Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 4eaf80a6ec0b58a0adc95638153363e00ebf5378 / . / user_guide_src / source / helpers / security_helper.rst
blob: 103880cf9cc58cdccedafa13997e15db154ba5b8 [file] [log] [blame]
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]1###############
2Security Helper
3###############
4
5The Security Helper file contains security related functions.
6
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]7.. contents::
8 :local:
9
10.. raw:: html
11
12 <div class="custom-index container"></div>
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]13
14Loading this Helper
15===================
16
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]17This helper is loaded using the following code::
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]18
19 $this->load->helper('security');
20
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]21Available Functions
22===================
23
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]24The following functions are available:
25
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]26
Andrey Andreevcd3d9db2015-02-02 13:41:01 +0200[diff] [blame]27.. php:function:: xss_clean($str[, $is_image = FALSE])
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]28
29 :param string $str: Input data
30 :param bool $is_image: Whether we're dealing with an image
Andrey Andreev3de130c2014-02-07 23:31:49 +0200[diff] [blame]31 :returns: XSS-clean string
32 :rtype: string
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]33
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]34 Provides Cross Site Script Hack filtering.
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]35
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]36 This function is an alias for ``CI_Input::xss_clean()``. For more info,
37 please see the :doc:`Input Library <../libraries/input>` documentation.
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]38
Andrey Andreevcd3d9db2015-02-02 13:41:01 +0200[diff] [blame]39.. php:function:: sanitize_filename($filename)
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]40
41 :param string $filename: Filename
Andrey Andreev3de130c2014-02-07 23:31:49 +0200[diff] [blame]42 :returns: Sanitized file name
43 :rtype: string
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]44
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]45 Provides protection against directory traversal.
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]46
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]47 This function is an alias for ``CI_Security::sanitize_filename()``.
48 For more info, please see the :doc:`Security Library <../libraries/security>`
49 documentation.
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]50
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]51
Andrey Andreevcd3d9db2015-02-02 13:41:01 +0200[diff] [blame]52.. php:function:: do_hash($str[, $type = 'sha1'])
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]53
54 :param string $str: Input
55 :param string $type: Algorithm
Andrey Andreev3de130c2014-02-07 23:31:49 +0200[diff] [blame]56 :returns: Hex-formatted hash
57 :rtype: string
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]58
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]59 Permits you to create one way hashes suitable for encrypting
60 passwords. Will use SHA1 by default.
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]61
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]62 See `hash_algos() <http://php.net/function.hash_algos>`_
63 for a full list of supported algorithms.
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]64
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]65 Examples::
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]66
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]67 $str = do_hash($str); // SHA1
68 $str = do_hash($str, 'md5'); // MD5
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]69
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]70 .. note:: This function was formerly named ``dohash()``, which has been
71 removed in favor of ``do_hash()``.
Andrey Andreev0f0b7692012-06-07 14:57:04 +0300[diff] [blame]72
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]73 .. note:: This function is DEPRECATED. Use the native ``hash()`` instead.
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]74
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]75
Andrey Andreevcd3d9db2015-02-02 13:41:01 +0200[diff] [blame]76.. php:function:: strip_image_tags($str)
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]77
Andrey Andreev3de130c2014-02-07 23:31:49 +0200[diff] [blame]78 :param string $str: Input string
79 :returns: The input string with no image tags
80 :rtype: string
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]81
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]82 This is a security function that will strip image tags from a string.
83 It leaves the image URL as plain text.
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]84
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]85 Example::
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]86
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]87 $string = strip_image_tags($string);
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]88
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]89 This function is an alias for ``CI_Security::strip_image_tags()``. For
90 more info, please see the :doc:`Security Library <../libraries/security>`
91 documentation.
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]92
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]93
Andrey Andreevcd3d9db2015-02-02 13:41:01 +0200[diff] [blame]94.. php:function:: encode_php_tags($str)
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]95
Andrey Andreev3de130c2014-02-07 23:31:49 +0200[diff] [blame]96 :param string $str: Input string
97 :returns: Safely formatted string
98 :rtype: string
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]99
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]100 This is a security function that converts PHP tags to entities.
Derek Jones8ede1a22011-10-05 13:34:52 -0500[diff] [blame]101
Andrey Andreevcd3d9db2015-02-02 13:41:01 +0200[diff] [blame]102 .. note:: :php:func:`xss_clean()` does this automatically, if you use it.
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]103
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]104 Example::
Andrey Andreev53b8ef52012-11-08 21:38:53 +0200[diff] [blame]105
Derek Jonesf9491c92013-07-19 16:46:18 -0700[diff] [blame]106 $string = encode_php_tags($string);