-rw-r--r--system/core/Common.php37
-rw-r--r--system/database/drivers/mssql/mssql_driver.php5
-rw-r--r--system/database/drivers/oci8/oci8_driver.php5
-rw-r--r--system/database/drivers/odbc/odbc_driver.php5
-rw-r--r--system/libraries/Security.php42
-rw-r--r--user_guide/changelog.html3
-rw-r--r--user_guide/general/common_functions.html6
7 files changed, 50 insertions, 53 deletions
diff --git a/system/core/Common.php b/system/core/Common.php
index 6e2f72509..9dee591e6 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -479,6 +479,43 @@
$_error->log_exception($severity, $message, $filepath, $line);
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Remove Invisible Characters
+ *
+ * This prevents sandwiching null characters
+ * between ascii characters, like Java\0script.
+ *
+ * @access public
+ * @param string
+ * @return string
+ */
+ function remove_invisible_characters($str)
+ {
+ static $non_displayables;
+
+ if ( ! isset($non_displayables))
+ {
+ // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
+ $non_displayables = array(
+ '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
+ '/%1[0-9a-f]/', // url encoded 16-31
+ '/[\x00-\x08]/', // 00-08
+ '/\x0b/', '/\x0c/', // 11, 12
+ '/[\x0e-\x1f]/' // 14-31
+ );
+ }
+
+ do
+ {
+ $cleaned = $str;
+ $str = preg_replace($non_displayables, '', $str);
+ }
+ while ($cleaned != $str);
+
+ return $str;
+ }
/* End of file Common.php */
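Review bot: The two URL-encoded patterns in the new remove_invisible_characters() are case-sensitive, so `%0B`, `%0C`, `%0E`, `%0F` and `%1A`–`%1F` written with uppercase hex pass through untouched while their lowercase forms are stripped; percent-encoding is case-insensitive, so the function should match both: `'/%0[0-8bcef]/i', // url encoded 00-08, 11, 12, 14, 15` and `'/%1[0-9a-f]/i', // url encoded 16-31`. The loop guard uses loose comparison, which for two numeric strings compares by value rather than bytes; `while ($cleaned !== $str);` makes the intent explicit and costs nothing. Note also that preg_replace() returns NULL on a PCRE error, and the loop as written would then return NULL to the caller rather than the input; a `$str === NULL` check after the call, or a docblock sentence stating that callers must expect NULL, would close that gap. The function is complete within this hunk.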
diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 0c74726a2..40900e832 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -260,12 +260,9 @@ class CI_DB_mssql_driver extends CI_DB {
return $str;
}
-
- // Access the CI object
- $CI =& get_instance();
// Escape single quotes
- $str = str_replace("'", "''", $CI->input->_remove_invisible_characters($str));
+ $str = str_replace("'", "''", remove_invisible_characters($str));
// escape LIKE condition wildcards
if ($like === TRUE)
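Review bot: escape_str() here (and in the oci8 and odbc hunks that make the same change) now calls the global remove_invisible_characters(), which besides raw control bytes also deletes the literal substrings `%0b`, `%0c`, `%0e`, `%0f` and `%10`–`%1f` from the value being escaped, so a legitimately stored string containing such a sequence is silently altered before it reaches the database. The behaviour is the same as the old `$CI->input->_remove_invisible_characters()` call, so the commit does not introduce it, but moving the helper into a plain function is the moment to document it: a comment such as `// NOTE: also strips url-encoded control sequences (%0b, %1f, ...) from the value, not just raw bytes` above the call would stop the next reader from assuming this is a pure byte filter. The enclosing escape_str() starts and ends outside the hunk.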
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index cd0e09577..6f317d2e6 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -403,10 +403,7 @@ class CI_DB_oci8_driver extends CI_DB {
return $str;
}
- // Access the CI object
- $CI =& get_instance();
-
- $str = $CI->input->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index d5df8ef8c..6e682313f 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -271,12 +271,9 @@ class CI_DB_odbc_driver extends CI_DB {
return $str;
}
-
- // Access the CI object
- $CI =& get_instance();
// ODBC doesn't require escaping
- $str = $CI->input->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index 60adf0a27..cdae50168 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -198,7 +198,7 @@ class CI_Security {
/*
* Remove Invisible Characters
*/
- $str = $this->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
/*
* Protect GET variables in URLs
@@ -258,7 +258,7 @@ class CI_Security {
/*
* Remove Invisible Characters Again!
*/
- $str = $this->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
@@ -481,44 +481,6 @@ class CI_Security {
// --------------------------------------------------------------------
/**
- * Remove Invisible Characters
- *
- * This prevents sandwiching null characters
- * between ascii characters, like Java\0script.
- *
- * @access public
- * @param string
- * @return string
- */
- function _remove_invisible_characters($str)
- {
- static $non_displayables;
-
- if ( ! isset($non_displayables))
- {
- // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
- $non_displayables = array(
- '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
- '/%1[0-9a-f]/', // url encoded 16-31
- '/[\x00-\x08]/', // 00-08
- '/\x0b/', '/\x0c/', // 11, 12
- '/[\x0e-\x1f]/' // 14-31
- );
- }
-
- do
- {
- $cleaned = $str;
- $str = preg_replace($non_displayables, '', $str);
- }
- while ($cleaned != $str);
-
- return $str;
- }
-
- // --------------------------------------------------------------------
-
- /**
* Compact Exploded Words
*
* Callback function for xss_clean() to remove whitespace from
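Review bot: The public method CI_Security::_remove_invisible_characters() is deleted outright, so any application or third-party code that called it through the loaded security (or input) object will now fatal with an undefined method, and the changelog describes this as a move rather than a removal. If backward compatibility matters for this release, a one-line forwarding shim keeps old callers working: `/** @deprecated use remove_invisible_characters() */ function _remove_invisible_characters($str) { return remove_invisible_characters($str); }`. The two earlier hunks in this file correctly switch xss_clean() to the global function and need no change.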
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 02cf6d06f..5e0f5ae05 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -133,7 +133,8 @@ Hg Tag: </p>
<li>Eliminated a call to is_really_writable() on each request unless it is really needed (Output caching)</li>
<li>Documented <kbd>append_output()</kbd> in the <a href="libraries/output.html">Output Class</a>.</li>
<li>Documented a second argument in the <kbd>decode()</kbd> function for the <a href="libraries/encryption.html">Encryption Class</a>.</li>
- <li>Documentd db->close().</li>
+ <li>Documented db->close().</li>
+ <li>Moved _remove_invisible_characters() function from the <a href="libraries/security.html">Security Library</a> to <a href="general/common_functions.html">common functions.</a></li>
</ul>
</li>
</ul>
diff --git a/user_guide/general/common_functions.html b/user_guide/general/common_functions.html
index 196e3777e..0e68d1113 100644
--- a/user_guide/general/common_functions.html
+++ b/user_guide/general/common_functions.html
@@ -99,6 +99,12 @@ else<br />
<p><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html">See here</a> for a full list of headers.</p>
+
+<h2>remove_invisible_characters(<var>$str</var>)</h2>
+<p>This function prevents inserting null characters between ascii characters, like Java\0script.</p>
+
+
+
</div>