Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 90cfe14b8458a3c84825a741cd750c5a02690f3b / . / system / core / Input.php
blob: 7a16e51abe6ed10df22a9413d8dea14cbddd5aed [file] [log] [blame]
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]1<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]2/**
3 * CodeIgniter
4 *
Greg Aker741de1c2010-11-10 14:52:57 -0600[diff] [blame]5 * An open source application development framework for PHP 5.1.6 or newer
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]6 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]7 * NOTICE OF LICENSE
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]8 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]9 * Licensed under the Open Software License version 3.0
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]10 *
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]11 * This source file is subject to the Open Software License (OSL 3.0) that is
12 * bundled with this package in the files license.txt / license.rst. It is
13 * also available through the world wide web at this URL:
14 * http://opensource.org/licenses/OSL-3.0
15 * If you did not receive a copy of the license and are unable to obtain it
16 * through the world wide web, please send an email to
17 * licensing@ellislab.com so we can send you a copy immediately.
18 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]19 * @package CodeIgniter
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]20 * @author EllisLab Dev Team
Greg Aker0defe5d2012-01-01 18:46:41 -0600[diff] [blame]21 * @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/)
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]22 * @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]23 * @link http://codeigniter.com
24 * @since Version 1.0
25 * @filesource
26 */
27
28// ------------------------------------------------------------------------
29
30/**
31 * Input Class
32 *
33 * Pre-processes global input data for security
34 *
35 * @package CodeIgniter
36 * @subpackage Libraries
37 * @category Input
Derek Jonesf4a4bd82011-10-20 12:18:42 -0500[diff] [blame]38 * @author EllisLab Dev Team
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]39 * @link http://codeigniter.com/user_guide/libraries/input.html
40 */
41class CI_Input {
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]42
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]43 /**
44 * IP address of the current user
45 *
46 * @var string
47 */
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]48 public $ip_address = FALSE;
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]49 /**
50 * user agent (web browser) being used by the current user
51 *
52 * @var string
53 */
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]54 public $user_agent = FALSE;
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]55 /**
56 * If FALSE, then $_GET will be set to an empty array
57 *
58 * @var bool
59 */
Andrey Andreev13774972012-01-08 04:30:33 +0200[diff] [blame]60 protected $_allow_get_array = TRUE;
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]61 /**
62 * If TRUE, then newlines are standardized
63 *
64 * @var bool
65 */
Andrey Andreev13774972012-01-08 04:30:33 +0200[diff] [blame]66 protected $_standardize_newlines = TRUE;
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]67 /**
68 * Determines whether the XSS filter is always active when GET, POST or COOKIE data is encountered
69 * Set automatically based on config setting
70 *
71 * @var bool
72 */
Andrey Andreev13774972012-01-08 04:30:33 +0200[diff] [blame]73 protected $_enable_xss = FALSE;
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]74 /**
75 * Enables a CSRF cookie token to be set.
76 * Set automatically based on config setting
77 *
78 * @var bool
79 */
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]80 protected $_enable_csrf = FALSE;
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]81 /**
82 * List of all HTTP request headers
83 *
84 * @var array
85 */
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]86 protected $headers = array();
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]87
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]88 /**
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]89 * Constructor
90 *
91 * Sets whether to globally enable the XSS processing
92 * and whether to allow the $_GET array
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]93 */
94 public function __construct()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]95 {
Andrey Andreev13774972012-01-08 04:30:33 +0200[diff] [blame]96 log_message('debug', 'Input Class Initialized');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]97
Phil Sturgeonc8089152010-12-27 19:06:28 +0000[diff] [blame]98 $this->_allow_get_array = (config_item('allow_get_array') === TRUE);
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]99 $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
100 $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]101
Pascal Kriete14a0ac62011-04-05 14:55:56 -0400[diff] [blame]102 global $SEC;
103 $this->security =& $SEC;
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]104
Pascal Krieteaaec1e42011-01-20 00:01:21 -0500[diff] [blame]105 // Do we need the UTF-8 class?
