summaryrefslogtreecommitdiffstats
path: root/system/core/Input.php
diff options
context:
space:
mode:
Diffstat (limited to 'system/core/Input.php')
-rw-r--r--[-rwxr-xr-x]system/core/Input.php482
1 files changed, 248 insertions, 234 deletions
diff --git a/system/core/Input.php b/system/core/Input.php
index 0dc2c4550..162e40c85 100755..100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -1,20 +1,30 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/**
* CodeIgniter
*
- * An open source application development framework for PHP 5.1.6 or newer
+ * An open source application development framework for PHP 5.2.4 or newer
+ *
+ * NOTICE OF LICENSE
+ *
+ * Licensed under the Open Software License version 3.0
+ *
+ * This source file is subject to the Open Software License (OSL 3.0) that is
+ * bundled with this package in the files license.txt / license.rst. It is
+ * also available through the world wide web at this URL:
+ * http://opensource.org/licenses/OSL-3.0
+ * If you did not receive a copy of the license and are unable to obtain it
+ * through the world wide web, please send an email to
+ * licensing@ellislab.com so we can send you a copy immediately.
*
* @package CodeIgniter
- * @author ExpressionEngine Dev Team
- * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
- * @license http://codeigniter.com/user_guide/license.html
+ * @author EllisLab Dev Team
+ * @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/)
+ * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
* @link http://codeigniter.com
* @since Version 1.0
* @filesource
*/
-// ------------------------------------------------------------------------
-
/**
* Input Class
*
@@ -23,7 +33,7 @@
* @package CodeIgniter
* @subpackage Libraries
* @category Input
- * @author ExpressionEngine Dev Team
+ * @author EllisLab Dev Team
* @link http://codeigniter.com/user_guide/libraries/input.html
*/
class CI_Input {
@@ -33,46 +43,51 @@ class CI_Input {
*
* @var string
*/
- var $ip_address = FALSE;
+ public $ip_address = FALSE;
+
/**
* user agent (web browser) being used by the current user
*
* @var string
*/
- var $user_agent = FALSE;
+ public $user_agent = FALSE;
+
/**
* If FALSE, then $_GET will be set to an empty array
*
* @var bool
*/
- var $_allow_get_array = TRUE;
+ protected $_allow_get_array = TRUE;
+
/**
* If TRUE, then newlines are standardized
*
* @var bool
*/
- var $_standardize_newlines = TRUE;
+ protected $_standardize_newlines = TRUE;
+
/**
* Determines whether the XSS filter is always active when GET, POST or COOKIE data is encountered
* Set automatically based on config setting
*
* @var bool
*/
- var $_enable_xss = FALSE;
+ protected $_enable_xss = FALSE;
+
/**
* Enables a CSRF cookie token to be set.
* Set automatically based on config setting
*
* @var bool
*/
- var $_enable_csrf = FALSE;
+ protected $_enable_csrf = FALSE;
+
/**
* List of all HTTP request headers
*
* @var array
*/
- protected $headers = array();
-
+ protected $headers = array();
/**
* Constructor
@@ -80,14 +95,15 @@ class CI_Input {
* Sets whether to globally enable the XSS processing
* and whether to allow the $_GET array
*
+ * @return void
*/
public function __construct()
{
- log_message('debug', "Input Class Initialized");
+ log_message('debug', 'Input Class Initialized');
$this->_allow_get_array = (config_item('allow_get_array') === TRUE);
- $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
- $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
+ $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
+ $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
global $SEC;
$this->security =& $SEC;
@@ -110,17 +126,16 @@ class CI_Input {
*
* This is a helper function to retrieve values from global arrays
*
- * @access private
* @param array
* @param string
* @param bool
* @return string
*/
- function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
+ protected function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
{
if ( ! isset($array[$index]))
{
- return FALSE;
+ return NULL;
}
if ($xss_clean === TRUE)
@@ -134,17 +149,16 @@ class CI_Input {
// --------------------------------------------------------------------
/**
- * Fetch an item from the GET array
- *
- * @access public
- * @param string
- * @param bool
- * @return string
- */
- function get($index = NULL, $xss_clean = FALSE)
+ * Fetch an item from the GET array
+ *
+ * @param string
+ * @param bool
