Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 88fd8e4548eb50d8307757b8e37333ded8f221e9 / . / system / core / Input.php
blob: 484397d63cbe9c53c560f99c34bfd3237313ca2c [file] [log] [blame]
Andrey Andreevc5536aa2012-11-01 17:33:58 +0200[diff] [blame]1<?php
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]2/**
3 * CodeIgniter
4 *
Andrey Andreevfe9309d2015-01-09 17:48:58 +0200[diff] [blame]5 * An open source application development framework for PHP
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]6 *
Andrey Andreevbdb96ca2014-10-28 00:13:31 +0200[diff] [blame]7 * This content is released under the MIT License (MIT)
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]8 *
Andrey Andreevfe9309d2015-01-09 17:48:58 +0200[diff] [blame]9 * Copyright (c) 2014 - 2015, British Columbia Institute of Technology
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]10 *
Andrey Andreevbdb96ca2014-10-28 00:13:31 +0200[diff] [blame]11 * Permission is hereby granted, free of charge, to any person obtaining a copy
12 * of this software and associated documentation files (the "Software"), to deal
13 * in the Software without restriction, including without limitation the rights
14 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
15 * copies of the Software, and to permit persons to whom the Software is
16 * furnished to do so, subject to the following conditions:
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]17 *
Andrey Andreevbdb96ca2014-10-28 00:13:31 +0200[diff] [blame]18 * The above copyright notice and this permission notice shall be included in
19 * all copies or substantial portions of the Software.
20 *
21 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
22 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
23 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
24 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
25 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
26 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
27 * THE SOFTWARE.
28 *
29 * @package CodeIgniter
30 * @author EllisLab Dev Team
darwinel871754a2014-02-11 17:34:57 +0100[diff] [blame]31 * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
Andrey Andreevfe9309d2015-01-09 17:48:58 +0200[diff] [blame]32 * @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/)
Andrey Andreevbdb96ca2014-10-28 00:13:31 +0200[diff] [blame]33 * @license http://opensource.org/licenses/MIT MIT License
34 * @link http://codeigniter.com
35 * @since Version 1.0.0
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]36 * @filesource
37 */
Andrey Andreevc5536aa2012-11-01 17:33:58 +0200[diff] [blame]38defined('BASEPATH') OR exit('No direct script access allowed');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]39
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]40/**
41 * Input Class
42 *
43 * Pre-processes global input data for security
44 *
45 * @package CodeIgniter
46 * @subpackage Libraries
47 * @category Input
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]48 * @author EllisLab Dev Team
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]49 * @link http://codeigniter.com/user_guide/libraries/input.html
50 */
51class CI_Input {
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]52
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]53 /**
54 * IP address of the current user
55 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]56 * @var string
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]57 */
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]58 public $ip_address = FALSE;
Andrey Andreev92ebfb62012-05-17 12:49:24 +0300[diff] [blame]59
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]60 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]61 * Allow GET array flag
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]62 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]63 * If set to FALSE, then $_GET will be set to an empty array.
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]64 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]65 * @var bool
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]66 */
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]67 protected $_allow_get_array = TRUE;
Andrey Andreev92ebfb62012-05-17 12:49:24 +0300[diff] [blame]68
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]69 /**
Andrey Andreevbfb635b2014-01-08 18:32:05 +0200[diff] [blame]70 * Standardize new lines flag
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]71 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]72 * If set to TRUE, then newlines are standardized.
73 *
74 * @var bool
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]75 */
Andrey Andreevefc08e92014-04-15 14:32:52 +0300[diff] [blame]76 protected $_standardize_newlines;
Andrey Andreev92ebfb62012-05-17 12:49:24 +0300[diff] [blame]77
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]78 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]79 * Enable XSS flag
80 *
81 * Determines whether the XSS filter is always active when
82 * GET, POST or COOKIE data is encountered.
83 * Set automatically based on config setting.
84 *
85 * @var bool
86 */
87 protected $_enable_xss = FALSE;
88
89 /**
90 * Enable CSRF flag
91 *
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]92 * Enables a CSRF cookie token to be set.
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]93 * Set automatically based on config setting.