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]106 if (UTF8_ENABLED === TRUE)
107 {
108 global $UNI;
109 $this->uni =& $UNI;
110 }
111
112 // Sanitize global arrays
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]113 $this->_sanitize_globals();
114 }
115
116 // --------------------------------------------------------------------
117
118 /**
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]119 * Fetch from array
120 *
121 * This is a helper function to retrieve values from global arrays
122 *
Greg Akera9263282010-11-10 15:26:43 -0600[diff] [blame]123 * @param array
124 * @param string
125 * @param bool
126 * @return string
127 */
Bo-Yi Wu47213792011-09-13 22:44:07 +0800[diff] [blame]128 protected function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]129 {
130 if ( ! isset($array[$index]))
131 {
132 return FALSE;
133 }
134
135 if ($xss_clean === TRUE)
136 {
Pascal Kriete14a0ac62011-04-05 14:55:56 -0400[diff] [blame]137 return $this->security->xss_clean($array[$index]);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]138 }
139
140 return $array[$index];
141 }
142
143 // --------------------------------------------------------------------
144
145 /**
146 * Fetch an item from the GET array
147 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]148 * @param string
149 * @param bool
150 * @return string
151 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]152 public function get($index = NULL, $xss_clean = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]153 {
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]154 // Check if a field has been provided
155 if ($index === NULL AND ! empty($_GET))
vascopjff1cfa12011-02-13 21:30:19 +0000[diff] [blame]156 {
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]157 $get = array();
vascopjff1cfa12011-02-13 21:30:19 +0000[diff] [blame]158
159 // loop through the full _GET array
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]160 foreach (array_keys($_GET) as $key)
vascopjff1cfa12011-02-13 21:30:19 +0000[diff] [blame]161 {
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]162 $get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean);
vascopjff1cfa12011-02-13 21:30:19 +0000[diff] [blame]163 }
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]164 return $get;
vascopjff1cfa12011-02-13 21:30:19 +0000[diff] [blame]165 }
166
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]167 return $this->_fetch_from_array($_GET, $index, $xss_clean);
168 }
169
170 // --------------------------------------------------------------------
171
172 /**
173 * Fetch an item from the POST array
174 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]175 * @param string
176 * @param bool
177 * @return string
178 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]179 public function post($index = NULL, $xss_clean = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]180 {
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]181 // Check if a field has been provided
182 if ($index === NULL AND ! empty($_POST))
vascopj0ba58b82011-02-06 14:20:21 +0000[diff] [blame]183 {
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]184 $post = array();
vascopj0ba58b82011-02-06 14:20:21 +0000[diff] [blame]185
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]186 // Loop through the full _POST array and return it
187 foreach (array_keys($_POST) as $key)
vascopj0ba58b82011-02-06 14:20:21 +0000[diff] [blame]188 {
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]189 $post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean);
vascopj0ba58b82011-02-06 14:20:21 +0000[diff] [blame]190 }
Phil Sturgeon44f21052011-02-15 21:39:25 +0000[diff] [blame]191 return $post;
vascopj0ba58b82011-02-06 14:20:21 +0000[diff] [blame]192 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]193
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]194 return $this->_fetch_from_array($_POST, $index, $xss_clean);
195 }
196
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]197
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]198 // --------------------------------------------------------------------
199
200 /**
201 * Fetch an item from either the GET array or the POST
202 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]203 * @param string The index key
204 * @param bool XSS cleaning
205 * @return string
206 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]207 public function get_post($index = '', $xss_clean = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]208 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]209 return ( ! isset($_POST[$index]))
210 ? $this->get($index, $xss_clean)
211 : $this->post($index, $xss_clean);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]212 }
213
214 // --------------------------------------------------------------------
215
216 /**
217 * Fetch an item from the COOKIE array
218 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]219 * @param string
220 * @param bool
221 * @return string
222 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]223 public function cookie($index = '', $xss_clean = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]224 {
225 return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
226 }
227
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]228 // ------------------------------------------------------------------------
229
230 /**
231 * Set cookie
232 *
233 * Accepts six parameter, or you can submit an associative
234 * array in the first parameter containing all the values.
