CI框架源码阅读---------Input.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');/** * CodeIgniter * * An open source application development framework for PHP 5.1.6 or newer * * @package CodeIgniter * @author ExpressionEngine Dev Team * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc. * @license http://codeigniter.com/user_guide/license.html * @link http://codeigniter.com * @since Version 1.0 * @filesource */// ------------------------------------/** * Input Class * * Pre-processes global input data for security * * @package CodeIgniter * @subpackage Libraries * @category Input * @author ExpressionEngine Dev Team * @link http://codeigniter.com/user_guide/libraries/input.html */class CI_Input { /** * IP address of the current user * 当前用户的ip地址 * @var string */ var $ip_address = FALSE; /** * user agent (web browser) being used by the current user * 当前用户(web浏览器)代理 * @var string */ var $user_agent = FALSE; /** * If FALSE, then $_GET will be set to an empty array * 如果是FALSE , $_GET将被设置为空数组 * @var bool */ var $_allow_get_array = TRUE; /** * If TRUE, then newlines are standardized * 如果为TRUR,新行将被标准化 * * @var bool */ var $_standardize_newlines = TRUE; /** * Determines whether the XSS filter is always active when GET, POST or COOKIE data is encountered * Set automatically based on config setting * 决定是否总是在GET ,POST , COOKIE数据中进行XSS过滤 * 在配置选项里面配置是否自动开启 * * @var bool */ var $_enable_xss = FALSE; /** * Enables a CSRF cookie token to be set. * Set automatically based on config setting * 允许CSRF cookie令牌 * * @var bool */ var $_enable_csrf = FALSE; /** * List of all HTTP request headers * HTTP请求头部的列表 * @var array */ protected $headers = array(); /** * Constructor * 设置是否全局允许XSS处理和是否允许使用$_GET数组 * Sets whether to globally enable the XSS processing * and whether to allow the $_GET array * * @return void */ public function __construct() { log_message('debug', "Input Class Initialized"); // 从配置文件中获取是否进行全局允许使用$_GET XSS过滤和csrf保护 $this->_allow_get_array = (config_item('allow_get_array') === TRUE); $this->_enable_xss = (config_item('global_xss_filtering') === TRUE); $this->_enable_csrf = (config_item('csrf_protection') === TRUE); // 清除globals变量,在开启了globals_register的情况下,相当于关闭了此配置。 // 开启一道 安全防护 global $SEC; $this->security =& $SEC; // Do we need the UTF-8 class? if (UTF8_ENABLED === TRUE) { global $UNI; $this->uni =& $UNI; } // Sanitize global arrays $this->_sanitize_globals(); } // -------------------------------- /** * Fetch from array * 从$array获取值,如果设置了xss_clean 那么进行过滤 * This is a helper function to retrieve 检索 values from global arrays * 这是一个帮助函数用来从全局数组中检索 * * @access private * @param array * @param string * @param bool * @return string */ function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE) { if ( ! isset($array[$index])) { return FALSE; } if ($xss_clean === TRUE) { return $this->security->xss_clean($array[$index]); } return $array[$index]; } // -------------------------------- /** * Fetch an item from the GET array * 获取过滤后的GET数组 * @access public * @param string * @param bool * @return string */ function get($index = NULL, $xss_clean = FALSE) { // Check if a field has been provided // 检查是否一个字段已经被提供 if ($index === NULL AND ! empty($_GET)) { $get = array(); // loop through the full _GET array // 遍历_GET数组 foreach (array_keys($_GET) as $key) { $get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean); } return $get; } return $this->_fetch_from_array($_GET, $index, $xss_clean); } // -------------------------------- /** * Fetch an item from the POST array * 获取过滤后的$_POST值 * @access public * @param string * @param bool * @return string */ function post($index = NULL, $xss_clean = FALSE) { // Check if a field has been provided if ($index === NULL AND ! empty($_POST)) { $post = array(); // Loop through the full _POST array and return it foreach (array_keys($_POST) as $key) { $post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean); } return $post; } return $this->_fetch_from_array($_POST, $index, $xss_clean); } // -------------------------------- /** * Fetch an item from either the GET array or the POST * 从get和post中获取值, post优先 * @access public * @param string The index key * @param bool XSS cleaning * @return string */ function get_post($index = '', $xss_clean = FALSE) { if ( ! isset($_POST[$index]) ) { return $this->get($index, $xss_clean); } else { return $this->post($index, $xss_clean); } } // -------------------------------- /** * Fetch an item from the COOKIE array * 返回过滤后的COOKIE值 * @access public * @param string * @param bool * @return string */ function cookie($index = '', $xss_clean = FALSE) { return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); } // ------------------------------------ /** * Set cookie * * Accepts six parameter, or you can submit an associative * array in the first parameter containing all the values. * 接收6个参数或者接收一个关联数组里面包含所有的值 * @access public * @param mixed * @param string the value of the cookie * @param string the number of seconds until expiration * @param string the cookie domain. Usually: .yourdomain.com * @param string the cookie path * @param string the cookie prefix * @param bool true makes the cookie secure * @return void */ function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE) { // 如果第一个值是数组 将数组中的值分别赋值给留个参数 if (is_array($name)) { // always leave 'name' in last place, as the loop will break otherwise, due to $$item foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item) { if (isset($name[$item])) { $$item = $name[$item]; } } } // 如果某个参数为默认值但是config.php中的配置不是默认值 // 则使用config.php中的配置值 if ($prefix == '' AND config_item('cookie_prefix') != '') { $prefix = config_item('cookie_prefix'); } if ($domain == '' AND config_item('cookie_domain') != '') { $domain = config_item('cookie_domain'); } if ($path == '/' AND config_item('cookie_path') != '/') { $path = config_item('cookie_path'); } if ($secure == FALSE AND config_item('cookie_secure') != FALSE) { $secure = config_item('cookie_secure'); } if ( ! is_numeric($expire)) { $expire = time() - 86500; } else { $expire = ($expire > 0) ? time() + $expire : 0; } setcookie($prefix.