+ +
+

Input Class

+

The Input Class serves two purposes:

+
    +
  1. It pre-processes global input data for security.
  2. +
  3. It provides some helper methods for fetching input data and pre-processing it.
  4. +
+
+

Note

+

This class is initialized automatically by the system so there +is no need to do it manually.

+
+ +
+

Input Filtering

+
+

Security Filtering

+

The security filtering method is called automatically when a new +controller is invoked. It does the +following:

+
    +
  • If $config['allow_get_array'] is FALSE (default is TRUE), destroys +the global GET array.
  • +
  • Destroys all global variables in the event register_globals is +turned on.
  • +
  • Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric +(and a few other) characters.
  • +
  • Provides XSS (Cross-site Scripting Hacks) filtering. This can be +enabled globally, or upon request.
  • +
  • Standardizes newline characters to PHP_EOL (\n in UNIX-based OSes, +\r\n under Windows). This is configurable.
  • +
+
+
+

XSS Filtering

+

The Input class has the ability to filter input automatically to prevent +cross-site scripting attacks. If you want the filter to run +automatically every time it encounters POST or COOKIE data you can +enable it by opening your application/config/config.php file and setting +this:

+
$config['global_xss_filtering'] = TRUE;
+
+
+

Please refer to the Security class documentation for +information on using XSS Filtering in your application.

+
+

Important

+

The ‘global_xss_filtering’ setting is DEPRECATED and kept +solely for backwards-compatibility purposes. XSS escaping should +be performed on output, not input!

+
+
+
+
+

Accessing form data

+
+

Using POST, GET, COOKIE, or SERVER Data

+

CodeIgniter comes with helper methods that let you fetch POST, GET, +COOKIE or SERVER items. The main advantage of using the provided +methods rather than fetching an item directly ($_POST['something']) +is that the methods will check to see if the item is set and return +NULL if not. This lets you conveniently use data without +having to test whether an item exists first. In other words, normally +you might do something like this:

+
$something = isset($_POST['something']) ? $_POST['something'] : NULL;
+
+
+

With CodeIgniter’s built in methods you can simply do this:

+
$something = $this->input->post('something');
+
+
+

The main methods are:

+
    +
  • $this->input->post()
  • +
  • $this->input->get()
  • +
  • $this->input->cookie()
  • +
  • $this->input->server()
  • +
+
+
+

Using the php://input stream

+

If you want to utilize the PUT, DELETE, PATCH or other exotic request +methods, they can only be accessed via a special input stream, that +can only be read once. This isn’t as easy as just reading from e.g. +the $_POST array, because it will always exist and you can try +and access multiple variables without caring that you might only have +one shot at all of the POST data.

+

CodeIgniter will take care of that for you, and you can read the data +from the php://input stream at any time, just by using the +$raw_input_stream property:

+
$this->input->raw_input_stream;
+
+
+

Additionally if the input stream is form-encoded like $_POST you can +access its values by calling the +input_stream() method:

+
$this->input->input_stream('key');
+
+
+

Similar to other methods such as get() and post(), if the +requested data is not found, it will return NULL and you can also +decide whether to run the data through xss_clean() by passing +a boolean value as the second parameter:

+
$this->input->input_stream('key', TRUE); // XSS Clean
+$this->input->input_stream('key', FALSE); // No XSS filter
+
+
+
+

Note

+

You can utilize method() in order to know if you’re reading +PUT, DELETE or PATCH data.

+
+
+
+
+

Class Reference

+
+
+class CI_Input
+
+
+$raw_input_stream
+

Read only property that will return php://input data as is.

+

The property can be read multiple times.

+
+ +
+
+post([$index = NULL[, $xss_clean = NULL]])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (mixed) – POST parameter name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

$_POST if no parameters supplied, otherwise the POST value if found or NULL if not

+
Return type:

mixed

+
+

The first parameter will contain the name of the POST item you are +looking for:

+
$this->input->post('some_data');
+
+
+

The method returns NULL if the item you are attempting to retrieve +does not exist.

+

The second optional parameter lets you run the data through the XSS +filter. It’s enabled by setting the second parameter to boolean TRUE +or by setting your $config['global_xss_filtering'] to TRUE.

+
$this->input->post('some_data', TRUE);
+
+
+

To return an array of all POST items call without any parameters.

+

To return all POST items and pass them through the XSS filter set the +first parameter NULL while setting the second parameter to boolean TRUE.

+
$this->input->post(NULL, TRUE); // returns all POST items with XSS filter
+$this->input->post(NULL, FALSE); // returns all POST items without XSS filter
+
+
+

To return an array of multiple POST parameters, pass all the required keys +as an array.

+
$this->input->post(array('field1', 'field2'));
+
+
+

Same rule applied here, to retrieve the parameters with XSS filtering enabled, set the +second parameter to boolean TRUE.

