summaryrefslogtreecommitdiffstats
path: root/user_guide/libraries/input.html
blob: 59198a24562e393aa7e7dbd321151ba9bfec015f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Input Class : CodeIgniter User Guide</title>

<style type='text/css' media='all'>@import url('../userguide.css');</style>
<link rel='stylesheet' type='text/css' media='all' href='../userguide.css' />

<script type="text/javascript" src="../nav/nav.js"></script>
<script type="text/javascript" src="../nav/prototype.lite.js"></script>
<script type="text/javascript" src="../nav/moo.fx.js"></script>
<script type="text/javascript" src="../nav/user_guide_menu.js"></script>

<meta http-equiv='expires' content='-1' />
<meta http-equiv= 'pragma' content='no-cache' />
<meta name='robots' content='all' />
<meta name='author' content='ExpressionEngine Dev Team' />
<meta name='description' content='CodeIgniter User Guide' />

</head>
<body>

<!-- START NAVIGATION -->
<div id="nav"><div id="nav_inner"><script type="text/javascript">create_menu('../');</script></div></div>
<div id="nav2"><a name="top"></a><a href="javascript:void(0);" onclick="myHeight.toggle();"><img src="../images/nav_toggle_darker.jpg" width="154" height="43" border="0" title="Toggle Table of Contents" alt="Toggle Table of Contents" /></a></div>
<div id="masthead">
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
<td><h1>CodeIgniter User Guide Version 2.0.0</h1></td>
<td id="breadcrumb_right"><a href="../toc.html">Table of Contents Page</a></td>
</tr>
</table>
</div>
<!-- END NAVIGATION -->


<!-- START BREADCRUMB -->
<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
<tr>
<td id="breadcrumb">
<a href="http://codeigniter.com/">CodeIgniter Home</a> &nbsp;&#8250;&nbsp;
<a href="../index.html">User Guide Home</a> &nbsp;&#8250;&nbsp;
Input and Security Class
</td>
<td id="searchbox"><form method="get" action="http://www.google.com/search"><input type="hidden" name="as_sitesearch" id="as_sitesearch" value="codeigniter.com/user_guide/" />Search User Guide&nbsp; <input type="text" class="input" style="width:200px;" name="q" id="q" size="31" maxlength="255" value="" />&nbsp;<input type="submit" class="submit" name="sa" value="Go" /></form></td>
</tr>
</table>
<!-- END BREADCRUMB -->

<br clear="all" />


<!-- START CONTENT -->
<div id="content">


<h1>Input Class</h1>

<p>The Input Class serves two purposes:</p>

<ol>
<li>It pre-processes global input data for security.</li>
<li>It provides some helper functions for fetching input data and pre-processing it.</li>
</ol>

<p class="important"><strong>Note:</strong> This class is initialized automatically by the system so there is no need to do it manually.</p>


<h2>Security Filtering</h2>

<p>The security filtering function is called automatically when a new <a href="../general/controllers.html">controller</a> is invoked.  It does the following:</p>

<ul>
<li>Destroys the global GET array.  Since CodeIgniter does not utilize GET strings, there is no reason to allow it.</li>
<li>Destroys all global variables in the event register_globals is turned on.</li>
<li>Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.</li>
<li>Provides XSS (Cross-site Scripting Hacks) filtering.  This can be enabled globally, or upon request.</li>
<li>Standardizes newline characters to \n</li>
</ul>


<h2>XSS Filtering</h2>

<p>CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter
all POST and COOKIE data that is encountered, or you can run it on a per item basis.  By default it does <strong>not</strong>
run globally since it requires a bit of processing overhead, and since you may not need it in all cases.</p>

<p>The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies
or do other malicious things.  If anything disallowed is encountered it is rendered safe by converting the data to character entities.</p>

<p>
Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.</p>


<p>To filter data through the XSS filter use this function:</p>

<h2>$this->input->xss_clean()</h2>

<p>Here is an usage example:</p>

<code>$data = $this->input->xss_clean($data);</code>

<p>If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your
<kbd>application/config/config.php</kbd> file and setting this:</p>