$name, $value, $expire, $path, $domain, $secure); } // -------------------------------- /** * Fetch an item from the SERVER array * 返回过滤后的$_SERVER值 * @access public * @param string * @param bool * @return string */ function server($index = '', $xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, $index, $xss_clean); } // -------------------------------- /** * Fetch the IP Address * 返回当前用户的IP。如果IP地址无效,返回0.0.0.0的IP: * @return string */ public function ip_address() { // 如果已经有了ip_address 则返回 if ($this->ip_address !== FALSE) { return $this->ip_address; } $proxy_ips = config_item('proxy_ips'); if ( ! empty($proxy_ips)) { $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header) { if (($spoof = $this->server($header)) !== FALSE) { // Some proxies typically list the whole chain of IP // addresses through which the client has reached us. // e.g. client_ip, proxy_ip1, proxy_ip2, etc. if (strpos($spoof, ',') !== FALSE) { $spoof = explode(',', $spoof, 2); $spoof = $spoof[0]; } if ( ! $this->valid_ip($spoof)) { $spoof = FALSE; } else { break; } } } $this->ip_address = ($spoof !== FALSE && in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE)) ? $spoof : $_SERVER['REMOTE_ADDR']; } else { $this->ip_address = $_SERVER['REMOTE_ADDR']; } if ( ! $this->valid_ip($this->ip_address)) { $this->ip_address = '0.0.0.0'; } return $this->ip_address; } // -------------------------------- /** * Validate IP Address * 测试输入的IP地址是不是有效,返回布尔值TRUE或者FALSE。 * 注意:$this->input->ip_address()自动测试输入的IP地址本身格式是不是有效。 * @access public * @param string * @param string ipv4 or ipv6 * @return bool */ public function valid_ip($ip, $which = '') { $which = strtolower($which); // First check if filter_var is available if (is_callable('filter_var')) { switch ($which) { case 'ipv4': $flag = FILTER_FLAG_IPV4; break; case 'ipv6': $flag = FILTER_FLAG_IPV6; break; default: $flag = ''; break; } return (bool) filter_var($ip, FILTER_VALIDATE_IP, $flag); } if ($which !== 'ipv6' && $which !== 'ipv4') { if (strpos($ip, ':') !== FALSE) { $which = 'ipv6'; } elseif (strpos($ip, '.') !== FALSE) { $which = 'ipv4'; } else { return FALSE; } } $func = '_valid_'.$which; return $this->$func($ip); } // -------------------------------- /** * Validate IPv4 Address * 验证ipv4地址 * Updated version suggested by Geert De Deckere * * @access protected * @param string * @return bool */ protected function _valid_ipv4($ip) { $ip_segments = explode('.', $ip); // Always 4 segments needed if (count($ip_segments) !== 4) { return FALSE; } // IP can not start with 0 if ($ip_segments[0][0] == '0') { return FALSE; } // Check each segment foreach ($ip_segments as $segment) { // IP segments must be digits and can not be // longer than 3 digits or greater then 255 if ($segment == '' OR preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3) { return FALSE; } } return TRUE; } // -------------------------------- /** * Validate IPv6 Address * 验证ipv6地址 * @access protected * @param string * @return bool */ protected function _valid_ipv6($str) { // 8 groups, separated by : // 0-ffff per group // one set of consecutive 0 groups can be collapsed to :: $groups = 8; $collapsed = FALSE; $chunks = array_filter( preg_split('/(:{1,2})/', $str, NULL, PREG_SPLIT_DELIM_CAPTURE) ); // Rule out easy nonsense if (current($chunks) == ':' OR end($chunks) == ':') { return FALSE; } // PHP supports IPv4-mapped IPv6 addresses, so we'll expect those as well if (strpos(end($chunks), '.') !== FALSE) { $ipv4 = array_pop($chunks); if ( ! $this->_valid_ipv4($ipv4)) { return FALSE; } $groups--; } while ($seg = array_pop($chunks)) { if ($seg[0] == ':') { if (--$groups == 0) { return FALSE; // too many groups } if (strlen($seg) > 2) { return FALSE; // long separator } if ($seg == '::') { if ($collapsed) { return FALSE; // multiple collapsed } $collapsed = TRUE; } } elseif (preg_match("/[^0-9a-f]/i", $seg) OR strlen($seg) > 4) { return FALSE; // invalid segment } } return $collapsed OR $groups == 1; } // -------------------------------- /** * User Agent * 返回当前用户正在使用的浏览器的user agent信息。 如果不能得到数据,返回FALSE。 * 一般user_agent为空的时候被认定为手机访问,或者curl的抓取,或则会蜘蛛抓取 * @access public * @return string */ function user_agent() { if ($this->user_agent !== FALSE) { return $this->user_agent; } $this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT']; return $this->user_agent; } // -------------------------------- /** * Sanitize Globals * 清理全局数组 * This function does the following: * 这个函数做了下面的操作: * Unsets $_GET data (if query strings are not enabled) * 销毁$_GET (如果query strings 没有开启) * Unsets all globals if register_globals is enabled * 销毁所有全局数组如果register_globals开启 * * Standardizes newline characters to \n * 标准化换行符\n * @access private * @return void */ function _sanitize_globals() { // It would be "wrong" to unset any of these GLOBALS. // 销毁下面的全局数组将是错误的。 $protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA', 'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN'); // Unset globals for securiy.