+
$this->input->post(array('field1', 'field2'), TRUE);
+
+
+
+ +
+
+get([$index = NULL[, $xss_clean = NULL]])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (mixed) – GET parameter name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

$_GET if no parameters supplied, otherwise the GET value if found or NULL if not

+
Return type:

mixed

+
+

This method is identical to post(), only it fetches GET data.

+
$this->input->get('some_data', TRUE);
+
+
+

To return an array of all GET items call without any parameters.

+

To return all GET items and pass them through the XSS filter set the +first parameter NULL while setting the second parameter to boolean TRUE.

+
$this->input->get(NULL, TRUE); // returns all GET items with XSS filter
+$this->input->get(NULL, FALSE); // returns all GET items without XSS filtering
+
+
+

To return an array of multiple GET parameters, pass all the required keys +as an array.

+
$this->input->get(array('field1', 'field2'));
+
+
+

Same rule applied here, to retrieve the parameters with XSS filtering enabled, set the +second parameter to boolean TRUE.

+
$this->input->get(array('field1', 'field2'), TRUE);
+
+
+
+ +
+
+post_get($index[, $xss_clean = NULL])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (string) – POST/GET parameter name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

POST/GET value if found, NULL if not

+
Return type:

mixed

+
+

This method works pretty much the same way as post() and get(), +only combined. It will search through both POST and GET streams for data, +looking in POST first, and then in GET:

+
$this->input->post_get('some_data', TRUE);
+
+
+
+ +
+
+get_post($index[, $xss_clean = NULL])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (string) – GET/POST parameter name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

GET/POST value if found, NULL if not

+
Return type:

mixed

+
+

This method works the same way as post_get() only it looks for GET +data first.

+
+
$this->input->get_post(‘some_data’, TRUE);
+
+

Note

+

This method used to act EXACTLY like post_get(), but it’s +behavior has changed in CodeIgniter 3.0.

+
+
+ +
+
+cookie([$index = NULL[, $xss_clean = NULL]])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (mixed) – COOKIE name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

$_COOKIE if no parameters supplied, otherwise the COOKIE value if found or NULL if not

+
Return type:

mixed

+
+

This method is identical to post() and get(), only it fetches cookie +data:

+
$this->input->cookie('some_cookie');
+$this->input->cookie('some_cookie', TRUE); // with XSS filter
+
+
+

To return an array of multiple cookie values, pass all the required keys +as an array.

+
$this->input->cookie(array('some_cookie', 'some_cookie2'));
+
+
+
+

Note

+

Unlike the Cookie Helper +function get_cookie(), this method does NOT prepend +your configured $config['cookie_prefix'] value.

+
+
+ +
+
+server($index[, $xss_clean = NULL])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (mixed) – Value name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

$_SERVER item value if found, NULL if not

+
Return type:

mixed

+
+

This method is identical to the post(), get() and cookie() +methods, only it fetches server data ($_SERVER):

+
$this->input->server('some_data');
+
+
+

To return an array of multiple $_SERVER values, pass all the required keys +as an array.

+
$this->input->server(array('SERVER_PROTOCOL', 'REQUEST_URI'));
+
+
+
+ +
+
+input_stream([$index = NULL[, $xss_clean = NULL]])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (mixed) – Key name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

Input stream array if no parameters supplied, otherwise the specified value if found or NULL if not

+
Return type:

mixed

+
+

This method is identical to get(), post() and cookie(), +only it fetches the php://input stream data.

+
+ +
+ +
+++ + + + + + +
Parameters:
    +
  • $name (mixed) – Cookie name or an array of parameters
  • +
  • $value (string) – Cookie value
  • +
  • $expire (int) – Cookie expiration time in seconds
  • +
  • $domain (string) – Cookie domain
  • +
  • $path (string) – Cookie path
  • +
  • $prefix (string) – Cookie name prefix
  • +
  • $secure (bool) – Whether to only transfer the cookie through HTTPS
  • +
  • $httponly (bool) – Whether to only make the cookie accessible for HTTP requests (no JavaScript)
  • +
+
Return type:

void

+
+

Sets a cookie containing the values you specify. There are two ways to +pass information to this method so that a cookie can be set: Array +Method, and Discrete Parameters:

+

Array Method

+

Using this method, an associative array is passed to the first +parameter:

+
$cookie = array(
+        'name'   => 'The Cookie Name',
+        'value'  => 'The Value',
+        'expire' => '86500',
+        'domain' => '.some-domain.com',
+        'path'   => '/',
+        'prefix' => 'myprefix_',
+        'secure' => TRUE
+);
+
+$this->input->set_cookie($cookie);
+
+
+

Notes

+

Only the name and value are required. To delete a cookie set it with the +expiration blank.