235 *
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]236 * @param mixed
237 * @param string the value of the cookie
238 * @param string the number of seconds until expiration
Derek Jones37f4b9c2011-07-01 17:56:50 -0500[diff] [blame]239 * @param string the cookie domain. Usually: .yourdomain.com
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]240 * @param string the cookie path
241 * @param string the cookie prefix
Phil Sturgeond8d1e242011-02-16 17:23:16 +0000[diff] [blame]242 * @param bool true makes the cookie secure
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]243 * @return void
244 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]245 public function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]246 {
247 if (is_array($name))
248 {
tobiasbg9aa7dc92011-02-18 21:57:13 +0100[diff] [blame]249 // always leave 'name' in last place, as the loop will break otherwise, due to $$item
250 foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]251 {
252 if (isset($name[$item]))
253 {
254 $$item = $name[$item];
255 }
256 }
257 }
258
259 if ($prefix == '' AND config_item('cookie_prefix') != '')
260 {
261 $prefix = config_item('cookie_prefix');
262 }
263 if ($domain == '' AND config_item('cookie_domain') != '')
264 {
265 $domain = config_item('cookie_domain');
266 }
267 if ($path == '/' AND config_item('cookie_path') != '/')
268 {
269 $path = config_item('cookie_path');
270 }
tobiasbg9aa7dc92011-02-18 21:57:13 +0100[diff] [blame]271 if ($secure == FALSE AND config_item('cookie_secure') != FALSE)
272 {
273 $secure = config_item('cookie_secure');
274 }
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]275
276 if ( ! is_numeric($expire))
277 {
278 $expire = time() - 86500;
279 }
280 else
281 {
Phil Sturgeonc8089152010-12-27 19:06:28 +0000[diff] [blame]282 $expire = ($expire > 0) ? time() + $expire : 0;
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]283 }
284
Phil Sturgeond8d1e242011-02-16 17:23:16 +0000[diff] [blame]285 setcookie($prefix.$name, $value, $expire, $path, $domain, $secure);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]286 }
287
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]288 // --------------------------------------------------------------------
289
290 /**
291 * Fetch an item from the SERVER array
292 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]293 * @param string
294 * @param bool
295 * @return string
296 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]297 public function server($index = '', $xss_clean = FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]298 {
299 return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
300 }
301
302 // --------------------------------------------------------------------
303
304 /**
305 * Fetch the IP Address
306 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]307 * @return string
308 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]309 public function ip_address()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]310 {
311 if ($this->ip_address !== FALSE)
312 {
313 return $this->ip_address;
314 }
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]315
Derek Jones42b2e172009-02-05 16:59:45 +0000[diff] [blame]316 if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
Derek Jonesc5972282009-02-04 21:40:20 +0000[diff] [blame]317 {
Derek Jones42b2e172009-02-05 16:59:45 +0000[diff] [blame]318 $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
Derek Jonesc5972282009-02-04 21:40:20 +0000[diff] [blame]319 $proxies = is_array($proxies) ? $proxies : array($proxies);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]320
Derek Jonesc5972282009-02-04 21:40:20 +0000[diff] [blame]321 $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
322 }
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]323 elseif ( ! $this->server('HTTP_CLIENT_IP') AND $this->server('REMOTE_ADDR'))
John Bellone52c10b62011-08-21 11:41:32 -0400[diff] [blame]324 {
325 $this->ip_address = $_SERVER['REMOTE_ADDR'];
326 }
Derek Jonesc5972282009-02-04 21:40:20 +0000[diff] [blame]327 elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]328 {
329 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
330 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]331 elseif ($this->server('HTTP_CLIENT_IP'))
332 {
333 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
334 }
335 elseif ($this->server('HTTP_X_FORWARDED_FOR'))
336 {
337 $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
338 }
339
340 if ($this->ip_address === FALSE)
341 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]342 return $this->ip_address = '0.0.0.0';