为了安全销毁除了上面之外的全局数组 // This is effectively the same as register_globals = off // 这样的效果和register_globals是相同的 // 经过下面处理后,所有的非保护的全局变量将被删除掉 foreach (array($_GET, $_POST, $_COOKIE) as $global) { if ( ! is_array($global)) { if ( ! in_array($global, $protected)) { global $$global; $$global = NULL; } } else { foreach ($global as $key => $val) { if ( ! in_array($key, $protected)) { global $$key; $$key = NULL; } } } } // Is $_GET data allowed? If not we'll set the $_GET to an empty array // 是否允许$_GET数据? 如果不允许的话,设置$_GET为空数组 if ($this->_allow_get_array == FALSE) { $_GET = array(); } else { if (is_array($_GET) AND count($_GET) > 0) { foreach ($_GET as $key => $val) { $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } } } // Clean $_POST Data // 过滤$_POST 数组 if (is_array($_POST) AND count($_POST) > 0) { foreach ($_POST as $key => $val) { $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } } // Clean $_COOKIE Data // 过滤$_COOKIE数组 if (is_array($_COOKIE) AND count($_COOKIE) > 0) { // Also get rid of specially treated cookies that might be set by a server // or silly application, that are of no use to a CI application anyway // but that when present will trip our 'Disallowed Key Characters' alarm // http://www.ietf.org/rfc/rfc2109.txt // note that the key names below are single quoted strings, and are not PHP variables unset($_COOKIE['$Version']); unset($_COOKIE['$Path']); unset($_COOKIE['$Domain']); foreach ($_COOKIE as $key => $val) { $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } } // Sanitize PHP_SELF $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); // CSRF Protection check on HTTP requests // CSRF保护检测http请求 if ($this->_enable_csrf == TRUE && ! $this->is_cli_request()) { $this->security->csrf_verify(); } log_message('debug', "Global POST and COOKIE data sanitized"); } // -------------------------------- /** * Clean Input Data * 过滤input数据 * This is a helper function. It escapes data and * standardizes newline characters to \n * * @access private * @param string * @return string */ function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } return $new_array; } /* We strip slashes if magic quotes is on to keep things consistent 如果小于PHP5.4版本,并且get_magic_quotes_gpc开启了,则去掉斜线。 NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and it will probably not exist in future versions at all。 注意:在PHP5.4及之后版本,get_magic_quotes_gpc()将总是返回0, 在后续版本中可能会移除该特性 */ if ( ! is_php('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } // Clean UTF-8 if supported 如果支持清理utf8 if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } // Remove control characters $str = remove_invisible_characters($str); // Should we filter the input data? if ($this->_enable_xss === TRUE) { $str = $this->security->xss_clean($str); } // Standardize newlines if needed if ($this->_standardize_newlines == TRUE) { if (strpos($str, "\r") !== FALSE) { $str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str); } } return $str; } // -------------------------------- /** * Clean Keys * 过滤键值 * This is a helper function. To prevent malicious users * from trying to exploit keys we make sure that keys are * only named with alpha-numeric text and a few other items. * * @access private * @param string * @return string */ function _clean_input_keys($str) { if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) { exit('Disallowed Key Characters.'); } // Clean UTF-8 if supported if (UTF8_ENABLED === TRUE) { $str = $this->uni->clean_string($str); } return $str; } // -------------------------------- /** * Request Headers * 返回请求头(header)数组。 * In Apache, you can simply call apache_request_headers(), however for * people running other webservers the function is undefined. * * @param bool XSS cleaning * * @return array */ public function request_headers($xss_clean = FALSE) { // Look at Apache go! if (function_exists('apache_request_headers')) { $headers = apache_request_headers(); } else { $headers['Content-Type'] = (isset($_SERVER['CONTENT_TYPE'])) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE'); foreach ($_SERVER as $key => $val) { if (strncmp($key, 'HTTP_', 5) === 0) { $headers[substr($key, 5)] = $this->_fetch_from_array($_SERVER, $key, $xss_clean); } } } // take SOME_HEADER and turn it into Some-Header foreach ($headers as $key => $val) { $key = str_replace('_', ' ', strtolower($key)); $key = str_replace(' ', '-', ucwords($key)); $this->headers[$key] = $val; } return $this->headers; } // -------------------------------- /** * Get Request Header * 返回请求头(request header)数组中某一个元素的值 * Returns the value of a single member of the headers class member * * @param string array key for $this->headers * @param boolean XSS Clean or not * @return mixed FALSE on failure, string on success */ public function get_request_header($index, $xss_clean = FALSE) { if (empty($this->headers)) { $this->request_headers(); } if ( ! isset($this->headers[$index])) { return FALSE; } if ($xss_clean === TRUE) { return $this->security->xss_clean($this->headers[$index]); } return $this->headers[$index]; } // -------------------------------- /** * Is ajax Request? * 判断是否为ajax请求 * Test to see if a request contains the HTTP_X_REQUESTED_WITH header * * @return boolean */ public function is_ajax_request() { return ($this->server('HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest'); } // -------------------------------- /** * Is cli Request? * 判断是否来自cli请求 * Test to see if a request was made from the command line * * @return bool */ public function is_cli_request() { return (php_sapi_name() === 'cli' OR defined('STDIN')); }}/* End of file Input.php *//* Location: ./system/core/Input.php */