+ * @return string
+ */
+ public function get($index = NULL, $xss_clean = FALSE)
{
// Check if a field has been provided
- if ($index === NULL AND ! empty($_GET))
+ if ($index === NULL && ! empty($_GET))
{
$get = array();
@@ -162,17 +176,16 @@ class CI_Input {
// --------------------------------------------------------------------
/**
- * Fetch an item from the POST array
- *
- * @access public
- * @param string
- * @param bool
- * @return string
- */
- function post($index = NULL, $xss_clean = FALSE)
+ * Fetch an item from the POST array
+ *
+ * @param string
+ * @param bool
+ * @return string
+ */
+ public function post($index = NULL, $xss_clean = FALSE)
{
// Check if a field has been provided
- if ($index === NULL AND ! empty($_POST))
+ if ($index === NULL && ! empty($_POST))
{
$post = array();
@@ -191,36 +204,29 @@ class CI_Input {
// --------------------------------------------------------------------
/**
- * Fetch an item from either the GET array or the POST
- *
- * @access public
- * @param string The index key
- * @param bool XSS cleaning
- * @return string
- */
- function get_post($index = '', $xss_clean = FALSE)
+ * Fetch an item from either the GET array or the POST
+ *
+ * @param string The index key
+ * @param bool XSS cleaning
+ * @return string
+ */
+ public function get_post($index = '', $xss_clean = FALSE)
{
- if ( ! isset($_POST[$index]) )
- {
- return $this->get($index, $xss_clean);
- }
- else
- {
- return $this->post($index, $xss_clean);
- }
+ return isset($_POST[$index])
+ ? $this->post($index, $xss_clean)
+ : $this->get($index, $xss_clean);
}
// --------------------------------------------------------------------
/**
- * Fetch an item from the COOKIE array
- *
- * @access public
- * @param string
- * @param bool
- * @return string
- */
- function cookie($index = '', $xss_clean = FALSE)
+ * Fetch an item from the COOKIE array
+ *
+ * @param string
+ * @param bool
+ * @return string
+ */
+ public function cookie($index = '', $xss_clean = FALSE)
{
return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
}
@@ -228,27 +234,27 @@ class CI_Input {
// ------------------------------------------------------------------------
/**
- * Set cookie
- *
- * Accepts six parameter, or you can submit an associative
- * array in the first parameter containing all the values.
- *
- * @access public
- * @param mixed
- * @param string the value of the cookie
- * @param string the number of seconds until expiration
- * @param string the cookie domain. Usually: .yourdomain.com
- * @param string the cookie path
- * @param string the cookie prefix
- * @param bool true makes the cookie secure
- * @return void
- */
- function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
+ * Set cookie
+ *
+ * Accepts seven parameters, or you can submit an associative
+ * array in the first parameter containing all the values.
+ *
+ * @param mixed
+ * @param string the value of the cookie
+ * @param string the number of seconds until expiration
+ * @param string the cookie domain. Usually: .yourdomain.com
+ * @param string the cookie path
+ * @param string the cookie prefix
+ * @param bool true makes the cookie secure
+ * @param bool true makes the cookie accessible via http(s) only (no javascript)
+ * @return void
+ */
+ public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
{
if (is_array($name))
{
// always leave 'name' in last place, as the loop will break otherwise, due to $$item
- foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item)
+ foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
{
if (isset($name[$item]))
{
@@ -257,23 +263,31 @@ class CI_Input {
}
}
- if ($prefix == '' AND config_item('cookie_prefix') != '')
+ if ($prefix === '' && config_item('cookie_prefix') !== '')
{
$prefix = config_item('cookie_prefix');
}
- if ($domain == '' AND config_item('cookie_domain') != '')
+
+ if ($domain == '' && config_item('cookie_domain') != '')
{
$domain = config_item('cookie_domain');
}
- if ($path == '/' AND config_item('cookie_path') != '/')
+
+ if ($path === '/' && config_item('cookie_path') !== '/')
{
$path = config_item('cookie_path');
}
- if ($secure == FALSE AND config_item('cookie_secure') != FALSE)
+
+ if ($secure === FALSE && config_item('cookie_secure') !== FALSE)
{
$secure = config_item('cookie_secure');
}
+ if ($httponly === FALSE && config_item('cookie_httponly') !== FALSE)
+ {