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]343 }
344
Robin Sowell76b369e2010-03-19 11:15:28 -0400[diff] [blame]345 if (strpos($this->ip_address, ',') !== FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]346 {
347 $x = explode(',', $this->ip_address);
Derek Jonesc5972282009-02-04 21:40:20 +0000[diff] [blame]348 $this->ip_address = trim(end($x));
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]349 }
350
351 if ( ! $this->valid_ip($this->ip_address))
352 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]353 return $this->ip_address = '0.0.0.0';
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]354 }
355
356 return $this->ip_address;
357 }
358
359 // --------------------------------------------------------------------
360
361 /**
362 * Validate IP Address
363 *
364 * Updated version suggested by Geert De Deckere
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]365 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]366 * @param string
Bo-Yi Wu013c8952011-09-12 15:03:44 +0800[diff] [blame]367 * @return bool
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]368 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]369 public function valid_ip($ip)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]370 {
Bo-Yi Wuc9f84c12011-09-12 10:45:39 +0800[diff] [blame]371 // if php version >= 5.2, use filter_var to check validate ip.
Bo-Yi Wu47213792011-09-13 22:44:07 +0800[diff] [blame]372 if (function_exists('filter_var'))
Bo-Yi Wuc9f84c12011-09-12 10:45:39 +0800[diff] [blame]373 {
374 return (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
375 }
376
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]377 $ip_segments = explode('.', $ip);
378
379 // Always 4 segments needed
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]380 if (count($ip_segments) !== 4)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]381 {
382 return FALSE;
383 }
384 // IP can not start with 0
385 if ($ip_segments[0][0] == '0')
386 {
387 return FALSE;
388 }
389 // Check each segment
390 foreach ($ip_segments as $segment)
391 {
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]392 // IP segments must be digits and can not be
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]393 // longer than 3 digits or greater then 255
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame^]394 if ($segment == '' OR preg_match('/[^0-9]/', $segment) OR $segment > 255 OR strlen($segment) > 3)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]395 {
396 return FALSE;
397 }
398 }
399
400 return TRUE;
401 }
402
403 // --------------------------------------------------------------------
404
405 /**
406 * User Agent
407 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]408 * @return string
409 */
Bo-Yi Wu4db872f2011-09-12 10:52:37 +0800[diff] [blame]410 public function user_agent()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]411 {
412 if ($this->user_agent !== FALSE)
413 {
414 return $this->user_agent;
415 }
416
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]417 return $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]418 }
419
420 // --------------------------------------------------------------------
421
422 /**
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]423 * Sanitize Globals
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]424 *
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]425 * This function does the following:
426 *
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]427 * - Unsets $_GET data (if query strings are not enabled)
428 * - Unsets all globals if register_globals is enabled
429 * - Standardizes newline characters to \n
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]430 *
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]431 * @return void
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]432 */
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame^]433 protected function _sanitize_globals()
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]434 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]435 // It would be "wrong" to unset any of these GLOBALS.
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]436 $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST',
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]437 '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
438 'system_folder', 'application_folder', 'BM', 'EXT',
439 'CFG', 'URI', 'RTR', 'OUT', 'IN'
440 );
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]441
Barry Mienydd671972010-10-04 16:33:58 +0200[diff] [blame]442 // Unset globals for securiy.