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]94 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]95 * @var bool
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]96 */
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]97 protected $_enable_csrf = FALSE;
Andrey Andreev92ebfb62012-05-17 12:49:24 +0300[diff] [blame]98
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]99 /**
100 * List of all HTTP request headers
101 *
102 * @var array
103 */
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]104 protected $headers = array();
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]105
Andrey Andreevd0ac8b12015-02-27 11:41:52 +0200[diff] [blame]106 /**
107 * Raw input stream data
108 *
109 * Holds a cache of php://input contents
110 *
111 * @var string
112 */
Ignasimgcae95882015-02-26 02:46:14 +0100[diff] [blame]113 protected $_raw_input_stream;
Ignasimgf9fbf112015-02-06 09:21:07 +0100[diff] [blame]114
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]115 /**
Andrey Andreevd0ac8b12015-02-27 11:41:52 +0200[diff] [blame]116 * Parsed input stream data
Andrey Andreev303eef02012-11-06 14:55:48 +0200[diff] [blame]117 *
118 * Parsed from php://input at runtime
119 *
120 * @see CI_Input::input_stream()
121 * @var array
122 */
Andrey Andreevd0ac8b12015-02-27 11:41:52 +0200[diff] [blame]123 protected $_input_stream;
124
Andrey Andreev88fd8e42015-02-27 11:43:01 +0200[diff] [blame^]125 protected $security;
126
Andrey Andreevd0ac8b12015-02-27 11:41:52 +0200[diff] [blame]127 // --------------------------------------------------------------------
Andrey Andreev303eef02012-11-06 14:55:48 +0200[diff] [blame]128
129 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]130 * Class constructor
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]131 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]132 * Determines whether to globally enable the XSS processing
133 * and whether to allow the $_GET array.
Andrey Andreev92ebfb62012-05-17 12:49:24 +0300[diff] [blame]134 *
135 * @return void
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]136 */
137 public function __construct()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]138 {
Andrey Andreevbfb635b2014-01-08 18:32:05 +0200[diff] [blame]139 $this->_allow_get_array = (config_item('allow_get_array') === TRUE);
140 $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
141 $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
fabianozenatti523cda32014-03-21 12:13:03 +0100[diff] [blame]142 $this->_standardize_newlines = (bool) config_item('standardize_newlines');
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]143
Andrey Andreevc26b9eb2014-02-24 11:31:36 +0200[diff] [blame]144 $this->security =& load_class('Security', 'core');
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]145
Pascal Krieteaaec1e42011-01-20 00:01:21 -0500[diff] [blame]146 // Do we need the UTF-8 class?
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]147 if (UTF8_ENABLED === TRUE)
148 {
Andrey Andreevc26b9eb2014-02-24 11:31:36 +0200[diff] [blame]149 $this->uni =& load_class('Utf8', 'core');
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]150 }
151
152 // Sanitize global arrays
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]153 $this->_sanitize_globals();
Andrey Andreev90726b82015-01-20 12:39:22 +0200[diff] [blame]154
155 log_message('info', 'Input Class Initialized');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]156 }
157
158 // --------------------------------------------------------------------
159
160 /**
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]161 * Fetch from array
162 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]163 * Internal method used to retrieve values from global arrays.
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]164 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]165 * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc.
Ahmad Anbarff89a4e2014-12-02 17:26:30 +0200[diff] [blame]166 * @param mixed $index Index for item to be fetched from $array
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]167 * @param bool $xss_clean Whether to apply XSS filtering
168 * @return mixed
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]169 */
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]170 protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]171 {
Andrey Andreevef29f832014-12-02 18:03:47 +0200[diff] [blame]172 is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
173
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]174 // If $index is NULL, it means that the whole $array is requested
Andrey Andreevef29f832014-12-02 18:03:47 +0200[diff] [blame]175 isset($index) OR $index = array_keys($array);
176
177 // allow fetching multiple keys at once
178 if (is_array($index))
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]179 {
180 $output = array();
Andrey Andreev6b3bf4c2014-12-02 18:04:41 +0200[diff] [blame]181 foreach ($index as $key)
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]182 {
183 $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean);
184 }
185
186 return $output;
187 }
188
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]189 if (isset($array[$index]))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]190 {
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]191 $value = $array[$index];
192 }
nisheeth-barthwal47ea5a82013-03-26 18:57:28 +0530[diff] [blame]193 elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]194 {
nisheeth-barthwal47ea5a82013-03-26 18:57:28 +0530[diff] [blame]195 $value = $array;
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]196 for ($i = 0; $i < $count; $i++)
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]197 {
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]198 $key = trim($matches[0][$i], '[]');
nisheeth-barthwal408cbb42013-03-26 19:06:40 +0530[diff] [blame]199 if ($key === '') // Empty notation will return the value as array
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]200 {
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]201 break;
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]202 }
