Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / f3c4f277a7d0dfcddcfb4656f439b660a7398831 / . / user_guide / libraries / input.html
blob: e7c21de3beb7705c582967d18332bef0abe077dd [file] [log] [blame]
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
3<head>
4
5<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
6<title>Input Class : CodeIgniter User Guide</title>
7
8<style type='text/css' media='all'>@import url('../userguide.css');</style>
9<link rel='stylesheet' type='text/css' media='all' href='../userguide.css' />
10
11<script type="text/javascript" src="../nav/nav.js"></script>
12<script type="text/javascript" src="../nav/prototype.lite.js"></script>
13<script type="text/javascript" src="../nav/moo.fx.js"></script>
14<script type="text/javascript" src="../nav/user_guide_menu.js"></script>
15
16<meta http-equiv='expires' content='-1' />
17<meta http-equiv= 'pragma' content='no-cache' />
18<meta name='robots' content='all' />
19<meta name='author' content='ExpressionEngine Dev Team' />
20<meta name='description' content='CodeIgniter User Guide' />
21
22</head>
23<body>
24
25<!-- START NAVIGATION -->
26<div id="nav"><div id="nav_inner"><script type="text/javascript">create_menu('../');</script></div></div>
27<div id="nav2"><a name="top"></a><a href="javascript:void(0);" onclick="myHeight.toggle();"><img src="../images/nav_toggle_darker.jpg" width="154" height="43" border="0" title="Toggle Table of Contents" alt="Toggle Table of Contents" /></a></div>
28<div id="masthead">
29<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
30<tr>
Derek Jonesbbedc762009-09-11 14:47:37 +0000[diff] [blame]31<td><h1>CodeIgniter User Guide Version 1.7.2</h1></td>
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]32<td id="breadcrumb_right"><a href="../toc.html">Table of Contents Page</a></td>
33</tr>
34</table>
35</div>
36<!-- END NAVIGATION -->
37
38
39<!-- START BREADCRUMB -->
40<table cellpadding="0" cellspacing="0" border="0" style="width:100%">
41<tr>
42<td id="breadcrumb">
43<a href="http://codeigniter.com/">CodeIgniter Home</a> &nbsp;&#8250;&nbsp;
44<a href="../index.html">User Guide Home</a> &nbsp;&#8250;&nbsp;
45Input and Security Class
46</td>
47<td id="searchbox"><form method="get" action="http://www.google.com/search"><input type="hidden" name="as_sitesearch" id="as_sitesearch" value="codeigniter.com/user_guide/" />Search User Guide&nbsp; <input type="text" class="input" style="width:200px;" name="q" id="q" size="31" maxlength="255" value="" />&nbsp;<input type="submit" class="submit" name="sa" value="Go" /></form></td>
48</tr>
49</table>
50<!-- END BREADCRUMB -->
51
52<br clear="all" />
53
54
55<!-- START CONTENT -->
56<div id="content">
57
58
59<h1>Input Class</h1>
60
61<p>The Input Class serves two purposes:</p>
62
63<ol>
64<li>It pre-processes global input data for security.</li>
65<li>It provides some helper functions for fetching input data and pre-processing it.</li>
66</ol>
67
68<p class="important"><strong>Note:</strong> This class is initialized automatically by the system so there is no need to do it manually.</p>
69
70
71<h2>Security Filtering</h2>
72
73<p>The security filtering function is called automatically when a new <a href="../general/controllers.html">controller</a> is invoked. It does the following:</p>
74
75<ul>
76<li>Destroys the global GET array. Since CodeIgniter does not utilize GET strings, there is no reason to allow it.</li>
77<li>Destroys all global variables in the event register_globals is turned on.</li>
78<li>Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.</li>
79<li>Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.</li>
80<li>Standardizes newline characters to \n</li>
81</ul>
82
83
84<h2>XSS Filtering</h2>
85
86<p>CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter
87all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does <strong>not</strong>
88run globally since it requires a bit of processing overhead, and since you may not need it in all cases.</p>
89
90<p>The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies
91or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.</p>
92
93<p>
94Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.</p>
95
96
97<p>To filter data through the XSS filter use this function:</p>
98
99<h2>$this->input->xss_clean()</h2>
100
101<p>Here is an usage example:</p>
102
103<code>$data = $this->input->xss_clean($data);</code>
104
105<p>If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your
106<kbd>application/config/config.php</kbd> file and setting this:</p>
107
108<code>$config['global_xss_filtering'] = TRUE;</code>
109
110<p>Note: If you use the form validation class, it gives you the option of XSS filtering as well.</p>
111
112<p>An optional second parameter, <dfn>is_image</dfn>, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to <dfn>TRUE</dfn>, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.</p>
113
114<code>if ($this->input->xss_clean($file, TRUE) === FALSE)<br />
115{<br />
116&nbsp;&nbsp;&nbsp;&nbsp;// file failed the XSS test<br />
117}</code>
118
119
120<h2>Using POST, COOKIE, or SERVER Data</h2>
121
122<p>CodeIgniter comes with three helper functions that let you fetch POST, COOKIE or SERVER items. The main advantage of using the provided
123functions rather than fetching an item directly ($_POST['something']) is that the functions will check to see if the item is set and
124return false (boolean) if not. This lets you conveniently use data without having to test whether an item exists first.