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]443 // This is effectively the same as register_globals = off
444 foreach (array($_GET, $_POST, $_COOKIE) as $global)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]445 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]446 if ( ! is_array($global))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]447 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]448 if ( ! in_array($global, $protected))
449 {
450 global $$global;
451 $$global = NULL;
452 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]453 }
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]454 else
455 {
456 foreach ($global as $key => $val)
457 {
458 if ( ! in_array($key, $protected))
459 {
460 global $$key;
461 $$key = NULL;
462 }
463 }
464 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]465 }
466
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]467 // Is $_GET data allowed? If not we'll set the $_GET to an empty array
468 if ($this->_allow_get_array == FALSE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]469 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]470 $_GET = array();
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]471 }
472 else
473 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]474 if (is_array($_GET) AND count($_GET) > 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]475 {
Pascal Kriete5d5895f2011-02-14 13:27:07 -0500[diff] [blame]476 foreach ($_GET as $key => $val)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]477 {
478 $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
479 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]480 }
481 }
482
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]483 // Clean $_POST Data
484 if (is_array($_POST) AND count($_POST) > 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]485 {
Pascal Kriete5d5895f2011-02-14 13:27:07 -0500[diff] [blame]486 foreach ($_POST as $key => $val)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]487 {
488 $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
489 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]490 }
491
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]492 // Clean $_COOKIE Data
493 if (is_array($_COOKIE) AND count($_COOKIE) > 0)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]494 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]495 // Also get rid of specially treated cookies that might be set by a server
496 // or silly application, that are of no use to a CI application anyway
497 // but that when present will trip our 'Disallowed Key Characters' alarm
498 // http://www.ietf.org/rfc/rfc2109.txt
499 // note that the key names below are single quoted strings, and are not PHP variables
500 unset($_COOKIE['$Version']);
501 unset($_COOKIE['$Path']);
502 unset($_COOKIE['$Domain']);
503
Pascal Kriete5d5895f2011-02-14 13:27:07 -0500[diff] [blame]504 foreach ($_COOKIE as $key => $val)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]505 {
506 $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
507 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]508 }
509
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]510 // Sanitize PHP_SELF
511 $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
512
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]513 // CSRF Protection check
514 if ($this->_enable_csrf == TRUE)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]515 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]516 $this->security->csrf_verify();
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]517 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]518
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame^]519 log_message('debug', 'Global POST and COOKIE data sanitized');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]520 }
521
522 // --------------------------------------------------------------------
523
524 /**
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]525 * Clean Input Data
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]526 *
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]527 * This is a helper function. It escapes data and
528 * standardizes newline characters to \n
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]529 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]530 * @param string
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]531 * @return string
532 */
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame^]533 protected function _clean_input_data($str)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]534 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]535 if (is_array($str))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]536 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]537 $new_array = array();
538 foreach ($str as $key => $val)
539 {
540 $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
541 }
542 return $new_array;
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]543 }
544
Andrey Andreevaf728622011-10-20 10:11:59 +0300[diff] [blame]545 /* We strip slashes if magic quotes is on to keep things consistent
546
547 NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
548 it will probably not exist in future versions at all.
549 */
550 if ( ! is_php('5.4') && get_magic_quotes_gpc())
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]551 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]552 $str = stripslashes($str);
553 }
554
555 // Clean UTF-8 if supported
556 if (UTF8_ENABLED === TRUE)
557 {
558 $str = $this->uni->clean_string($str);
559 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]560
Pascal Kriete14a0ac62011-04-05 14:55:56 -0400[diff] [blame]561 // Remove control characters
562 $str = remove_invisible_characters($str);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]563
564 // Should we filter the input data?
565 if ($this->_enable_xss === TRUE)
566 {
567 $str = $this->security->xss_clean($str);
568 }
569
570 // Standardize newlines if needed
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]571 if ($this->_standardize_newlines == TRUE AND strpos($str, "\r") !== FALSE)
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]572 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]573 return str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]574 }
575
576 return $str;
577 }
578
579 // --------------------------------------------------------------------
580
581 /**
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]582 * Clean Keys
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]583 *
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]584 * This is a helper function. To prevent malicious users
585 * from trying to exploit keys we make sure that keys are
586 * only named with alpha-numeric text and a few other items.