nisheeth-barthwal47ea5a82013-03-26 18:57:28 +0530[diff] [blame]203
204 if (isset($value[$key]))
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]205 {
nisheeth-barthwal47ea5a82013-03-26 18:57:28 +0530[diff] [blame]206 $value = $value[$key];
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]207 }
208 else
209 {
210 return NULL;
nisheeth-barthwala7447d22013-03-21 15:48:10 +0530[diff] [blame]211 }
212 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]213 }
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]214 else
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]215 {
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]216 return NULL;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]217 }
218
nisheeth-barthwal77236e02013-03-25 23:42:36 +0530[diff] [blame]219 return ($xss_clean === TRUE)
220 ? $this->security->xss_clean($value)
221 : $value;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]222 }
223
224 // --------------------------------------------------------------------
225
226 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]227 * Fetch an item from the GET array
228 *
Ahmad Anbarff89a4e2014-12-02 17:26:30 +0200[diff] [blame]229 * @param mixed $index Index for item to be fetched from $_GET
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]230 * @param bool $xss_clean Whether to apply XSS filtering
231 * @return mixed
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]232 */
Andrey Andreev80a16b12014-01-08 17:19:03 +0200[diff] [blame]233 public function get($index = NULL, $xss_clean = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]234 {
nisheeth-barthwala5bcfb12013-03-23 10:53:51 +0530[diff] [blame]235 return $this->_fetch_from_array($_GET, $index, $xss_clean);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]236 }
237
238 // --------------------------------------------------------------------
239
240 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]241 * Fetch an item from the POST array
242 *
Ahmad Anbarff89a4e2014-12-02 17:26:30 +0200[diff] [blame]243 * @param mixed $index Index for item to be fetched from $_POST
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]244 * @param bool $xss_clean Whether to apply XSS filtering
245 * @return mixed
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]246 */
Andrey Andreev80a16b12014-01-08 17:19:03 +0200[diff] [blame]247 public function post($index = NULL, $xss_clean = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]248 {
nisheeth-barthwala5bcfb12013-03-23 10:53:51 +0530[diff] [blame]249 return $this->_fetch_from_array($_POST, $index, $xss_clean);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]250 }
251
252 // --------------------------------------------------------------------
253
254 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]255 * Fetch an item from POST data with fallback to GET
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]256 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]257 * @param string $index Index for item to be fetched from $_POST or $_GET
258 * @param bool $xss_clean Whether to apply XSS filtering
259 * @return mixed
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]260 */
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]261 public function post_get($index, $xss_clean = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]262 {
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]263 return isset($_POST[$index])
nisheeth-barthwala5bcfb12013-03-23 10:53:51 +0530[diff] [blame]264 ? $this->post($index, $xss_clean)
265 : $this->get($index, $xss_clean);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]266 }
267
268 // --------------------------------------------------------------------
269
270 /**
vlakoff441fd262013-08-11 20:36:41 +0200[diff] [blame]271 * Fetch an item from GET data with fallback to POST
272 *
273 * @param string $index Index for item to be fetched from $_GET or $_POST
274 * @param bool $xss_clean Whether to apply XSS filtering
275 * @return mixed
276 */
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]277 public function get_post($index, $xss_clean = NULL)
vlakoff441fd262013-08-11 20:36:41 +0200[diff] [blame]278 {
279 return isset($_GET[$index])
280 ? $this->get($index, $xss_clean)
281 : $this->post($index, $xss_clean);
282 }
283
284 // --------------------------------------------------------------------
285
286 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]287 * Fetch an item from the COOKIE array
288 *
Ahmad Anbarff89a4e2014-12-02 17:26:30 +0200[diff] [blame]289 * @param mixed $index Index for item to be fetched from $_COOKIE
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]290 * @param bool $xss_clean Whether to apply XSS filtering
291 * @return mixed
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]292 */
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]293 public function cookie($index = NULL, $xss_clean = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]294 {
nisheeth-barthwala5bcfb12013-03-23 10:53:51 +0530[diff] [blame]295 return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]296 }
297
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]298 // --------------------------------------------------------------------
299
300 /**
301 * Fetch an item from the SERVER array
302 *
Ahmad Anbarff89a4e2014-12-02 17:26:30 +0200[diff] [blame]303 * @param mixed $index Index for item to be fetched from $_SERVER
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]304 * @param bool $xss_clean Whether to apply XSS filtering
305 * @return mixed
306 */
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]307 public function server($index, $xss_clean = NULL)
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]308 {
309 return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
310 }
311
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]312 // ------------------------------------------------------------------------
313
314 /**
Andrey Andreev303eef02012-11-06 14:55:48 +0200[diff] [blame]315 * Fetch an item from the php://input stream
316 *
317 * Useful when you need to access PUT, DELETE or PATCH request data.
