension, so please ensure your environment is ready for the update.
- Security: The xor_encode() method in the Encrypt Class has been removed. The Encrypt Class now requires the Mcrypt extension to be installed.
- Security: The Session Library now uses HMAC authentication instead of a simple MD5 checksum.
- Fixed an edge case (#2583) in the Email Library where Suhosin blocked messages sent via mail() due to trailing newspaces in headers.
- Fixed a bug (#696) - make oci_execute() calls inside num_rows() non-committing, since they are only there to reset which row is next in line for oci_fetch calls and thus don't need to be committed.
- Fixed a bug (#2689) - Database Forge Class methods create_table(), drop_table() and rename_table() produced broken SQL for tge 'sqlsrv' driver.
- Fixed a bug (#2427) - PDO Database driver didn't properly check for query failures.
- Fixed a bug in the Session Library where authentication was not performed for encrypted cookies.
8 July 2013 - 7MBGeneral Changes
- Improved security in xss_clean().
- Fixed a bug (#1936) - Migrations Library method latest() had a typo when retrieving language values.
- Fixed a bug (#2021) - Migrations Library configuration file was mistakenly using Windows style line feeds.
- Fixed a bug (#1969) - Active Record method set_update_batch() was using the incorrect variables and would cause an error.
- Fixed a bug (#2337) - Email Library method print_debugger() was not using htmlspecialchar() when being shown in the browser.
8 October 2012 - 7MB
29 June 2012 - 7MB
13 June 2012 - 7MB
15 November 2011 - 7MB
20 August 2011 - 7MB
8 April 2011 - 7MB
15 March 2011 - 7MB
1 February 2011 - 7MB
15 December 2010 - 3MB
11 September 2009 - 3MB
19 February 2009 - 3MB
1 November 2008 - 3MB
30 June 2008 - 3MB
14 May 2008 - 3MB
18 February 2008 - 3MB
4 February 2008 - 3MB
30 July 2007 - 3MB
28 April 2007 - 3MB
23 February 2007 - 3MB
13 December 2006 - 3MB
3 November 2006 - 3MB
3 November 2006 - 3MB
23 October 2006 - 3MB
Our Web hostings are compatible with
100% SSD Web Hosting
100 GB and +
Advanced management of EV and DV SSL certificates
10 GB of VOD
2 CPU and +
6 Gb (RAM) and +
100% dedicated resources
Infomaniak manages your server
from CHF 42.- / month
Prices in CHF