+ $httponly = config_item('cookie_httponly');
+ }
+
if ( ! is_numeric($expire))
{
$expire = time() - 86500;
@@ -283,20 +297,19 @@ class CI_Input {
$expire = ($expire > 0) ? time() + $expire : 0;
}
- setcookie($prefix.$name, $value, $expire, $path, $domain, $secure);
+ setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
}
// --------------------------------------------------------------------
/**
- * Fetch an item from the SERVER array
- *
- * @access public
- * @param string
- * @param bool
- * @return string
- */
- function server($index = '', $xss_clean = FALSE)
+ * Fetch an item from the SERVER array
+ *
+ * @param string
+ * @param bool
+ * @return string
+ */
+ public function server($index = '', $xss_clean = FALSE)
{
return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
}
@@ -304,12 +317,11 @@ class CI_Input {
// --------------------------------------------------------------------
/**
- * Fetch the IP Address
- *
- * @access public
- * @return string
- */
- function ip_address()
+ * Fetch the IP Address
+ *
+ * @return string
+ */
+ public function ip_address()
{
if ($this->ip_address !== FALSE)
{
@@ -323,11 +335,11 @@ class CI_Input {
$this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
}
- elseif (! $this->server('HTTP_CLIENT_IP') AND $this->server('REMOTE_ADDR'))
+ elseif ( ! $this->server('HTTP_CLIENT_IP') && $this->server('REMOTE_ADDR'))
{
$this->ip_address = $_SERVER['REMOTE_ADDR'];
}
- elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
+ elseif ($this->server('REMOTE_ADDR') && $this->server('HTTP_CLIENT_IP'))
{
$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
}
@@ -342,8 +354,7 @@ class CI_Input {
if ($this->ip_address === FALSE)
{
- $this->ip_address = '0.0.0.0';
- return $this->ip_address;
+ return $this->ip_address = '0.0.0.0';
}
if (strpos($this->ip_address, ',') !== FALSE)
@@ -354,7 +365,7 @@ class CI_Input {
if ( ! $this->valid_ip($this->ip_address))
{
- $this->ip_address = '0.0.0.0';
+ return $this->ip_address = '0.0.0.0';
}
return $this->ip_address;
@@ -363,99 +374,89 @@ class CI_Input {
// --------------------------------------------------------------------
/**
- * Validate IP Address
- *
- * Updated version suggested by Geert De Deckere
- *
- * @access public
- * @param string
- * @return string
- */
- function valid_ip($ip)
+ * Validate IP Address
+ *
+ * @param string
+ * @param string 'ipv4' or 'ipv6'
+ * @return bool
+ */
+ public function valid_ip($ip, $which = '')
{
- $ip_segments = explode('.', $ip);
-
- // Always 4 segments needed
- if (count($ip_segments) != 4)
- {
- return FALSE;
- }
- // IP can not start with 0
- if ($ip_segments[0][0] == '0')
+ switch (strtolower($which))
{
- return FALSE;
- }
- // Check each segment
- foreach ($ip_segments as $segment)
- {
- // IP segments must be digits and can not be
- // longer than 3 digits or greater then 255
- if ($segment == '' OR preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
- {
- return FALSE;
- }
+ case 'ipv4':
+ $which = FILTER_FLAG_IPV4;
+ break;
+ case 'ipv6':
+ $which = FILTER_FLAG_IPV6;
+ break;
+ default:
+ $which = NULL;
+ break;
}
- return TRUE;
+ return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which);
}
// --------------------------------------------------------------------
/**
- * User Agent
- *
- * @access public
- * @return string
- */
- function user_agent()
+ * User Agent
+ *
+ * @return string
+ */
+ public function user_agent()
{
if ($this->user_agent !== FALSE)
{
return $this->user_agent;
}
- $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
-
- return $this->user_agent;
+ return $this->user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : FALSE;
}
// --------------------------------------------------------------------
/**
- * Sanitize Globals
- *
- * This function does the following:
- *
- * Unsets $_GET data (if query strings are not enabled)
- *
- * Unsets all globals if register_globals is enabled
- *
- * Standardizes newline characters to \n
- *
- * @access private
- * @return void
- */
- function _sanitize_globals()
+ * Sanitize Globals
+ *
+ * This function does the following:
+ *
+ * - Unsets $_GET data (if query strings are not enabled)
+ * - Unsets all globals if register_globals is enabled
+ * - Standardizes newline characters to \n
+ *
+ * @return void
+ */
+ protected function _sanitize_globals()
{
// It would be "wrong" to unset any of these GLOBALS.