<code>$config['global_xss_filtering'] = TRUE;</code>

<p>Note: If you use the form validation class, it gives you the option of XSS filtering as well.</p>

<p>An optional second parameter, <dfn>is_image</dfn>, allows this function to be used to test images for potential XSS attacks, useful for file upload security.  When this second parameter is set to <dfn>TRUE</dfn>, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.</p>

<code>if ($this->input->xss_clean($file, TRUE) === FALSE)<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;// file failed the XSS test<br />
}</code>


<h2>Using POST, COOKIE, or SERVER Data</h2>

<p>CodeIgniter comes with three helper functions that let you fetch POST, COOKIE or SERVER items.  The main advantage of using the provided
functions rather than fetching an item directly ($_POST['something']) is that the functions will check to see if the item is set and
return false (boolean) if not.  This lets you conveniently use data without having to test whether an item exists first.
In other words, normally you might do something like this:</p>

<code>
if ( ! isset($_POST['something']))<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;$something = FALSE;<br />
}<br />
else<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;$something = $_POST['something'];<br />
}</code>

<p>With CodeIgniter's built in functions you can simply do this:</p>

<code>$something = $this->input->post('something');</code>

<p>The three functions are:</p>

<ul>
<li>$this->input->post()</li>
<li>$this->input->cookie()</li>
<li>$this->input->server()</li>
</ul>

<h2>$this->input->post()</h2>

<p>The first parameter will contain the name of the POST item you are looking for:</p>

<code>$this->input->post('some_data');</code>

<p>The function returns FALSE (boolean) if the item you are attempting to retrieve does not exist.</p>

<p>The second optional parameter lets you run the data through the XSS filter.  It's enabled by setting the second parameter to boolean TRUE;</p>

<code>$this->input->post('some_data', TRUE);</code>

<h2>$this->input->get()</h2>

<p>This function is identical to the post function, only it fetches get data:</p>

<code>$this->input->get('some_data', TRUE);</code>

<h2>$this->input->get_post()</h2>

<p>This function will search through both the post and get streams for data, looking first in post, and then in get:</p>

<code>$this->input->get_post('some_data', TRUE);</code>

<h2>$this->input->cookie()</h2>

<p>This function is identical to the post function, only it fetches cookie data:</p>

<code>$this->input->cookie('some_data', TRUE);</code>

<h2>$this->input->server()</h2>

<p>This function is identical to the above functions, only it fetches server data:</p>

<code>$this->input->server('some_data');</code>




<h2>$this->input->ip_address()</h2>
<p>Returns the IP address for the current user.  If the IP address is not valid, the function will return an IP of: 0.0.0.0</p>
<code>echo $this->input->ip_address();</code>


<h2>$this->input->valid_ip(<var>$ip</var>)</h2>

<p>Takes an IP address as input and returns TRUE or FALSE (boolean) if it is valid or not.  Note:  The $this->input->ip_address() function above
validates the IP automatically.</p>

<code>if ( ! $this-&gt;input-&gt;valid_ip($ip))<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp; echo 'Not Valid';<br />
}<br />
else<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp; echo 'Valid';<br />
}</code>


<h2>$this->input->user_agent()</h2>
<p>Returns the user agent (web browser) being used by the current user. Returns FALSE if it's not available.</p>
<code>echo $this->input->user_agent();</code>




</div>
<!-- END CONTENT -->


<div id="footer">
<p>
Previous Topic:&nbsp;&nbsp;<a href="image_lib.html">Image Manipulation Class</a>
&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
<a href="#top">Top of Page</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
<a href="../index.html">User Guide Home</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
Next Topic:&nbsp;&nbsp;<a href="loader.html">Loader Class</a>
</p>
<p><a href="http://codeigniter.com">CodeIgniter</a> &nbsp;&middot;&nbsp; Copyright &#169; 2006-2010 &nbsp;&middot;&nbsp; <a href="http://ellislab.com/">Ellislab, Inc.</a></p>
</div>

</body>
</html>