318 *
319 * @param string $index Index for item to be fetched
320 * @param bool $xss_clean Whether to apply XSS filtering
321 * @return mixed
322 */
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]323 public function input_stream($index = NULL, $xss_clean = NULL)
Andrey Andreev303eef02012-11-06 14:55:48 +0200[diff] [blame]324 {
Andrey Andreevdc134a82014-05-08 10:00:55 +0300[diff] [blame]325 // Prior to PHP 5.6, the input stream can only be read once,
326 // so we'll need to check if we have already done that first.
Andrey Andreev303eef02012-11-06 14:55:48 +0200[diff] [blame]327 if ( ! is_array($this->_input_stream))
328 {
Ignasimgcae95882015-02-26 02:46:14 +0100[diff] [blame]329 // $this->raw_input_stream will trigger __get().
Ignasimg0b5569f2015-02-20 17:56:55 +0100[diff] [blame]330 parse_str($this->raw_input_stream, $this->_input_stream);
Andrey Andreev7c60b122014-02-08 18:47:19 +0200[diff] [blame]331 is_array($this->_input_stream) OR $this->_input_stream = array();
Andrey Andreev303eef02012-11-06 14:55:48 +0200[diff] [blame]332 }
333
334 return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean);
335 }
336
337 // ------------------------------------------------------------------------
338
339 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]340 * Set cookie
341 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]342 * Accepts an arbitrary number of parameters (up to 7) or an associative
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]343 * array in the first parameter containing all the values.
344 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]345 * @param string|mixed[] $name Cookie name or an array containing parameters
346 * @param string $value Cookie value
347 * @param int $expire Cookie expiration time in seconds
348 * @param string $domain Cookie domain (e.g.: '.yourdomain.com')
349 * @param string $path Cookie path (default: '/')
350 * @param string $prefix Cookie name prefix
351 * @param bool $secure Whether to only transfer cookies via SSL
352 * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript)
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]353 * @return void
354 */
Andrey Andreev8f5420b2014-01-06 10:34:23 +0200[diff] [blame]355 public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE, $httponly = FALSE)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]356 {
357 if (is_array($name))
358 {
tobiasbg9aa7dc92011-02-18 21:57:13 +0100[diff] [blame]359 // always leave 'name' in last place, as the loop will break otherwise, due to $$item
freewil4ad0fd82012-03-13 22:37:42 -0400[diff] [blame]360 foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]361 {
362 if (isset($name[$item]))
363 {
364 $$item = $name[$item];
365 }
366 }
367 }
368
Alex Bilbieed944a32012-06-02 11:07:47 +0100[diff] [blame]369 if ($prefix === '' && config_item('cookie_prefix') !== '')
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]370 {
371 $prefix = config_item('cookie_prefix');
372 }
Andrey Andreev9ba661b2012-06-04 14:44:34 +0300[diff] [blame]373
374 if ($domain == '' && config_item('cookie_domain') != '')
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]375 {
376 $domain = config_item('cookie_domain');
377 }
Andrey Andreev9ba661b2012-06-04 14:44:34 +0300[diff] [blame]378
Alex Bilbieed944a32012-06-02 11:07:47 +0100[diff] [blame]379 if ($path === '/' && config_item('cookie_path') !== '/')
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]380 {
381 $path = config_item('cookie_path');
382 }
Andrey Andreev9ba661b2012-06-04 14:44:34 +0300[diff] [blame]383
Andrey Andreevd444d442014-10-06 00:00:08 +0300[diff] [blame]384 if ($secure === FALSE && config_item('cookie_secure') === TRUE)
tobiasbg9aa7dc92011-02-18 21:57:13 +0100[diff] [blame]385 {
386 $secure = config_item('cookie_secure');
387 }
Andrey Andreev9ba661b2012-06-04 14:44:34 +0300[diff] [blame]388
Alex Bilbieed944a32012-06-02 11:07:47 +0100[diff] [blame]389 if ($httponly === FALSE && config_item('cookie_httponly') !== FALSE)
freewil4ad0fd82012-03-13 22:37:42 -0400[diff] [blame]390 {
391 $httponly = config_item('cookie_httponly');
392 }
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]393
394 if ( ! is_numeric($expire))
395 {
396 $expire = time() - 86500;
397 }
398 else
399 {
Phil Sturgeonc8089152010-12-27 19:06:28 +0000[diff] [blame]400 $expire = ($expire > 0) ? time() + $expire : 0;
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]401 }
402
freewil4ad0fd82012-03-13 22:37:42 -0400[diff] [blame]403 setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]404 }
405
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]406 // --------------------------------------------------------------------
407
408 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]409 * Fetch the IP Address
410 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]411 * Determines and validates the visitor's IP address.