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]587 *
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]588 * @param string
589 * @return string
590 */
Andrey Andreev90cfe142012-01-08 04:46:42 +0200[diff] [blame^]591 protected function _clean_input_keys($str)
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]592 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]593 if ( ! preg_match('/^[a-z0-9:_\/-]+$/i', $str))
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]594 {
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]595 exit('Disallowed Key Characters.');
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]596 }
597
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]598 // Clean UTF-8 if supported
599 if (UTF8_ENABLED === TRUE)
600 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]601 return $this->uni->clean_string($str);
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]602 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]603
Derek Jones69fc4fc2010-03-02 13:36:31 -0600[diff] [blame]604 return $str;
605 }
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]606
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]607 // --------------------------------------------------------------------
608
609 /**
610 * Request Headers
611 *
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]612 * In Apache, you can simply call apache_request_headers(), however for
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]613 * people running other webservers the function is undefined.
614 *
David Behlercda768a2011-08-14 23:52:48 +0200[diff] [blame]615 * @param bool XSS cleaning
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]616 * @return array
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]617 */
618 public function request_headers($xss_clean = FALSE)
619 {
620 // Look at Apache go!
621 if (function_exists('apache_request_headers'))
622 {
623 $headers = apache_request_headers();
624 }
625 else
626 {
627 $headers['Content-Type'] = (isset($_SERVER['CONTENT_TYPE'])) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');
628
629 foreach ($_SERVER as $key => $val)
630 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]631 if (strpos($key, 'HTTP_') === 0)
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]632 {
633 $headers[substr($key, 5)] = $this->_fetch_from_array($_SERVER, $key, $xss_clean);
634 }
635 }
636 }
637
638 // take SOME_HEADER and turn it into Some-Header
639 foreach ($headers as $key => $val)
640 {
641 $key = str_replace('_', ' ', strtolower($key));
642 $key = str_replace(' ', '-', ucwords($key));
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]643
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]644 $this->headers[$key] = $val;
645 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]646
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]647 return $this->headers;
648 }
649
650 // --------------------------------------------------------------------
651
652 /**
653 * Get Request Header
654 *
655 * Returns the value of a single member of the headers class member
656 *
657 * @param string array key for $this->headers
658 * @param boolean XSS Clean or not
659 * @return mixed FALSE on failure, string on success
660 */
661 public function get_request_header($index, $xss_clean = FALSE)
662 {
663 if (empty($this->headers))
664 {
665 $this->request_headers();
666 }
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]667
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]668 if ( ! isset($this->headers[$index]))
669 {
670 return FALSE;
671 }
672
673 if ($xss_clean === TRUE)
674 {
Pascal Kriete14a0ac62011-04-05 14:55:56 -0400[diff] [blame]675 return $this->security->xss_clean($this->headers[$index]);
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]676 }
677
David Behler9b5df592011-08-14 21:04:17 +0200[diff] [blame]678 return $this->headers[$index];
Greg Akerec2f5712010-11-15 16:22:12 -0600[diff] [blame]679 }
680
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]681 // --------------------------------------------------------------------
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]682
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]683 /**
684 * Is ajax Request?
685 *
686 * Test to see if a request contains the HTTP_X_REQUESTED_WITH header
687 *
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]688 * @return boolean
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]689 */
690 public function is_ajax_request()
691 {
Greg Aker2fae66e2010-12-09 15:49:34 -0600[diff] [blame]692 return ($this->server('HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest');
Greg Aker081ac9d2010-11-22 14:42:53 -0600[diff] [blame]693 }
694
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]695 // --------------------------------------------------------------------
696
697 /**
698 * Is cli Request?
699 *
700 * Test to see if a request was made from the command line
701 *
702 * @return boolean
703 */
704 public function is_cli_request()
705 {
Andrey Andreev64e98aa2012-01-07 20:29:10 +0200[diff] [blame]706 return (php_sapi_name() === 'cli') or defined('STDIN');
Phil Sturgeonc3828712011-01-19 12:31:47 +0000[diff] [blame]707 }
708
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]709}
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]710
711/* End of file Input.php */
Phil Sturgeon33ed0f32011-02-16 19:03:49 +0000[diff] [blame]712/* Location: ./system/core/Input.php */