- $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST',
- '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
- 'system_folder', 'application_folder', 'BM', 'EXT',
- 'CFG', 'URI', 'RTR', 'OUT', 'IN');
+ $protected = array(
+ '_SERVER',
+ '_GET',
+ '_POST',
+ '_FILES',
+ '_REQUEST',
+ '_SESSION',
+ '_ENV',
+ 'GLOBALS',
+ 'HTTP_RAW_POST_DATA',
+ 'system_folder',
+ 'application_folder',
+ 'BM',
+ 'EXT',
+ 'CFG',
+ 'URI',
+ 'RTR',
+ 'OUT',
+ 'IN'
+ );
// Unset globals for securiy.
// This is effectively the same as register_globals = off
foreach (array($_GET, $_POST, $_COOKIE) as $global)
{
- if ( ! is_array($global))
- {
- if ( ! in_array($global, $protected))
- {
- global $$global;
- $$global = NULL;
- }
- }
- else
+ if (is_array($global))
{
foreach ($global as $key => $val)
{
@@ -466,26 +467,28 @@ class CI_Input {
}
}
}
+ elseif ( ! in_array($global, $protected))
+ {
+ global $$global;
+ $$global = NULL;
+ }
}
// Is $_GET data allowed? If not we'll set the $_GET to an empty array
- if ($this->_allow_get_array == FALSE)
+ if ($this->_allow_get_array === FALSE)
{
$_GET = array();
}
- else
+ elseif (is_array($_GET) && count($_GET) > 0)
{
- if (is_array($_GET) AND count($_GET) > 0)
+ foreach ($_GET as $key => $val)
{
- foreach ($_GET as $key => $val)
- {
- $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
- }
+ $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
}
// Clean $_POST Data
- if (is_array($_POST) AND count($_POST) > 0)
+ if (is_array($_POST) && count($_POST) > 0)
{
foreach ($_POST as $key => $val)
{
@@ -494,7 +497,7 @@ class CI_Input {
}
// Clean $_COOKIE Data
- if (is_array($_COOKIE) AND count($_COOKIE) > 0)
+ if (is_array($_COOKIE) && count($_COOKIE) > 0)
{
// Also get rid of specially treated cookies that might be set by a server
// or silly application, that are of no use to a CI application anyway
@@ -514,29 +517,27 @@ class CI_Input {
// Sanitize PHP_SELF
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
-
// CSRF Protection check
- if ($this->_enable_csrf == TRUE)
+ if ($this->_enable_csrf === TRUE)
{
$this->security->csrf_verify();
}
- log_message('debug', "Global POST and COOKIE data sanitized");
+ log_message('debug', 'Global POST and COOKIE data sanitized');
}
// --------------------------------------------------------------------
/**
- * Clean Input Data
- *
- * This is a helper function. It escapes data and
- * standardizes newline characters to \n
- *
- * @access private
- * @param string
- * @return string
- */
- function _clean_input_data($str)
+ * Clean Input Data
+ *
+ * This is a helper function. It escapes data and
+ * standardizes newline characters to \n
+ *
+ * @param string
+ * @return string
+ */
+ protected function _clean_input_data($str)
{
if (is_array($str))
{
@@ -548,8 +549,12 @@ class CI_Input {
return $new_array;
}
- // We strip slashes if magic quotes is on to keep things consistent
- if (function_exists('get_magic_quotes_gpc') AND get_magic_quotes_gpc())
+ /* We strip slashes if magic quotes is on to keep things consistent
+
+ NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
+ it will probably not exist in future versions at all.