412 *
413 * @return string IP address
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]414 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]415 public function ip_address()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]416 {
417 if ($this->ip_address !== FALSE)
418 {
419 return $this->ip_address;
420 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]421
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]422 $proxy_ips = config_item('proxy_ips');
Andrey Andreevea7a8662012-10-09 13:36:31 +0300[diff] [blame]423 if ( ! empty($proxy_ips) && ! is_array($proxy_ips))
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]424 {
425 $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
426 }
Andrey Andreev5b92ae12012-10-04 13:05:03 +0300[diff] [blame]427
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]428 $this->ip_address = $this->server('REMOTE_ADDR');
429
430 if ($proxy_ips)
431 {
432 foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
Jordan Pittman8960acf2012-07-23 09:05:49 -0300[diff] [blame]433 {
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]434 if (($spoof = $this->server($header)) !== NULL)
Jordan Pittman8960acf2012-07-23 09:05:49 -0300[diff] [blame]435 {
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]436 // Some proxies typically list the whole chain of IP
437 // addresses through which the client has reached us.
438 // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
Andrey Andreeve24eed72012-11-02 23:33:45 +0200[diff] [blame]439 sscanf($spoof, '%[^,]', $spoof);
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]440
441 if ( ! $this->valid_ip($spoof))
442 {
443 $spoof = NULL;
444 }
445 else
446 {
Jordan Pittmana5a71352012-07-20 19:36:43 -0300[diff] [blame]447 break;
448 }
449 }
Andrey Andreev5b92ae12012-10-04 13:05:03 +0300[diff] [blame]450 }
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]451
Andrey Andreeve45ad2b2012-10-09 13:11:15 +0300[diff] [blame]452 if ($spoof)
Andrey Andreev5b92ae12012-10-04 13:05:03 +0300[diff] [blame]453 {
Andrey Andreev9df35b42012-10-09 13:37:58 +0300[diff] [blame]454 for ($i = 0, $c = count($proxy_ips); $i < $c; $i++)
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]455 {
456 // Check if we have an IP address or a subnet
457 if (strpos($proxy_ips[$i], '/') === FALSE)
458 {
459 // An IP address (and not a subnet) is specified.
460 // We can compare right away.
461 if ($proxy_ips[$i] === $this->ip_address)
462 {
463 $this->ip_address = $spoof;
464 break;
465 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]466
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]467 continue;
468 }
469
470 // We have a subnet ... now the heavy lifting begins
471 isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.';
472
473 // If the proxy entry doesn't match the IP protocol - skip it
474 if (strpos($proxy_ips[$i], $separator) === FALSE)
475 {
476 continue;
477 }
478
479 // Convert the REMOTE_ADDR IP address to binary, if needed
Andrey Andreev82d2cf12012-10-13 12:38:42 +0300[diff] [blame]480 if ( ! isset($ip, $sprintf))
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]481 {
482 if ($separator === ':')
483 {
484 // Make sure we're have the "full" IPv6 format
Andrey Andreev82d2cf12012-10-13 12:38:42 +0300[diff] [blame]485 $ip = explode(':',
486 str_replace('::',
487 str_repeat(':', 9 - substr_count($this->ip_address, ':')),
488 $this->ip_address
489 )
490 );
491
492 for ($i = 0; $i < 8; $i++)
493 {
494 $ip[$i] = intval($ip[$i], 16);
495 }
496
497 $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]498 }
499 else
500 {
Andrey Andreev82d2cf12012-10-13 12:38:42 +0300[diff] [blame]501 $ip = explode('.', $this->ip_address);
502 $sprintf = '%08b%08b%08b%08b';
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]503 }
504
Andrey Andreev82d2cf12012-10-13 12:38:42 +0300[diff] [blame]505 $ip = vsprintf($sprintf, $ip);
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]506 }
507
508 // Split the netmask length off the network address
Andrey Andreeve24eed72012-11-02 23:33:45 +0200[diff] [blame]509 sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen);
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]510
511 // Again, an IPv6 address is most likely in a compressed form
512 if ($separator === ':')
513 {
Andrey Andreev82d2cf12012-10-13 12:38:42 +0300[diff] [blame]514 $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
515 for ($i = 0; $i < 8; $i++)
516 {
517 $netaddr[$i] = intval($netaddr[$i], 16);
518 }
519 }
520 else
521 {
522 $netaddr = explode('.', $netaddr);
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]523 }
524
Andrey Andreev82d2cf12012-10-13 12:38:42 +0300[diff] [blame]525 // Convert to binary and finally compare
526 if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0)
Andrey Andreev9ac557f2012-10-06 20:27:57 +0300[diff] [blame]527 {
528 $this->ip_address = $spoof;
529 break;
530 }
531 }
532 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]533 }
534
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]535 if ( ! $this->valid_ip($this->ip_address))
536 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]537 return $this->ip_address = '0.0.0.0';
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]538 }
539
540 return $this->ip_address;
541 }
542
543 // --------------------------------------------------------------------
544
545 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]546 * Validate IP Address
547 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]548 * @param string $ip IP address
549 * @param string $which IP protocol: 'ipv4' or 'ipv6'
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]550 * @return bool
551 */
Andrey Andreev5a257182012-06-10 06:18:14 +0300[diff] [blame]552 public function valid_ip($ip, $which = '')
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]553 {