125In other words, normally you might do something like this:</p>
126
127<code>
128if ( ! isset($_POST['something']))<br />
129{<br />
130&nbsp;&nbsp;&nbsp;&nbsp;$something = FALSE;<br />
131}<br />
132else<br />
133{<br />
134&nbsp;&nbsp;&nbsp;&nbsp;$something = $_POST['something'];<br />
135}</code>
136
137<p>With CodeIgniter's built in functions you can simply do this:</p>
138
139<code>$something = $this->input->post('something');</code>
140
141<p>The three functions are:</p>
142
143<ul>
144<li>$this->input->post()</li>
145<li>$this->input->cookie()</li>
146<li>$this->input->server()</li>
147</ul>
148
149<h2>$this->input->post()</h2>
150
151<p>The first parameter will contain the name of the POST item you are looking for:</p>
152
153<code>$this->input->post('some_data');</code>
154
155<p>The function returns FALSE (boolean) if the item you are attempting to retrieve does not exist.</p>
156
157<p>The second optional parameter lets you run the data through the XSS filter. It's enabled by setting the second parameter to boolean TRUE;</p>
158
159<code>$this->input->post('some_data', TRUE);</code>
160
161<h2>$this->input->get()</h2>
162
163<p>This function is identical to the post function, only it fetches get data:</p>
164
165<code>$this->input->get('some_data', TRUE);</code>
166
167<h2>$this->input->get_post()</h2>
168
169<p>This function will search through both the post and get streams for data, looking first in post, and then in get:</p>
170
171<code>$this->input->get_post('some_data', TRUE);</code>
172
173<h2>$this->input->cookie()</h2>
174
175<p>This function is identical to the post function, only it fetches cookie data:</p>
176
177<code>$this->input->cookie('some_data', TRUE);</code>
178
179<h2>$this->input->server()</h2>
180
181<p>This function is identical to the above functions, only it fetches server data:</p>
182
183<code>$this->input->server('some_data');</code>
184
185
186
187
188<h2>$this->input->ip_address()</h2>
189<p>Returns the IP address for the current user. If the IP address is not valid, the function will return an IP of: 0.0.0.0</p>
190<code>echo $this->input->ip_address();</code>
191
192
193<h2>$this->input->valid_ip(<var>$ip</var>)</h2>
194
195<p>Takes an IP address as input and returns TRUE or FALSE (boolean) if it is valid or not. Note: The $this->input->ip_address() function above
196validates the IP automatically.</p>
197
198<code>if ( ! $this-&gt;input-&gt;valid_ip($ip))<br />
199{<br />
200&nbsp;&nbsp;&nbsp;&nbsp; echo 'Not Valid';<br />
201}<br />
202else<br />
203{<br />
204&nbsp;&nbsp;&nbsp;&nbsp; echo 'Valid';<br />
205}</code>
206
207
208<h2>$this->input->user_agent()</h2>
209<p>Returns the user agent (web browser) being used by the current user. Returns FALSE if it's not available.</p>
210<code>echo $this->input->user_agent();</code>
211
212
213
214
215</div>
216<!-- END CONTENT -->
217
218
219<div id="footer">
220<p>
221Previous Topic:&nbsp;&nbsp;<a href="image_lib.html">Image Manipulation Class</a>
222&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
223<a href="#top">Top of Page</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
224<a href="../index.html">User Guide Home</a>&nbsp;&nbsp;&nbsp;&middot;&nbsp;&nbsp;
225Next Topic:&nbsp;&nbsp;<a href="loader.html">Loader Class</a>
226</p>
Derek Jonesfc395a12009-04-22 14:15:09 +0000[diff] [blame]227<p><a href="http://codeigniter.com">CodeIgniter</a> &nbsp;&middot;&nbsp; Copyright &#169; 2006-2009 &nbsp;&middot;&nbsp; <a href="http://ellislab.com/">Ellislab, Inc.</a></p>
Derek Allard2067d1a2008-11-13 22:59:24 +0000[diff] [blame]228</div>
229
230</body>
adminb0dd10f2006-08-25 17:25:49 +0000[diff] [blame]231</html>