diff options
author | Andrey Andreev <narf@devilix.net> | 2019-01-16 16:49:35 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2019-01-16 16:49:35 +0100 |
commit | c576995304fc3609cca0b7b92d1b2cd611ec82f5 (patch) | |
tree | c8b9121cb295b56bbabe3aeaad0a3eb1f2d390bb /user_guide_src/source/libraries/input.rst | |
parent | 4eaf80a6ec0b58a0adc95638153363e00ebf5378 (diff) |
[ci skip] 3.1.10 release
Diffstat (limited to 'user_guide_src/source/libraries/input.rst')
-rw-r--r-- | user_guide_src/source/libraries/input.rst | 474 |
1 files changed, 0 insertions, 474 deletions
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst deleted file mode 100644 index 300f47112..000000000 --- a/user_guide_src/source/libraries/input.rst +++ /dev/null @@ -1,474 +0,0 @@ -########### -Input Class -########### - -The Input Class serves two purposes: - -#. It pre-processes global input data for security. -#. It provides some helper methods for fetching input data and pre-processing it. - -.. note:: This class is initialized automatically by the system so there - is no need to do it manually. - -.. contents:: - :local: - -.. raw:: html - - <div class="custom-index container"></div> - -*************** -Input Filtering -*************** - -Security Filtering -================== - -The security filtering method is called automatically when a new -:doc:`controller <../general/controllers>` is invoked. It does the -following: - -- If ``$config['allow_get_array']`` is FALSE (default is TRUE), destroys - the global GET array. -- Destroys all global variables in the event register_globals is - turned on. -- Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric - (and a few other) characters. -- Provides XSS (Cross-site Scripting Hacks) filtering. This can be - enabled globally, or upon request. -- Standardizes newline characters to ``PHP_EOL`` (\\n in UNIX-based OSes, - \\r\\n under Windows). This is configurable. - -XSS Filtering -============= - -The Input class has the ability to filter input automatically to prevent -cross-site scripting attacks. If you want the filter to run -automatically every time it encounters POST or COOKIE data you can -enable it by opening your *application/config/config.php* file and setting -this:: - - $config['global_xss_filtering'] = TRUE; - -Please refer to the :doc:`Security class <security>` documentation for -information on using XSS Filtering in your application. - -.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept - solely for backwards-compatibility purposes. XSS escaping should - be performed on *output*, not *input*! - -******************* -Accessing form data -******************* - -Using POST, GET, COOKIE, or SERVER Data -======================================= - -CodeIgniter comes with helper methods that let you fetch POST, GET, -COOKIE or SERVER items. The main advantage of using the provided -methods rather than fetching an item directly (``$_POST['something']``) -is that the methods will check to see if the item is set and return -NULL if not. This lets you conveniently use data without -having to test whether an item exists first. In other words, normally -you might do something like this:: - - $something = isset($_POST['something']) ? $_POST['something'] : NULL; - -With CodeIgniter's built in methods you can simply do this:: - - $something = $this->input->post('something'); - -The main methods are: - -- ``$this->input->post()`` -- ``$this->input->get()`` -- ``$this->input->cookie()`` -- ``$this->input->server()`` - -Using the php://input stream -============================ - -If you want to utilize the PUT, DELETE, PATCH or other exotic request -methods, they can only be accessed via a special input stream, that -can only be read once. This isn't as easy as just reading from e.g. -the ``$_POST`` array, because it will always exist and you can try -and access multiple variables without caring that you might only have -one shot at all of the POST data. - -CodeIgniter will take care of that for you, and you can read the data -from the **php://input** stream at any time, just by using the -``$raw_input_stream`` property:: - - $this->input->raw_input_stream; - -Additionally if the input stream is form-encoded like $_POST you can -access its values by calling the -``input_stream()`` method:: - - $this->input->input_stream('key'); - -Similar to other methods such as ``get()`` and ``post()``, if the -requested data is not found, it will return NULL and you can also -decide whether to run the data through ``xss_clean()`` by passing -a boolean value as the second parameter:: - - $this->input->input_stream('key', TRUE); // XSS Clean - $this->input->input_stream('key', FALSE); // No XSS filter - -.. note:: You can utilize ``method()`` in order to know if you're reading - PUT, DELETE or PATCH data. - -*************** -Class Reference -*************** - -.. php:class:: CI_Input - - .. attribute:: $raw_input_stream - - Read only property that will return php://input data as is. - - The property can be read multiple times. - - .. php:method:: post([$index = NULL[, $xss_clean = NULL]]) - - :param mixed $index: POST parameter name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: $_POST if no parameters supplied, otherwise the POST value if found or NULL if not - :rtype: mixed - - The first parameter will contain the name of the POST item you are - looking for:: - - $this->input->post('some_data'); - - The method returns NULL if the item you are attempting to retrieve - does not exist. - - The second optional parameter lets you run the data through the XSS - filter. It's enabled by setting the second parameter to boolean TRUE - or by setting your ``$config['global_xss_filtering']`` to TRUE. - :: - - $this->input->post('some_data', TRUE); - - To return an array of all POST items call without any parameters. - - To return all POST items and pass them through the XSS filter set the - first parameter NULL while setting the second parameter to boolean TRUE. - :: - - $this->input->post(NULL, TRUE); // returns all POST items with XSS filter - $this->input->post(NULL, FALSE); // returns all POST items without XSS filter - - To return an array of multiple POST parameters, pass all the required keys - as an array. - :: - - $this->input->post(array('field1', 'field2')); - - Same rule applied here, to retrieve the parameters with XSS filtering enabled, set the - second parameter to boolean TRUE. - :: - - $this->input->post(array('field1', 'field2'), TRUE); - - .. php:method:: get([$index = NULL[, $xss_clean = NULL]]) - - :param mixed $index: GET parameter name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: $_GET if no parameters supplied, otherwise the GET value if found or NULL if not - :rtype: mixed - - This method is identical to ``post()``, only it fetches GET data. - :: - - $this->input->get('some_data', TRUE); - - To return an array of all GET items call without any parameters. - - To return all GET items and pass them through the XSS filter set the - first parameter NULL while setting the second parameter to boolean TRUE. - :: - - $this->input->get(NULL, TRUE); // returns all GET items with XSS filter - $this->input->get(NULL, FALSE); // returns all GET items without XSS filtering - - To return an array of multiple GET parameters, pass all the required keys - as an array. - :: - - $this->input->get(array('field1', 'field2')); - - Same rule applied here, to retrieve the parameters with XSS filtering enabled, set the - second parameter to boolean TRUE. - :: - - $this->input->get(array('field1', 'field2'), TRUE); - - .. php:method:: post_get($index[, $xss_clean = NULL]) - - :param string $index: POST/GET parameter name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: POST/GET value if found, NULL if not - :rtype: mixed - - This method works pretty much the same way as ``post()`` and ``get()``, - only combined. It will search through both POST and GET streams for data, - looking in POST first, and then in GET:: - - $this->input->post_get('some_data', TRUE); - - .. php:method:: get_post($index[, $xss_clean = NULL]) - - :param string $index: GET/POST parameter name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: GET/POST value if found, NULL if not - :rtype: mixed - - This method works the same way as ``post_get()`` only it looks for GET - data first. - - $this->input->get_post('some_data', TRUE); - - .. note:: This method used to act EXACTLY like ``post_get()``, but it's - behavior has changed in CodeIgniter 3.0. - - .. php:method:: cookie([$index = NULL[, $xss_clean = NULL]]) - - :param mixed $index: COOKIE name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: $_COOKIE if no parameters supplied, otherwise the COOKIE value if found or NULL if not - :rtype: mixed - - This method is identical to ``post()`` and ``get()``, only it fetches cookie - data:: - - $this->input->cookie('some_cookie'); - $this->input->cookie('some_cookie', TRUE); // with XSS filter - - To return an array of multiple cookie values, pass all the required keys - as an array. - :: - - $this->input->cookie(array('some_cookie', 'some_cookie2')); - - .. note:: Unlike the :doc:`Cookie Helper <../helpers/cookie_helper>` - function :php:func:`get_cookie()`, this method does NOT prepend - your configured ``$config['cookie_prefix']`` value. - - .. php:method:: server($index[, $xss_clean = NULL]) - - :param mixed $index: Value name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: $_SERVER item value if found, NULL if not - :rtype: mixed - - This method is identical to the ``post()``, ``get()`` and ``cookie()`` - methods, only it fetches server data (``$_SERVER``):: - - $this->input->server('some_data'); - - To return an array of multiple ``$_SERVER`` values, pass all the required keys - as an array. - :: - - $this->input->server(array('SERVER_PROTOCOL', 'REQUEST_URI')); - - .. php:method:: input_stream([$index = NULL[, $xss_clean = NULL]]) - - :param mixed $index: Key name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: Input stream array if no parameters supplied, otherwise the specified value if found or NULL if not - :rtype: mixed - - This method is identical to ``get()``, ``post()`` and ``cookie()``, - only it fetches the *php://input* stream data. - - .. php:method:: set_cookie($name = ''[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL]]]]]]]) - - :param mixed $name: Cookie name or an array of parameters - :param string $value: Cookie value - :param int $expire: Cookie expiration time in seconds - :param string $domain: Cookie domain - :param string $path: Cookie path - :param string $prefix: Cookie name prefix - :param bool $secure: Whether to only transfer the cookie through HTTPS - :param bool $httponly: Whether