Andrey Andreev5a257182012-06-10 06:18:14 +0300[diff] [blame]554 switch (strtolower($which))
555 {
556 case 'ipv4':
557 $which = FILTER_FLAG_IPV4;
558 break;
559 case 'ipv6':
560 $which = FILTER_FLAG_IPV6;
561 break;
562 default:
563 $which = NULL;
564 break;
565 }
566
567 return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]568 }
569
570 // --------------------------------------------------------------------
571
572 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]573 * Fetch User Agent string
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]574 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]575 * @return string|null User Agent string or NULL if it doesn't exist
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]576 */
Andrey Andreev8850e372014-02-27 21:56:06 +0200[diff] [blame]577 public function user_agent($xss_clean = NULL)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]578 {
Andrey Andreev8850e372014-02-27 21:56:06 +0200[diff] [blame]579 return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]580 }
581
582 // --------------------------------------------------------------------
583
584 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]585 * Sanitize Globals
586 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]587 * Internal method serving for the following purposes:
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]588 *
Andrey Andreevb78a8c72014-04-15 17:21:16 +0300[diff] [blame]589 * - Unsets $_GET data, if query strings are not enabled
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]590 * - Cleans POST, COOKIE and SERVER data
591 * - Standardizes newline characters to PHP_EOL
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]592 *
593 * @return void
594 */
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame]595 protected function _sanitize_globals()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]596 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]597 // Is $_GET data allowed? If not we'll set the $_GET to an empty array
Alex Bilbieed944a32012-06-02 11:07:47 +0100[diff] [blame]598 if ($this->_allow_get_array === FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]599 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]600 $_GET = array();
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]601 }
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]602 elseif (is_array($_GET) && count($_GET) > 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]603 {
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]604 foreach ($_GET as $key => $val)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]605 {
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]606 $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]607 }
608 }
609
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]610 // Clean $_POST Data
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]611 if (is_array($_POST) && count($_POST) > 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]612 {
Pascal Kriete5d5895f2011-02-14 13:27:07 -0500[diff] [blame]613 foreach ($_POST as $key => $val)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]614 {
615 $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
616 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]617 }
618
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]619 // Clean $_COOKIE Data
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]620 if (is_array($_COOKIE) && count($_COOKIE) > 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]621 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]622 // Also get rid of specially treated cookies that might be set by a server
623 // or silly application, that are of no use to a CI application anyway
624 // but that when present will trip our 'Disallowed Key Characters' alarm
625 // http://www.ietf.org/rfc/rfc2109.txt
626 // note that the key names below are single quoted strings, and are not PHP variables
Andrey Andreev5ac428b2014-01-08 16:07:31 +0200[diff] [blame]627 unset(
628 $_COOKIE['$Version'],
629 $_COOKIE['$Path'],
630 $_COOKIE['$Domain']
631 );
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]632
Pascal Kriete5d5895f2011-02-14 13:27:07 -0500[diff] [blame]633 foreach ($_COOKIE as $key => $val)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]634 {
Andrey Andreevfd0aabb2013-09-23 13:18:20 +0300[diff] [blame]635 if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE)
636 {
637 $_COOKIE[$cookie_key] = $this->_clean_input_data($val);
638 }
639 else
640 {
641 unset($_COOKIE[$key]);
642 }
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]643 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]644 }
645
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]646 // Sanitize PHP_SELF
647 $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
648
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]649 // CSRF Protection check
Andrey Andreevf964b162013-11-12 17:04:55 +0200[diff] [blame]650 if ($this->_enable_csrf === TRUE && ! is_cli())
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]651 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]652 $this->security->csrf_verify();
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]653 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]654
Andrey Andreevfd0aabb2013-09-23 13:18:20 +0300[diff] [blame]655 log_message('debug', 'Global POST, GET and COOKIE data sanitized');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]656 }
657
658 // --------------------------------------------------------------------
659
660 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]661 * Clean Input Data
662 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]663 * Internal method that aids in escaping data and
664 * standardizing newline characters to PHP_EOL.