+

The expiration is set in seconds, which will be added to the current +time. Do not include the time, but rather only the number of seconds +from now that you wish the cookie to be valid. If the expiration is +set to zero the cookie will only last as long as the browser is open.

+

For site-wide cookies regardless of how your site is requested, add your +URL to the domain starting with a period, like this: +.your-domain.com

+

The path is usually not needed since the method sets a root path.

+

The prefix is only needed if you need to avoid name collisions with +other identically named cookies for your server.

+

The httponly and secure flags, when omitted, will default to your +$config['cookie_httponly'] and $config['cookie_secure'] settings.

+

Discrete Parameters

+

If you prefer, you can set the cookie by passing data using individual +parameters:

+
$this->input->set_cookie($name, $value, $expire, $domain, $path, $prefix, $secure);
+
+
+
+ +
+
+ip_address()
+
+++ + + + + + +
Returns:Visitor’s IP address or ‘0.0.0.0’ if not valid
Return type:string
+

Returns the IP address for the current user. If the IP address is not +valid, the method will return ‘0.0.0.0’:

+
echo $this->input->ip_address();
+
+
+
+

Important

+

This method takes into account the $config['proxy_ips'] +setting and will return the reported HTTP_X_FORWARDED_FOR, +HTTP_CLIENT_IP, HTTP_X_CLIENT_IP or HTTP_X_CLUSTER_CLIENT_IP +address for the allowed IP addresses.

+
+
+ +
+
+valid_ip($ip[, $which = ''])
+
+++ + + + + + + + +
Parameters:
    +
  • $ip (string) – IP address
  • +
  • $which (string) – IP protocol (‘ipv4’ or ‘ipv6’)
  • +
+
Returns:

TRUE if the address is valid, FALSE if not

+
Return type:

bool

+
+

Takes an IP address as input and returns TRUE or FALSE (boolean) depending +on whether it is valid or not.

+
+

Note

+

The $this->input->ip_address() method above automatically +validates the IP address.

+
+
if ( ! $this->input->valid_ip($ip))
+{
+        echo 'Not Valid';
+}
+else
+{
+        echo 'Valid';
+}
+
+
+

Accepts an optional second string parameter of ‘ipv4’ or ‘ipv6’ to specify +an IP format. The default checks for both formats.

+
+ +
+
+user_agent([$xss_clean = NULL])
+
+++ + + + + + + + +
Returns:

User agent string or NULL if not set

+
Parameters:
    +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Return type:

mixed

+
+

Returns the user agent string (web browser) being used by the current user, +or NULL if it’s not available.

+
echo $this->input->user_agent();
+
+
+

See the User Agent Class for methods which extract +information from the user agent string.

+
+ +
+
+request_headers([$xss_clean = FALSE])
+
+++ + + + + + + + +
Parameters:
    +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

An array of HTTP request headers

+
Return type:

array

+
+

Returns an array of HTTP request headers. +Useful if running in a non-Apache environment where +apache_request_headers() +will not be supported.

+
$headers = $this->input->request_headers();
+
+
+
+ +
+
+get_request_header($index[, $xss_clean = FALSE])
+
+++ + + + + + + + +
Parameters:
    +
  • $index (string) – HTTP request header name
  • +
  • $xss_clean (bool) – Whether to apply XSS filtering
  • +
+
Returns:

An HTTP request header or NULL if not found

+
Return type:

string

+
+

Returns a single member of the request headers array or NULL +if the searched header is not found.

+
$this->input->get_request_header('some-header', TRUE);
+
+
+
+ +
+
+is_ajax_request()
+
+++ + + + + + +
Returns:TRUE if it is an Ajax request, FALSE if not
Return type:bool
+

Checks to see if the HTTP_X_REQUESTED_WITH server header has been +set, and returns boolean TRUE if it is or FALSE if not.

+
+ +
+
+is_cli_request()
+
+++ + + + + + +
Returns:TRUE if it is a CLI request, FALSE if not
Return type:bool
+

Checks to see if the application was run from the command-line +interface.

+
+

Note

+

This method checks both the PHP SAPI name currently in use +and if the STDIN constant is defined, which is usually a +failsafe way to see if PHP is being run via the command line.

+
+
$this->input->is_cli_request()
+
+
+
+

Note

+

This method is DEPRECATED and is now just an alias for the +is_cli() function.

+
+
+ +
+
+method([$upper = FALSE])
+
+++ + + + + + + + +
Parameters:
    +
  • $upper (bool) – Whether to return the request method name in upper or lower case
  • +
+
Returns:

HTTP request method

+
Return type:

string

+
+

Returns the $_SERVER['REQUEST_METHOD'], with the option to set it +in uppercase or lowercase.

+
echo $this->input->method(TRUE); // Outputs: POST
+echo $this->input->method(FALSE); // Outputs: post
+echo $this->input->method(); // Outputs: post
+
+
+
+ +
+ +
+
+ + +