+ */
+ if ( ! is_php('5.4') && get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
@@ -570,12 +575,9 @@ class CI_Input {
}
// Standardize newlines if needed
- if ($this->_standardize_newlines == TRUE)
+ if ($this->_standardize_newlines === TRUE && strpos($str, "\r") !== FALSE)
{
- if (strpos($str, "\r") !== FALSE)
- {
- $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
- }
+ return str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
}
return $str;
@@ -584,27 +586,27 @@ class CI_Input {
// --------------------------------------------------------------------
/**
- * Clean Keys
- *
- * This is a helper function. To prevent malicious users
- * from trying to exploit keys we make sure that keys are
- * only named with alpha-numeric text and a few other items.
- *
- * @access private
- * @param string
- * @return string
- */
- function _clean_input_keys($str)
+ * Clean Keys
+ *
+ * This is a helper function. To prevent malicious users
+ * from trying to exploit keys we make sure that keys are
+ * only named with alpha-numeric text and a few other items.
+ *
+ * @param string
+ * @return string
+ */
+ protected function _clean_input_keys($str)
{
- if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
+ if ( ! preg_match('/^[a-z0-9:_\/-]+$/i', $str))
{
+ set_status_header(503);
exit('Disallowed Key Characters.');
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE)
{
- $str = $this->uni->clean_string($str);
+ return $this->uni->clean_string($str);
}
return $str;
@@ -618,9 +620,8 @@ class CI_Input {
* In Apache, you can simply call apache_request_headers(), however for
* people running other webservers the function is undefined.
*
- * @param bool XSS cleaning
- *
- * @return array
+ * @param bool XSS cleaning
+ * @return array
*/
public function request_headers($xss_clean = FALSE)
{
@@ -631,11 +632,11 @@ class CI_Input {
}
else
{
- $headers['Content-Type'] = (isset($_SERVER['CONTENT_TYPE'])) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');
+ $headers['Content-Type'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');
foreach ($_SERVER as $key => $val)
{
- if (strncmp($key, 'HTTP_', 5) === 0)
+ if (strpos($key, 'HTTP_') === 0)
{
$headers[substr($key, 5)] = $this->_fetch_from_array($_SERVER, $key, $xss_clean);
}
@@ -661,9 +662,9 @@ class CI_Input {
*
* Returns the value of a single member of the headers class member
*
- * @param string array key for $this->headers
- * @param boolean XSS Clean or not
- * @return mixed FALSE on failure, string on success
+ * @param string array key for $this->headers
+ * @param bool XSS Clean or not
+ * @return mixed FALSE on failure, string on success
*/
public function get_request_header($index, $xss_clean = FALSE)
{
@@ -674,15 +675,12 @@ class CI_Input {
if ( ! isset($this->headers[$index]))
{
- return FALSE;
+ return NULL;
}
- if ($xss_clean === TRUE)
- {
- return $this->security->xss_clean($this->headers[$index]);
- }
-
- return $this->headers[$index];
+ return ($xss_clean === TRUE)
+ ? $this->security->xss_clean($this->headers[$index])
+ : $this->headers[$index];
}
// --------------------------------------------------------------------
@@ -692,11 +690,11 @@ class CI_Input {
*
* Test to see if a request contains the HTTP_X_REQUESTED_WITH header
*
- * @return boolean
+ * @return bool
*/
public function is_ajax_request()
{
- return ($this->server('HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest');
+ return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest');
}
// --------------------------------------------------------------------
@@ -706,15 +704,31 @@ class CI_Input {
*
* Test to see if a request was made from the command line
*
- * @return boolean
+ * @return bool
*/
public function is_cli_request()
{
- return (php_sapi_name() == 'cli') or defined('STDIN');
+ return (php_sapi_name() === 'cli' OR defined('STDIN'));
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Get Request Method
+ *
+ * Return the Request Method
+ *
+ * @param bool uppercase or lowercase
+ * @return bool
+ */
+ public function method($upper = FALSE)
+ {
+ return ($upper)
+ ? strtoupper($this->server('REQUEST_METHOD'))
+ : strtolower($this->server('REQUEST_METHOD'));
}
}
-// END Input class
/* End of file Input.php */
-/* Location: ./system/core/Input.php */
+/* Location: ./system/core/Input.php */ \ No newline at end of file