CI framework source code: Input.php

Source: Internet
Author: User
Tags control characters server array set cookie
CI framework source code reading: Input.php. `<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); /** CodeIgniter: An open source a…` (excerpt truncated)

CI framework source code reading: Input.php
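 // Reviewer reconstruction of the Input.php listing.
// The page's copy starts part-way through the constructor, and its tokens were
// mangled in extraction (split identifiers, "===" collapsed to "=", lower-cased
// $_SERVER keys). The class line and the property declarations are not on the
// page; they are re-created here from how the methods use them. Check against
// the framework's own system/core/Input.php before reusing this text.
class CI_Input {

	// Cached results; FALSE means "not looked up yet" (see ip_address() / user_agent()).
	public $ip_address = FALSE;
	public $user_agent = FALSE;

	// Overwritten from config.php in the constructor.
	public $_allow_get_array = TRUE;
	public $_enable_xss = FALSE;
	public $_enable_csrf = FALSE;

	// Never assigned in the visible code; TRUE is assumed to be the upstream default -- TODO confirm.
	public $_standardize_newlines = TRUE;

	// Filled by request_headers().
	protected $headers = array();

	// References to the global Security / UTF-8 objects, bound in the constructor.
	public $security;
	public $uni;

	/**
	 * Constructor
	 *
	 * Reads the input-related switches from config.php, binds the Security and
	 * UTF-8 helpers and sanitizes the superglobals. Anything the constructor
	 * did before the first config read is not on the page.
	 */
	public function __construct()
	{
		$this->_allow_get_array	= (config_item('allow_get_array') === TRUE);
		$this->_enable_xss		= (config_item('global_xss_filtering') === TRUE);
		$this->_enable_csrf		= (config_item('csrf_protection') === TRUE);

		// The Security object provides xss_clean() and csrf_verify().
		global $SEC;
		$this->security =& $SEC;

		// Do we need the UTF-8 class?
		if (UTF8_ENABLED === TRUE)
		{
			global $UNI;
			$this->uni =& $UNI;
		}

		// Sanitize global arrays
		$this->_sanitize_globals();
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch from array
	 *
	 * Helper used to retrieve values from the global arrays. When $xss_clean
	 * is TRUE the value is passed through the Security filter first.
	 *
	 * The default is to return the value as received. Filtering on input does
	 * not replace escaping for the context the value is later written into
	 * (HTML, SQL, shell, ...).
	 *
	 * @access	private
	 * @param	array	array to read from (taken by reference)
	 * @param	string	key to look up
	 * @param	bool	run xss_clean() on the value
	 * @return	mixed	the value, or FALSE when the key is not set
	 */
	function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
	{
		if ( ! isset($array[$index]))
		{
			return FALSE;
		}

		if ($xss_clean === TRUE)
		{
			return $this->security->xss_clean($array[$index]);
		}

		return $array[$index];
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch an item from the GET array
	 *
	 * With no index, returns every GET item (each optionally filtered).
	 *
	 * @access	public
	 * @param	string
	 * @param	bool
	 * @return	mixed
	 */
	function get($index = NULL, $xss_clean = FALSE)
	{
		// Check if a field has been provided
		if ($index === NULL AND ! empty($_GET))
		{
			$get = array();

			// Loop through the full _GET array
			foreach (array_keys($_GET) as $key)
			{
				$get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean);
			}

			return $get;
		}

		return $this->_fetch_from_array($_GET, $index, $xss_clean);
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch an item from the POST array
	 *
	 * With no index, returns every POST item (each optionally filtered).
	 *
	 * @access	public
	 * @param	string
	 * @param	bool
	 * @return	mixed
	 */
	function post($index = NULL, $xss_clean = FALSE)
	{
		// Check if a field has been provided
		if ($index === NULL AND ! empty($_POST))
		{
			$post = array();

			// Loop through the full _POST array and return it
			foreach (array_keys($_POST) as $key)
			{
				$post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean);
			}

			return $post;
		}

		return $this->_fetch_from_array($_POST, $index, $xss_clean);
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch an item from either the GET array or the POST array
	 *
	 * POST wins when the key is present in both.
	 *
	 * @access	public
	 * @param	string	The index key
	 * @param	bool	XSS cleaning
	 * @return	mixed
	 */
	function get_post($index = '', $xss_clean = FALSE)
	{
		if ( ! isset($_POST[$index]))
		{
			return $this->get($index, $xss_clean);
		}
		else
		{
			return $this->post($index, $xss_clean);
		}
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch an item from the COOKIE array
	 *
	 * @access	public
	 * @param	string
	 * @param	bool
	 * @return	mixed
	 */
	function cookie($index = '', $xss_clean = FALSE)
	{
		return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
	}

	// --------------------------------------------------------------------

	/**
	 * Set cookie
	 *
	 * Accepts seven parameters, or an associative array in the first
	 * parameter containing all the values.
	 *
	 * Review note: setcookie() is called here without an HttpOnly argument,
	 * so cookies written through this method are readable from page script.
	 * The Secure flag is only set when $secure or the cookie_secure config
	 * item is truthy.
	 *
	 * @access	public
	 * @param	mixed	cookie name, or array of all values
	 * @param	string	the value of the cookie
	 * @param	string	the number of seconds until expiration
	 * @param	string	the cookie domain.  Usually:  .yourdomain.com
	 * @param	string	the cookie path
	 * @param	string	the cookie prefix
	 * @param	bool	true makes the cookie secure
	 * @return	void
	 */
	function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
	{
		// If the first argument is an array, copy its entries onto the parameters.
		if (is_array($name))
		{
			// Always leave 'name' in last place, as the loop will break otherwise, due to $$item.
			// The variable names come from this fixed list, never from the array's own keys.
			foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item)
			{
				if (isset($name[$item]))
				{
					$$item = $name[$item];
				}
			}
		}

		// Where a parameter still has its default and config.php sets a
		// non-default value, the config.php value is used.
		if ($prefix == '' AND config_item('cookie_prefix') != '')
		{
			$prefix = config_item('cookie_prefix');
		}
		if ($domain == '' AND config_item('cookie_domain') != '')
		{
			$domain = config_item('cookie_domain');
		}
		if ($path == '/' AND config_item('cookie_path') != '/')
		{
			$path = config_item('cookie_path');
		}
		if ($secure == FALSE AND config_item('cookie_secure') != FALSE)
		{
			$secure = config_item('cookie_secure');
		}

		if ( ! is_numeric($expire))
		{
			// A non-numeric lifetime yields a timestamp in the past, which expires the cookie.
			$expire = time() - 86500;
		}
		else
		{
			// 0 keeps it a session cookie; a positive value is seconds from now.
			$expire = ($expire > 0) ? time() + $expire : 0;
		}

		setcookie($prefix.$name, $value, $expire, $path, $domain, $secure);
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch an item from the SERVER array
	 *
	 * @access	public
	 * @param	string
	 * @param	bool
	 * @return	mixed
	 */
	function server($index = '', $xss_clean = FALSE)
	{
		return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch the IP Address
	 *
	 * Returns the IP address of the current user; '0.0.0.0' when the address
	 * does not validate. The result is cached on the object.
	 *
	 * Forwarding headers are honoured only when the 'proxy_ips' config item is
	 * set AND REMOTE_ADDR is one of the listed proxies. Only the first entry of
	 * a comma-separated chain is used; unless the proxy overwrites the header,
	 * that entry is whatever the client sent, so the result suits logging
	 * better than access-control decisions.
	 *
	 * @return	string
	 */
	public function ip_address()
	{
		// Already resolved for this request.
		if ($this->ip_address !== FALSE)
		{
			return $this->ip_address;
		}

		$proxy_ips = config_item('proxy_ips');
		if ( ! empty($proxy_ips))
		{
			$proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
			foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
			{
				if (($spoof = $this->server($header)) !== FALSE)
				{
					// Some proxies typically list the whole chain of IP
					// addresses through which the client has reached us.
					// e.g. client_ip, proxy_ip1, proxy_ip2, etc.
					if (strpos($spoof, ',') !== FALSE)
					{
						$spoof = explode(',', $spoof, 2);
						$spoof = $spoof[0];
					}

					if ( ! $this->valid_ip($spoof))
					{
						$spoof = FALSE;
					}
					else
					{
						break;
					}
				}
			}

			// Strict in_array(): the direct peer must match a configured proxy exactly.
			$this->ip_address = ($spoof !== FALSE && in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE))
				? $spoof : $_SERVER['REMOTE_ADDR'];
		}
		else
		{
			$this->ip_address = $_SERVER['REMOTE_ADDR'];
		}

		if ( ! $this->valid_ip($this->ip_address))
		{
			$this->ip_address = '0.0.0.0';
		}

		return $this->ip_address;
	}

	// --------------------------------------------------------------------

	/**
	 * Validate IP Address
	 *
	 * Tests whether the supplied address is well-formed.
	 * Note: $this->input->ip_address() already runs its result through this check.
	 *
	 * @access	public
	 * @param	string
	 * @param	string	'ipv4' or 'ipv6'; anything else accepts either family
	 * @return	bool
	 */
	public function valid_ip($ip, $which = '')
	{
		$which = strtolower($which);

		// First check if filter_var is available
		if (is_callable('filter_var'))
		{
			switch ($which)
			{
				case 'ipv4':
					$flag = FILTER_FLAG_IPV4;
					break;
				case 'ipv6':
					$flag = FILTER_FLAG_IPV6;
					break;
				default:
					// Integer "no flags". The listing passed '' here, which PHP 8
					// rejects with a TypeError for filter_var()'s third argument.
					$flag = 0;
					break;
			}

			return (bool) filter_var($ip, FILTER_VALIDATE_IP, $flag);
		}

		// Fallback validators, reached only when filter_var() is unavailable.
		if ($which !== 'ipv6' && $which !== 'ipv4')
		{
			if (strpos($ip, ':') !== FALSE)
			{
				$which = 'ipv6';
			}
			elseif (strpos($ip, '.') !== FALSE)
			{
				$which = 'ipv4';
			}
			else
			{
				return FALSE;
			}
		}

		// $which is constrained to 'ipv4' / 'ipv6' above, so only the two
		// validators below can be dispatched to.
		$func = '_valid_'.$which;
		return $this->$func($ip);
	}

	// --------------------------------------------------------------------

	/**
	 * Validate IPv4 Address
	 *
	 * Updated version suggested by Geert De Deckere
	 *
	 * @access	protected
	 * @param	string
	 * @return	bool
	 */
	protected function _valid_ipv4($ip)
	{
		$ip_segments = explode('.', $ip);

		// Always 4 segments needed
		if (count($ip_segments) !== 4)
		{
			return FALSE;
		}

		// IP can not start with 0. The isset() guard avoids indexing into an
		// empty first segment; that case is rejected by the loop below.
		if (isset($ip_segments[0][0]) && $ip_segments[0][0] == '0')
		{
			return FALSE;
		}

		// Check each segment
		foreach ($ip_segments as $segment)
		{
			// IP segments must be digits and can not be
			// longer than 3 digits or greater then 255
			if ($segment == '' OR preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
			{
				return FALSE;
			}
		}

		return TRUE;
	}

	// --------------------------------------------------------------------

	/**
	 * Validate IPv6 Address
	 *
	 * @access	protected
	 * @param	string
	 * @return	bool
	 */
	protected function _valid_ipv6($str)
	{
		// 8 groups, separated by :
		// 0-ffff per group
		// one set of consecutive 0 groups can be collapsed to ::

		$groups = 8;
		$collapsed = FALSE;

		// -1 means "no limit"; the listing passed NULL, which newer PHP deprecates.
		$chunks = array_filter(
			preg_split('/(:{1,2})/', $str, -1, PREG_SPLIT_DELIM_CAPTURE)
		);

		// Rule out easy nonsense
		if (current($chunks) == ':' OR end($chunks) == ':')
		{
			return FALSE;
		}

		// PHP supports IPv4-mapped IPv6 addresses, so we'll expect those as well
		if (strpos(end($chunks), '.') !== FALSE)
		{
			$ipv4 = array_pop($chunks);

			if ( ! $this->_valid_ipv4($ipv4))
			{
				return FALSE;
			}

			$groups--;
		}

		while ($seg = array_pop($chunks))
		{
			if ($seg[0] == ':')
			{
				if (--$groups == 0)
				{
					return FALSE;	// too many groups
				}

				if (strlen($seg) > 2)
				{
					return FALSE;	// long separator
				}

				if ($seg == '::')
				{
					if ($collapsed)
					{
						return FALSE;	// multiple collapsed
					}

					$collapsed = TRUE;
				}
			}
			elseif (preg_match("/[^0-9a-f]/i", $seg) OR strlen($seg) > 4)
			{
				return FALSE;	// invalid segment
			}
		}

		return $collapsed OR $groups == 1;
	}

	// --------------------------------------------------------------------

	/**
	 * User Agent
	 *
	 * Returns the user agent string sent by the client, or FALSE when none was
	 * sent. Article note: an empty user agent is generally treated as a mobile
	 * client, a curl fetch or a crawler. The value is client-supplied.
	 *
	 * @access	public
	 * @return	mixed
	 */
	function user_agent()
	{
		if ($this->user_agent !== FALSE)
		{
			return $this->user_agent;
		}

		$this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];

		return $this->user_agent;
	}

	// --------------------------------------------------------------------

	/**
	 * Sanitize Globals
	 *
	 * This function does the following:
	 *
	 * Unsets $_GET data (if query strings are not enabled)
	 *
	 * Unsets all globals if register_globals is enabled
	 *
	 * Standardizes newline characters to \n
	 *
	 * @access	private
	 * @return	void
	 */
	function _sanitize_globals()
	{
		// It would be "wrong" to unset any of these GLOBALS.
		$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST',
							'_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
							'system_folder', 'application_folder', 'BM', 'EXT',
							'CFG', 'URI', 'RT', 'OUT', 'IN');

		// Unset globals for security.
		// This is effectively the same as register_globals = off:
		// every global variable named after a request key is nulled unless it
		// is on the protected list above.
		foreach (array($_GET, $_POST, $_COOKIE) as $global)
		{
			if ( ! is_array($global))
			{
				if ( ! in_array($global, $protected))
				{
					global $$global;
					$$global = NULL;
				}
			}
			else
			{
				foreach ($global as $key => $val)
				{
					if ( ! in_array($key, $protected))
					{
						global $$key;
						$$key = NULL;
					}
				}
			}
		}

		// Is $_GET data allowed? If not we'll set the $_GET to an empty array
		if ($this->_allow_get_array == FALSE)
		{
			$_GET = array();
		}
		else
		{
			if (is_array($_GET) AND count($_GET) > 0)
			{
				foreach ($_GET as $key => $val)
				{
					$_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
				}
			}
		}

		// Clean $_POST Data
		if (is_array($_POST) AND count($_POST) > 0)
		{
			foreach ($_POST as $key => $val)
			{
				$_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
			}
		}

		// Clean $_COOKIE Data
		if (is_array($_COOKIE) AND count($_COOKIE) > 0)
		{
			// Also get rid of specially treated cookies that might be set by a server
			// or silly application, that are of no use to a CI application anyway
			// but that when present will trip our 'Disallowed Key Characters' alarm
			// http://www.ietf.org/rfc/rfc2109.txt
			// note that the key names below are single quoted strings, and are not PHP variables
			unset($_COOKIE['$Version']);
			unset($_COOKIE['$Path']);
			unset($_COOKIE['$Domain']);

			foreach ($_COOKIE as $key => $val)
			{
				$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
			}
		}

		// Sanitize PHP_SELF
		$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);

		// CSRF Protection check on HTTP requests (skipped for command-line runs)
		if ($this->_enable_csrf == TRUE && ! $this->is_cli_request())
		{
			$this->security->csrf_verify();
		}

		log_message('debug', "Global POST and COOKIE data sanitized");
	}

	// --------------------------------------------------------------------

	/**
	 * Clean Input Data
	 *
	 * This is a helper function. It escapes data and
	 * standardizes newline characters to \n
	 *
	 * Arrays are cleaned recursively, keys included. Review note: the global
	 * XSS filter applied here is an input-side measure and does not replace
	 * escaping at the point of output.
	 *
	 * @access	private
	 * @param	string
	 * @return	string
	 */
	function _clean_input_data($str)
	{
		if (is_array($str))
		{
			$new_array = array();
			foreach ($str as $key => $val)
			{
				$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
			}
			return $new_array;
		}

		/* We strip slashes if magic quotes is on to keep things consistent

		   NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
			 it will probably not exist in future versions at all.
			 The is_php() test short-circuits first, so the call is never
			 reached on 5.4 or later.
		*/
		if ( ! is_php('5.4') && get_magic_quotes_gpc())
		{
			$str = stripslashes($str);
		}

		// Clean UTF-8 if supported
		if (UTF8_ENABLED === TRUE)
		{
			$str = $this->uni->clean_string($str);
		}

		// Remove control characters
		$str = remove_invisible_characters($str);

		// Should we filter the input data?
		if ($this->_enable_xss === TRUE)
		{
			$str = $this->security->xss_clean($str);
		}

		// Standardize newlines if needed
		if ($this->_standardize_newlines == TRUE)
		{
			if (strpos($str, "\r") !== FALSE)
			{
				// The listing carried a third search string; once "\r\n" and "\r"
				// have been replaced no "\r" is left for it to match, so two
				// entries give the same result. The replacement is PHP_EOL,
				// not a literal "\n" as the docblock says.
				$str = str_replace(array("\r\n", "\r"), PHP_EOL, $str);
			}
		}

		return $str;
	}

	// --------------------------------------------------------------------

	/**
	 * Clean Keys
	 *
	 * This is a helper function. To prevent malicious users
	 * from trying to exploit keys we make sure that keys are
	 * only named with alpha-numeric text and a few other items.
	 *
	 * Review notes: a rejected key ends the whole request via exit(). The
	 * pattern's "$" anchor also matches just before one trailing newline; the
	 * D modifier (or \z) would close that gap.
	 *
	 * @access	private
	 * @param	string
	 * @return	string
	 */
	function _clean_input_keys($str)
	{
		if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
		{
			exit('Disallowed Key Characters.');
		}

		// Clean UTF-8 if supported
		if (UTF8_ENABLED === TRUE)
		{
			$str = $this->uni->clean_string($str);
		}

		return $str;
	}

	// --------------------------------------------------------------------

	/**
	 * Request Headers
	 *
	 * In Apache, you can simply call apache_request_headers(), however for
	 * people running other webservers the function is undefined.
	 *
	 * Review note: $xss_clean is applied only in the $_SERVER fallback branch;
	 * values returned by apache_request_headers() are stored as received.
	 *
	 * @param	bool	XSS cleaning
	 *
	 * @return	array
	 */
	public function request_headers($xss_clean = FALSE)
	{
		// Look at Apache go!
		if (function_exists('apache_request_headers'))
		{
			$headers = apache_request_headers();
		}
		else
		{
			$headers = array();
			$headers['Content-Type'] = (isset($_SERVER['CONTENT_TYPE'])) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');

			foreach ($_SERVER as $key => $val)
			{
				if (strncmp($key, 'HTTP_', 5) === 0)
				{
					$headers[substr($key, 5)] = $this->_fetch_from_array($_SERVER, $key, $xss_clean);
				}
			}
		}

		// take SOME_HEADER and turn it into Some-Header
		foreach ($headers as $key => $val)
		{
			$key = str_replace('_', ' ', strtolower($key));
			$key = str_replace(' ', '-', ucwords($key));

			$this->headers[$key] = $val;
		}

		return $this->headers;
	}

	// --------------------------------------------------------------------

	/**
	 * Get Request Header
	 *
	 * Returns the value of a single member of the headers class member
	 *
	 * @param	string	array key for $this->headers
	 * @param	boolean	XSS Clean or not
	 * @return	mixed	FALSE on failure, string on success
	 */
	public function get_request_header($index, $xss_clean = FALSE)
	{
		// Build the header list on first use.
		if (empty($this->headers))
		{
			$this->request_headers();
		}

		if ( ! isset($this->headers[$index]))
		{
			return FALSE;
		}

		if ($xss_clean === TRUE)
		{
			return $this->security->xss_clean($this->headers[$index]);
		}

		return $this->headers[$index];
	}

	// --------------------------------------------------------------------

	/**
	 * Is ajax Request?
	 *
	 * Test to see if a request contains the HTTP_X_REQUESTED_WITH header.
	 * The header is set by the client, so this is a routing hint rather than
	 * a security check.
	 *
	 * @return	boolean
	 */
	public function is_ajax_request()
	{
		return ($this->server('HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest');
	}

	// --------------------------------------------------------------------

	/**
	 * Is cli Request?
	 *
	 * Test to see if a request was made from the command line
	 *
	 * @return	bool
	 */
	public function is_cli_request()
	{
		return (php_sapi_name() === 'cli' OR defined('STDIN'));
	}

}

/* End of file Input.php */
/* Location: ./system/core/Input.php */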