to only make the cookie accessible for HTTP requests (no JavaScript) - :rtype: void - - - Sets a cookie containing the values you specify. There are two ways to - pass information to this method so that a cookie can be set: Array - Method, and Discrete Parameters: - - **Array Method** - - Using this method, an associative array is passed to the first - parameter:: - - $cookie = array( - 'name' => 'The Cookie Name', - 'value' => 'The Value', - 'expire' => '86500', - 'domain' => '.some-domain.com', - 'path' => '/', - 'prefix' => 'myprefix_', - 'secure' => TRUE - ); - - $this->input->set_cookie($cookie); - - **Notes** - - Only the name and value are required. To delete a cookie set it with the - expiration blank. - - The expiration is set in **seconds**, which will be added to the current - time. Do not include the time, but rather only the number of seconds - from *now* that you wish the cookie to be valid. If the expiration is - set to zero the cookie will only last as long as the browser is open. - - For site-wide cookies regardless of how your site is requested, add your - URL to the **domain** starting with a period, like this: - .your-domain.com - - The path is usually not needed since the method sets a root path. - - The prefix is only needed if you need to avoid name collisions with - other identically named cookies for your server. - - The *httponly* and *secure* flags, when omitted, will default to your - ``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings. - - **Discrete Parameters** - - If you prefer, you can set the cookie by passing data using individual - parameters:: - - $this->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure); - - .. php:method:: ip_address() - - :returns: Visitor's IP address or '0.0.0.0' if not valid - :rtype: string - - Returns the IP address for the current user. If the IP address is not - valid, the method will return '0.0.0.0':: - - echo $this->input->ip_address(); - - .. important:: This method takes into account the ``$config['proxy_ips']`` - setting and will return the reported HTTP_X_FORWARDED_FOR, - HTTP_CLIENT_IP, HTTP_X_CLIENT_IP or HTTP_X_CLUSTER_CLIENT_IP - address for the allowed IP addresses. - - .. php:method:: valid_ip($ip[, $which = '']) - - :param string $ip: IP address - :param string $which: IP protocol ('ipv4' or 'ipv6') - :returns: TRUE if the address is valid, FALSE if not - :rtype: bool - - Takes an IP address as input and returns TRUE or FALSE (boolean) depending - on whether it is valid or not. - - .. note:: The $this->input->ip_address() method above automatically - validates the IP address. - - :: - - if ( ! $this->input->valid_ip($ip)) - { - echo 'Not Valid'; - } - else - { - echo 'Valid'; - } - - Accepts an optional second string parameter of 'ipv4' or 'ipv6' to specify - an IP format. The default checks for both formats. - - .. php:method:: user_agent([$xss_clean = NULL]) - - :returns: User agent string or NULL if not set - :param bool $xss_clean: Whether to apply XSS filtering - :rtype: mixed - - Returns the user agent string (web browser) being used by the current user, - or NULL if it's not available. - :: - - echo $this->input->user_agent(); - - See the :doc:`User Agent Class <user_agent>` for methods which extract - information from the user agent string. - - .. php:method:: request_headers([$xss_clean = FALSE]) - - :param bool $xss_clean: Whether to apply XSS filtering - :returns: An array of HTTP request headers - :rtype: array - - Returns an array of HTTP request headers. - Useful if running in a non-Apache environment where - `apache_request_headers() <http://php.net/apache_request_headers>`_ - will not be supported. - :: - - $headers = $this->input->request_headers(); - - .. php:method:: get_request_header($index[, $xss_clean = FALSE]) - - :param string $index: HTTP request header name - :param bool $xss_clean: Whether to apply XSS filtering - :returns: An HTTP request header or NULL if not found - :rtype: string - - Returns a single member of the request headers array or NULL - if the searched header is not found. - :: - - $this->input->get_request_header('some-header', TRUE); - - .. php:method:: is_ajax_request() - - :returns: TRUE if it is an Ajax request, FALSE if not - :rtype: bool - - Checks to see if the HTTP_X_REQUESTED_WITH server header has been - set, and returns boolean TRUE if it is or FALSE if not. - - .. php:method:: is_cli_request() - - :returns: TRUE if it is a CLI request, FALSE if not - :rtype: bool - - Checks to see if the application was run from the command-line - interface. - - .. note:: This method checks both the PHP SAPI name currently in use - and if the ``STDIN`` constant is defined, which is usually a - failsafe way to see if PHP is being run via the command line. - - :: - - $this->input->is_cli_request() - - .. note:: This method is DEPRECATED and is now just an alias for the - :func:`is_cli()` function. - - .. php:method:: method([$upper = FALSE]) - - :param bool $upper: Whether to return the request method name in upper or lower case - :returns: HTTP request method - :rtype: string - - Returns the ``$_SERVER['REQUEST_METHOD']``, with the option to set it - in uppercase or lowercase. - :: - - echo $this->input->method(TRUE); // Outputs: POST - echo $this->input->method(FALSE); // Outputs: post - echo $this->input->method(); // Outputs: post |