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]665 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]666 * @param string|string[] $str Input string(s)
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]667 * @return string
668 */
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame]669 protected function _clean_input_data($str)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]670 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]671 if (is_array($str))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]672 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]673 $new_array = array();
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]674 foreach (array_keys($str) as $key)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]675 {
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]676 $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]677 }
678 return $new_array;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]679 }
680
Andrey Andreevaf728622011-10-20 10:11:59 +0300[diff] [blame]681 /* We strip slashes if magic quotes is on to keep things consistent
682
683 NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
684 it will probably not exist in future versions at all.
685 */
686 if ( ! is_php('5.4') && get_magic_quotes_gpc())
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]687 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]688 $str = stripslashes($str);
689 }
690
691 // Clean UTF-8 if supported
692 if (UTF8_ENABLED === TRUE)
693 {
694 $str = $this->uni->clean_string($str);
695 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]696
Pascal Kriete14a0ac62011-04-05 14:55:56 -0400[diff] [blame]697 // Remove control characters
Andrey Andreev5ac428b2014-01-08 16:07:31 +0200[diff] [blame]698 $str = remove_invisible_characters($str, FALSE);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]699
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]700 // Standardize newlines if needed
Eric Robertsb75e13d2013-01-27 20:10:09 -0600[diff] [blame]701 if ($this->_standardize_newlines === TRUE)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]702 {
Eric Robertsb75e13d2013-01-27 20:10:09 -0600[diff] [blame]703 return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]704 }
705
706 return $str;
707 }
708
709 // --------------------------------------------------------------------
710
711 /**
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]712 * Clean Keys
713 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]714 * Internal method that helps to prevent malicious users
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]715 * from trying to exploit keys we make sure that keys are
716 * only named with alpha-numeric text and a few other items.
717 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]718 * @param string $str Input string
Ä°rfan Evrensd02a69a2015-02-06 20:53:22 +0200[diff] [blame]719 * @param bool $fatal Whether to terminate script exection
Andrey Andreevfd0aabb2013-09-23 13:18:20 +0300[diff] [blame]720 * or to return FALSE if an invalid
721 * key is encountered
722 * @return string|bool
Timothy Warren40403d22012-04-19 16:38:50 -0400[diff] [blame]723 */
Andrey Andreevfd0aabb2013-09-23 13:18:20 +0300[diff] [blame]724 protected function _clean_input_keys($str, $fatal = TRUE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]725 {
bigCat3c0846b2012-08-21 00:20:20 +0800[diff] [blame]726 if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]727 {
Andrey Andreevfd0aabb2013-09-23 13:18:20 +0300[diff] [blame]728 if ($fatal === TRUE)
729 {
730 return FALSE;
731 }
732 else
733 {
734 set_status_header(503);
735 echo 'Disallowed Key Characters.';
Andrey Andreev7cf682a2014-03-13 14:55:45 +0200[diff] [blame]736 exit(7); // EXIT_USER_INPUT
Andrey Andreevfd0aabb2013-09-23 13:18:20 +0300[diff] [blame]737 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]738 }
739
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]740 // Clean UTF-8 if supported
741 if (UTF8_ENABLED === TRUE)
742 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]743 return $this->uni->clean_string($str);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]744 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]745
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]746 return $str;
747 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]748
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]749 // --------------------------------------------------------------------
750
751 /**
752 * Request Headers
753 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]754 * @param bool $xss_clean Whether to apply XSS filtering
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]755 * @return array
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]756 */
757 public function request_headers($xss_clean = FALSE)
758 {
CJ71cff1d2013-04-16 21:50:55 +0800[diff] [blame]759 // If header is already defined, return it immediately
760 if ( ! empty($this->headers))
761 {
762 return $this->headers;
763 }
764
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]765 // In Apache, you can simply call apache_request_headers()
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]766 if (function_exists('apache_request_headers'))
767 {
CJ71cff1d2013-04-16 21:50:55 +0800[diff] [blame]768 return $this->headers = apache_request_headers();
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]769 }
CJd195f222013-04-17 01:04:13 +0800[diff] [blame]770
CJ8347f912013-04-17 21:45:22 +0800[diff] [blame]771 $this->headers['Content-Type'] = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');
