CI framework source code reading --------- Input. php & lt ;? Phpif (! Defined (BASEPATH) exit (Nodirectscriptaccessallowed); *** CodeIgniter *** Anopensourceapplicationdevelopmentframeworkfor CI framework source code reading --------- Input. php
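// Remainder of the constructor body: the method signature, the property
// declarations and any earlier statements are outside this excerpt.
        $this->_allow_get_array = (config_item('allow_get_array') === TRUE);
        $this->_enable_xss      = (config_item('global_xss_filtering') === TRUE);
        $this->_enable_csrf     = (config_item('csrf_protection') === TRUE);

        // The Security object is shared with the rest of the framework
        global $SEC;
        $this->security =& $SEC;

        // Do we need the UTF-8 class?
        if (UTF8_ENABLED === TRUE)
        {
            global $UNI;
            $this->uni =& $UNI;
        }

        // Sanitize global arrays
        $this->_sanitize_globals();
    }

    // --------------------------------------------------------------------

    /**
     * Fetch from array
     *
     * Helper used by get(), post(), cookie() and server(): reads one key
     * out of a superglobal and optionally runs it through xss_clean().
     *
     * @access  private
     * @param   array   $array      the superglobal to read (by reference)
     * @param   string  $index      key to look up
     * @param   bool    $xss_clean  TRUE to pass the value through Security::xss_clean()
     * @return  mixed   the stored value, or FALSE when the key is not set
     */
    function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
    {
        if ( ! isset($array[$index]))
        {
            return FALSE;
        }

        if ($xss_clean === TRUE)
        {
            return $this->security->xss_clean($array[$index]);
        }

        return $array[$index];
    }

    // --------------------------------------------------------------------

    /**
     * Fetch an item from the GET array
     *
     * With no index (NULL) and a non-empty $_GET, the whole array is
     * returned, each value fetched through _fetch_from_array().
     *
     * @access  public
     * @param   string|null $index      key to read, or NULL for the whole array
     * @param   bool        $xss_clean  TRUE to run the value(s) through xss_clean()
     * @return  mixed       value, array of values, or FALSE when not set
     */
    function get($index = NULL, $xss_clean = FALSE)
    {
        // No field given: return the full (optionally cleaned) array
        if ($index === NULL AND ! empty($_GET))
        {
            $get = array();

            foreach (array_keys($_GET) as $key)
            {
                $get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean);
            }

            return $get;
        }

        return $this->_fetch_from_array($_GET, $index, $xss_clean);
    }

    // --------------------------------------------------------------------

    /**
     * Fetch an item from the POST array
     *
     * Same contract as get(), applied to $_POST.
     *
     * @access  public
     * @param   string|null $index      key to read, or NULL for the whole array
     * @param   bool        $xss_clean  TRUE to run the value(s) through xss_clean()
     * @return  mixed       value, array of values, or FALSE when not set
     */
    function post($index = NULL, $xss_clean = FALSE)
    {
        // No field given: return the full (optionally cleaned) array
        if ($index === NULL AND ! empty($_POST))
        {
            $post = array();

            foreach (array_keys($_POST) as $key)
            {
                $post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean);
            }

            return $post;
        }

        return $this->_fetch_from_array($_POST, $index, $xss_clean);
    }

    // --------------------------------------------------------------------

    /**
     * Fetch an item from either the GET array or the POST
     *
     * POST takes precedence; GET is consulted only when the key is
     * absent from $_POST.
     *
     * @access  public
     * @param   string  $index      the index key
     * @param   bool    $xss_clean  XSS cleaning
     * @return  mixed   value or FALSE when set in neither array
     */
    function get_post($index = '', $xss_clean = FALSE)
    {
        if ( ! isset($_POST[$index]))
        {
            return $this->get($index, $xss_clean);
        }

        return $this->post($index, $xss_clean);
    }

    // --------------------------------------------------------------------

    /**
     * Fetch an item from the COOKIE array
     *
     * @access  public
     * @param   string  $index      cookie name
     * @param   bool    $xss_clean  TRUE to run the value through xss_clean()
     * @return  mixed   cookie value or FALSE when not set
     */
    function cookie($index = '', $xss_clean = FALSE)
    {
        return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
    }

    // --------------------------------------------------------------------

    /**
     * Set cookie
     *
     * Accepts the individual parameters, or an associative array in the
     * first parameter containing any of the keys 'name', 'value',
     * 'expire', 'domain', 'path', 'prefix', 'secure' and 'httponly'.
     * Parameters left at their defaults fall back to the matching
     * cookie_* entries in config.php.
     *
     * @access  public
     * @param   mixed   $name      cookie name, or an array of all values
     * @param   string  $value     the value of the cookie
     * @param   string  $expire    seconds until expiration; non-numeric expires the cookie now
     * @param   string  $domain    the cookie domain, usually: .yourdomain.com
     * @param   string  $path      the cookie path
     * @param   string  $prefix    the cookie prefix
     * @param   bool    $secure    TRUE makes the cookie secure (HTTPS only)
     * @param   bool    $httponly  TRUE hides the cookie from client-side script
     * @return  void
     */
    function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
    {
        // Array form: copy each supplied key onto the matching parameter
        if (is_array($name))
        {
            // always leave 'name' in last place, as the loop will break otherwise, due to $$item
            foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
            {
                if (isset($name[$item]))
                {
                    $$item = $name[$item];
                }
            }
        }

        // Parameters still at their defaults take the config.php values
        if ($prefix == '' AND config_item('cookie_prefix') != '')
        {
            $prefix = config_item('cookie_prefix');
        }

        if ($domain == '' AND config_item('cookie_domain') != '')
        {
            $domain = config_item('cookie_domain');
        }

        if ($path == '/' AND config_item('cookie_path') != '/')
        {
            $path = config_item('cookie_path');
        }

        if ($secure == FALSE AND config_item('cookie_secure') != FALSE)
        {
            $secure = config_item('cookie_secure');
        }

        if ($httponly == FALSE AND config_item('cookie_httponly') != FALSE)
        {
            $httponly = config_item('cookie_httponly');
        }

        if ( ! is_numeric($expire))
        {
            // A non-numeric expiry (including the '' default) deletes the cookie
            $expire = time() - 86500;
        }
        else
        {
            // 0 keeps it a session cookie; anything positive is relative to now
            $expire = ($expire > 0) ? time() + $expire : 0;
        }

        setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
    }

    // --------------------------------------------------------------------

    /**
     * Fetch an item from the SERVER array
     *
     * @access  public
     * @param   string  $index      $_SERVER key
     * @param   bool    $xss_clean  TRUE to run the value through xss_clean()
     * @return  mixed   value or FALSE when not set
     */
    function server($index = '', $xss_clean = FALSE)
    {
        return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
    }

    // --------------------------------------------------------------------

    /**
     * Fetch the IP Address
     *
     * Returns the client address, cached in $this->ip_address. A
     * forwarded-for style header is only honoured when REMOTE_ADDR is one
     * of the addresses listed in the proxy_ips config item; otherwise
     * REMOTE_ADDR is used. '0.0.0.0' is returned when no valid address
     * can be determined.
     *
     * @access  public
     * @return  string
     */
    public function ip_address()
    {
        if ($this->ip_address !== FALSE)
        {
            return $this->ip_address;
        }

        // REMOTE_ADDR is absent under the CLI SAPI; treat that as unknown
        $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : FALSE;

        $proxy_ips = config_item('proxy_ips');
        if ( ! empty($proxy_ips))
        {
            $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
            $spoof = FALSE;

            foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
            {
                if (($spoof = $this->server($header)) !== FALSE)
                {
                    // Some proxies typically list the whole chain of IP
                    // addresses through which the client has reached us.
                    // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
                    if (strpos($spoof, ',') !== FALSE)
                    {
                        $spoof = explode(',', $spoof, 2);
                        $spoof = $spoof[0];
                    }

                    if ( ! $this->valid_ip($spoof))
                    {
                        $spoof = FALSE;
                    }
                    else
                    {
                        break;
                    }
                }
            }

            // Only trust the header when the direct peer is a configured proxy
            $this->ip_address = ($spoof !== FALSE AND in_array($remote_addr, $proxy_ips, TRUE))
                ? $spoof : $remote_addr;
        }
        else
        {
            $this->ip_address = $remote_addr;
        }

        if ( ! $this->valid_ip($this->ip_address))
        {
            $this->ip_address = '0.0.0.0';
        }

        return $this->ip_address;
    }

    // --------------------------------------------------------------------

    /**
     * Validate IP Address
     *
     * Uses filter_var() when available; otherwise guesses the family from
     * the separators and falls back to the hand-written validators.
     * Note: ip_address() already validates the address it returns.
     *
     * @access  public
     * @param   string  $ip     address to test
     * @param   string  $which  'ipv4', 'ipv6' or '' for either
     * @return  bool
     */
    public function valid_ip($ip, $which = '')
    {
        $which = strtolower($which);

        // First check if filter_var is available
        if (is_callable('filter_var'))
        {
            switch ($which)
            {
                case 'ipv4':
                    $flag = FILTER_FLAG_IPV4;
                    break;
                case 'ipv6':
                    $flag = FILTER_FLAG_IPV6;
                    break;
                default:
                    // No flag: either family is accepted (must be an int, not '')
                    $flag = 0;
                    break;
            }

            return (bool) filter_var($ip, FILTER_VALIDATE_IP, $flag);
        }

        // Fallback: pick the family from the separators
        if ($which !== 'ipv6' AND $which !== 'ipv4')
        {
            if (strpos($ip, ':') !== FALSE)
            {
                $which = 'ipv6';
            }
            elseif (strpos($ip, '.') !== FALSE)
            {
                $which = 'ipv4';
            }
            else
            {
                return FALSE;
            }
        }

        return ($which === 'ipv6') ? $this->_valid_ipv6($ip) : $this->_valid_ipv4($ip);
    }

    // --------------------------------------------------------------------

    /**
     * Validate IPv4 Address
     *
     * Updated version suggested by Geert De Deckere
     *
     * @access  protected
     * @param   string  $ip
     * @return  bool
     */
    protected function _valid_ipv4($ip)
    {
        $ip_segments = explode('.', $ip);

        // Always 4 segments needed
        if (count($ip_segments) !== 4)
        {
            return FALSE;
        }

        // IP can not start with 0 (strncmp avoids an offset notice on an empty first segment)
        if (strncmp($ip_segments[0], '0', 1) === 0)
        {
            return FALSE;
        }

        // Check each segment
        foreach ($ip_segments as $segment)
        {
            // IP segments must be digits and can not be
            // longer than 3 digits or greater then 255
            if ($segment === '' OR preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
            {
                return FALSE;
            }
        }

        return TRUE;
    }

    // --------------------------------------------------------------------

    /**
     * Validate IPv6 Address
     *
     * Only reached when filter_var() is unavailable (see valid_ip()).
     *
     * @access  protected
     * @param   string  $str
     * @return  bool
     */
    protected function _valid_ipv6($str)
    {
        // 8 groups, separated by :
        // 0-ffff per group
        // one set of consecutive 0 groups can be collapsed to ::

        $groups = 8;
        $collapsed = FALSE;

        // NOTE(review): array_filter() with no callback also drops a bare '0'
        // group, so the checks below never see it; kept as-is because this
        // path is only a fallback for hosts without filter_var().
        $chunks = array_filter(
            preg_split('/(:{1,2})/', $str, -1, PREG_SPLIT_DELIM_CAPTURE)
        );

        // Rule out easy nonsense
        if (current($chunks) == ':' OR end($chunks) == ':')
        {
            return FALSE;
        }

        // PHP supports IPv4-mapped IPv6 addresses, so we'll expect those as well
        if (strpos(end($chunks), '.') !== FALSE)
        {
            $ipv4 = array_pop($chunks);

            if ( ! $this->_valid_ipv4($ipv4))
            {
                return FALSE;
            }

            $groups--;
        }

        while ($seg = array_pop($chunks))
        {
            if ($seg[0] == ':')
            {
                if (--$groups == 0)
                {
                    return FALSE;   // too many groups
                }

                if (strlen($seg) > 2)
                {
                    return FALSE;   // long separator
                }

                if ($seg == '::')
                {
                    if ($collapsed)
                    {
                        return FALSE;   // multiple collapsed
                    }

                    $collapsed = TRUE;
                }
            }
            elseif (preg_match("/[^0-9a-f]/i", $seg) OR strlen($seg) > 4)
            {
                return FALSE;   // invalid segment
            }
        }

        return $collapsed OR $groups == 1;
    }

    // --------------------------------------------------------------------

    /**
     * User Agent
     *
     * Returns the User-Agent header of the current request, cached in
     * $this->user_agent, or FALSE when the header is not present.
     *
     * @access  public
     * @return  string|false
     */
    function user_agent()
    {
        if ($this->user_agent !== FALSE)
        {
            return $this->user_agent;
        }

        $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];

        return $this->user_agent;
    }

    // --------------------------------------------------------------------

    /**
     * Sanitize Globals
     *
     * This function does the following:
     *
     * Unsets $_GET data (if query strings are not enabled)
     *
     * Unsets all globals if register_globals is enabled
     *
     * Standardizes newline characters to \n
     *
     * Runs the CSRF check on non-CLI requests when csrf_protection is on
     *
     * @access  private
     * @return  void
     */
    function _sanitize_globals()
    {
        // It would be "wrong" to unset any of these GLOBALS.
        $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST',
                            '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
                            'system_folder', 'application_folder', 'BM', 'EXT',
                            'CFG', 'URI', 'RTR', 'OUT', 'IN');

        // Unset globals for security.
        // This is effectively the same as register_globals = off:
        // every request key that is not in $protected is nulled out.
        foreach (array($_GET, $_POST, $_COOKIE) as $global)
        {
            if ( ! is_array($global))
            {
                if ( ! in_array($global, $protected, TRUE))
                {
                    global $$global;
                    $$global = NULL;
                }
            }
            else
            {
                foreach ($global as $key => $val)
                {
                    if ( ! in_array($key, $protected, TRUE))
                    {
                        global $$key;
                        $$key = NULL;
                    }
                }
            }
        }

        // Is $_GET data allowed? If not we'll set the $_GET to an empty array
        if ($this->_allow_get_array === FALSE)
        {
            $_GET = array();
        }
        else
        {
            if (is_array($_GET) AND count($_GET) > 0)
            {
                foreach ($_GET as $key => $val)
                {
                    $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
                }
            }
        }

        // Clean $_POST Data
        if (is_array($_POST) AND count($_POST) > 0)
        {
            foreach ($_POST as $key => $val)
            {
                $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
            }
        }

        // Clean $_COOKIE Data
        if (is_array($_COOKIE) AND count($_COOKIE) > 0)
        {
            // Also get rid of specially treated cookies that might be set by a server
            // or silly application, that are of no use to a CI application anyway
            // but that when present will trip our 'Disallowed Key Characters' alarm
            // http://www.ietf.org/rfc/rfc2109.txt
            // note that the key names below are single quoted strings, and are not PHP variables
            unset($_COOKIE['$Version']);
            unset($_COOKIE['$Path']);
            unset($_COOKIE['$Domain']);

            foreach ($_COOKIE as $key => $val)
            {
                $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
            }
        }

        // Sanitize PHP_SELF
        if (isset($_SERVER['PHP_SELF']))
        {
            $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
        }

        // CSRF Protection check on HTTP requests
        if ($this->_enable_csrf === TRUE AND ! $this->is_cli_request())
        {
            $this->security->csrf_verify();
        }

        log_message('debug', "Global POST and COOKIE data sanitized");
    }

    // --------------------------------------------------------------------

    /**
     * Clean Input Data
     *
     * This is a helper function. It escapes data and
     * standardizes newline characters to \n. Arrays are cleaned
     * recursively, keys through _clean_input_keys().
     *
     * @access  private
     * @param   string|array    $str
     * @return  string|array
     */
    function _clean_input_data($str)
    {
        if (is_array($str))
        {
            $new_array = array();

            foreach ($str as $key => $val)
            {
                $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
            }

            return $new_array;
        }

        /* We strip slashes if magic quotes is on to keep things consistent

           NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
                 it will probably not exist in future versions at all.
                 The function_exists() guard keeps this from fataling where
                 it has been removed.
        */
        if ( ! is_php('5.4') AND function_exists('get_magic_quotes_gpc') AND get_magic_quotes_gpc())
        {
            $str = stripslashes($str);
        }

        // Clean UTF-8 if supported
        if (UTF8_ENABLED === TRUE)
        {
            $str = $this->uni->clean_string($str);
        }

        // Remove control characters
        $str = remove_invisible_characters($str);

        // Should we filter the input data?
        if ($this->_enable_xss === TRUE)
        {
            $str = $this->security->xss_clean($str);
        }

        // Standardize newlines if needed
        if ($this->_standardize_newlines === TRUE)
        {
            if (strpos($str, "\r") !== FALSE)
            {
                // The trailing "\r\n\n" entry undoes the doubling that the
                // "\r" replacement produces when PHP_EOL is itself "\r\n"
                $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
            }
        }

        return $str;
    }

    // --------------------------------------------------------------------

    /**
     * Clean Keys
     *
     * This is a helper function. To prevent malicious users
     * from trying to exploit keys we make sure that keys are
     * only named with alpha-numeric text and a few other items.
     * A key that fails the check terminates the request.
     *
     * @access  private
     * @param   string  $str
     * @return  string
     */
    function _clean_input_keys($str)
    {
        if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
        {
            exit('Disallowed Key Characters.');
        }

        // Clean UTF-8 if supported
        if (UTF8_ENABLED === TRUE)
        {
            $str = $this->uni->clean_string($str);
        }

        return $str;
    }

    // --------------------------------------------------------------------

    /**
     * Request Headers
     *
     * In Apache, you can simply call apache_request_headers(), however for
     * people running other webservers the function is undefined.
     * XSS cleaning is applied in the final normalisation loop so that it
     * covers both code paths, not just the non-Apache one.
     *
     * @access  public
     * @param   bool    $xss_clean  XSS cleaning
     * @return  array   header name (Some-Header form) => value
     */
    public function request_headers($xss_clean = FALSE)
    {
        // Look at Apache go!
        if (function_exists('apache_request_headers'))
        {
            $headers = apache_request_headers();
        }
        else
        {
            $headers = array();
            $headers['Content-Type'] = (isset($_SERVER['CONTENT_TYPE'])) ? $_SERVER['CONTENT_TYPE'] : getenv('CONTENT_TYPE');

            foreach ($_SERVER as $key => $val)
            {
                if (strncmp($key, 'HTTP_', 5) === 0)
                {
                    $headers[substr($key, 5)] = $val;
                }
            }
        }

        // take SOME_HEADER and turn it into Some-Header
        foreach ($headers as $key => $val)
        {
            $key = str_replace('_', ' ', strtolower($key));
            $key = str_replace(' ', '-', ucwords($key));

            $this->headers[$key] = ($xss_clean === TRUE) ? $this->security->xss_clean($val) : $val;
        }

        return $this->headers;
    }

    // --------------------------------------------------------------------

    /**
     * Get Request Header
     *
     * Returns the value of a single member of the headers class member,
     * populating it via request_headers() on first use.
     *
     * @access  public
     * @param   string  $index      array key for $this->headers
     * @param   bool    $xss_clean  XSS Clean or not
     * @return  mixed   FALSE on failure, string on success
     */
    public function get_request_header($index, $xss_clean = FALSE)
    {
        if (empty($this->headers))
        {
            $this->request_headers();
        }

        if ( ! isset($this->headers[$index]))
        {
            return FALSE;
        }

        if ($xss_clean === TRUE)
        {
            return $this->security->xss_clean($this->headers[$index]);
        }

        return $this->headers[$index];
    }

    // --------------------------------------------------------------------

    /**
     * Is ajax Request?
     *
     * Test to see if a request contains the HTTP_X_REQUESTED_WITH header
     * with the value the browser XHR API sends; the header is client
     * supplied, so this is a hint, not an authentication signal.
     *
     * @access  public
     * @return  bool
     */
    public function is_ajax_request()
    {
        return ($this->server('HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest');
    }

    // --------------------------------------------------------------------

    /**
     * Is cli Request?
     *
     * Test to see if a request was made from the command line
     *
     * @access  public
     * @return  bool
     */
    public function is_cli_request()
    {
        return (php_sapi_name() === 'cli' OR defined('STDIN'));
    }

}
// END Input class

/* End of file Input.php */
/* Location: ./system/core/Input.php */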