Input Class
The Input Class serves two purposes:
- It pre-processes global input data for security.
- It provides some helper functions for fetching input data and pre-processing it.
Note: This class is initialized automatically by the system so there is no need to do it manually.
Security Filtering
The security filtering function is called automatically when a new controller is invoked. It does the following:
- Destroys the global GET array. Since CodeIgniter does not utilize GET strings, there is no reason to allow it.
- Destroys all global variables in the event register_globals is turned on.
- Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.
- Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.
- Standardizes newline characters to \n
XSS Filtering
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.
Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
To filter data through the XSS filter use this function:
$this->input->xss_clean()
Here is an usage example:
$data = $this->input->xss_clean($data);
If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:
$config['global_xss_filtering'] = TRUE;
Note: If you use the form validation class, it gives you the option of XSS filtering as well.
An optional second parameter, is_image, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.
if ($this->input->xss_clean($file, TRUE) === FALSE)
{
// file failed the XSS test
}
Using POST, COOKIE, or SERVER Data
CodeIgniter comes with three helper functions that let you fetch POST, COOKIE or SERVER items. The main advantage of using the provided functions rather than fetching an item directly ($_POST['something']) is that the functions will check to see if the item is set and return false (boolean) if not. This lets you conveniently use data without having to test whether an item exists first. In other words, normally you might do something like this:
if ( ! isset($_POST['something']))
{
$something = FALSE;
}
else
{
$something = $_POST['something'];
}
With CodeIgniter's built in functions you can simply do this:
$something = $this->input->post('something');
The three functions are:
- $this->input->post()
- $this->input->cookie()
- $this->input->server()
$this->input->post()
The first parameter will contain the name of the POST item you are looking for:
$this->input->post('some_data');
The function returns FALSE (boolean) if the item you are attempting to retrieve does not exist.
The second optional parameter lets you run the data through the XSS filter. It's enabled by setting the second parameter to boolean TRUE;
$this->input->post('some_data', TRUE);
$this->input->get()
This function is identical to the post function, only it fetches get data:
$this->input->get('some_data', TRUE);
$this->input->get_post()
This function will search through both the post and get streams for data, looking first in post, and then in get:
$this->input->get_post('some_data', TRUE);
$this->input->cookie()
This function is identical to the post function, only it fetches cookie data:
$this->input->cookie('some_data', TRUE);
$this->input->server()
This function is identical to the above functions, only it fetches server data:
$this->input->server('some_data');
$this->input->ip_address()
Returns the IP address for the current user. If the IP address is not valid, the function will return an IP of: 0.0.0.0
echo $this->input->ip_address();
$this->input->valid_ip($ip)
Takes an IP address as input and returns TRUE or FALSE (boolean) if it is valid or not. Note: The $this->input->ip_address() function above validates the IP automatically.
if ( ! $this->input->valid_ip($ip))
{
echo 'Not Valid';
}
else
{
echo 'Valid';
}
$this->input->user_agent()
Returns the user agent (web browser) being used by the current user. Returns FALSE if it's not available.
echo $this->input->user_agent();