CJd195f222013-04-17 01:04:13 +0800[diff] [blame]772
773 foreach ($_SERVER as $key => $val)
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]774 {
CJd195f222013-04-17 01:04:13 +0800[diff] [blame]775 if (sscanf($key, 'HTTP_%s', $header) === 1)
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]776 {
CJd195f222013-04-17 01:04:13 +0800[diff] [blame]777 // take SOME_HEADER and turn it into Some-Header
778 $header = str_replace('_', ' ', strtolower($header));
779 $header = str_replace(' ', '-', ucwords($header));
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]780
CJd195f222013-04-17 01:04:13 +0800[diff] [blame]781 $this->headers[$header] = $this->_fetch_from_array($_SERVER, $key, $xss_clean);
CJ826990f2013-04-16 14:17:53 +0800[diff] [blame]782 }
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]783 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]784
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]785 return $this->headers;
786 }
787
788 // --------------------------------------------------------------------
789
790 /**
791 * Get Request Header
792 *
793 * Returns the value of a single member of the headers class member
794 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]795 * @param string $index Header name
796 * @param bool $xss_clean Whether to apply XSS filtering
Adriano Rosaf112e4a2014-10-03 13:15:46 -0300[diff] [blame]797 * @return string|null The requested header on success or NULL on failure
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]798 */
799 public function get_request_header($index, $xss_clean = FALSE)
800 {
801 if (empty($this->headers))
802 {
803 $this->request_headers();
804 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]805
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]806 if ( ! isset($this->headers[$index]))
807 {
Phil Sturgeon55a6ddb2012-05-23 18:37:24 +0100[diff] [blame]808 return NULL;
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]809 }
810
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]811 return ($xss_clean === TRUE)
812 ? $this->security->xss_clean($this->headers[$index])
813 : $this->headers[$index];
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]814 }
815
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]816 // --------------------------------------------------------------------
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]817
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]818 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]819 * Is AJAX request?
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]820 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]821 * Test to see if a request contains the HTTP_X_REQUESTED_WITH header.
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]822 *
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]823 * @return bool
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]824 */
825 public function is_ajax_request()
826 {
Andrey Andreev9448afb2012-02-08 19:49:19 +0200[diff] [blame]827 return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest');
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]828 }
829
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]830 // --------------------------------------------------------------------
831
832 /**
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]833 * Is CLI request?
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]834 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]835 * Test to see if a request was made from the command line.
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]836 *
Andrey Andreevf964b162013-11-12 17:04:55 +0200[diff] [blame]837 * @deprecated 3.0.0 Use is_cli() instead
838 * @return bool
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]839 */
840 public function is_cli_request()
841 {
Andrey Andreevf964b162013-11-12 17:04:55 +0200[diff] [blame]842 return is_cli();
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]843 }
844
Michiel Vugteveenbe0ca262012-03-07 19:09:51 +0100[diff] [blame]845 // --------------------------------------------------------------------
846
847 /**
848 * Get Request Method
849 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]850 * Return the request method
Michiel Vugteveenbe0ca262012-03-07 19:09:51 +0100[diff] [blame]851 *
Andrey Andreev1887ec62012-10-27 16:22:07 +0300[diff] [blame]852 * @param bool $upper Whether to return in upper or lower case
853 * (default: FALSE)
854 * @return string
Michiel Vugteveenbe0ca262012-03-07 19:09:51 +0100[diff] [blame]855 */
Michiel Vugteveen704fb162012-03-07 20:42:33 +0100[diff] [blame]856 public function method($upper = FALSE)
Michiel Vugteveenbe0ca262012-03-07 19:09:51 +0100[diff] [blame]857 {
Michiel Vugteveendc900df2012-03-07 20:41:37 +0100[diff] [blame]858 return ($upper)
859 ? strtoupper($this->server('REQUEST_METHOD'))
860 : strtolower($this->server('REQUEST_METHOD'));
Michiel Vugteveenbe0ca262012-03-07 19:09:51 +0100[diff] [blame]861 }
862
Andrey Andreevd0ac8b12015-02-27 11:41:52 +0200[diff] [blame]863 // ------------------------------------------------------------------------
864
865 /**
866 * Magic __get()
867 *
868 * Allows read access to protected properties
869 *
870 * @param string $name
871 * @return mixed
872 */
873 public function __get($name)
874 {
875 if ($name === 'raw_input_stream')
876 {
877 isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input');
878 return $this->_raw_input_stream;
879 }
880 }
881
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]882}