In PHP können Sie Session_Status () oder Session_id () verwenden, um zu überprüfen, ob die Sitzung gestartet wurde. 1) Verwenden Sie die Funktion Session_Status (). Wenn PHP_Session_Active zurückgegeben wird, wurde die Sitzung gestartet. 2) Verwenden Sie die Funktion Session_id (), wenn eine nicht leere Zeichenfolge zurückgegeben wird, die Sitzung gestartet wurde. Beide Methoden können den Sitzungszustand effektiv überprüfen, und die Auswahl der Verwendung von Methoden hängt von der PHP -Version und den persönlichen Einstellungen ab.

SESSIONS AREVITALINWEBAPPLIKATIONEN, Besonders vor den Commerceplatformen

Verwalten des gleichzeitigen Sitzungszugriffs in PHP kann mit den folgenden Methoden erfolgen: 1. Verwenden Sie die Datenbank, um Sitzungsdaten zu speichern, 2.. Diese Methoden tragen dazu bei, die Datenkonsistenz sicherzustellen und die Gleichzeitleistung zu verbessern.

PhpSessionShaveseverallimitationen: 1) StorageConstraintScanleadtoperformanceISSues; 2) SecurityVulnerabilitieslikeSessionFixationAtpaSexist; 3) Skalierbarkeits-IschallengingDuetoServer-spezifisch; 4) SessionExpirationManbeproblematic;

Lastausgleich beeinflusst das Sitzungsmanagement, kann jedoch durch Sitzungsreplikation, Sitzungsklebrigkeit und zentraler Sitzungsspeicher gelöst werden. 1. Sitzungsreplikationsdaten zwischen Servern. 2. Session Stickiness lenkt Benutzeranfragen auf denselben Server. 3. Zentraler Sitzungsspeicher verwendet unabhängige Server wie Redis, um Sitzungsdaten zu speichern, um die Datenfreigabe zu gewährleisten.

SessionLockingIsatechniqueUTToensureUsers'SSessionSessionSeSexclusivetooneuseratatim.itiscrialtforpreventingDatacorruptionandSecurityBreachesinmulti-UserApplications

Zu den Alternativen zu PHP-Sitzungen gehören Cookies, Token-basierte Authentifizierung, datenbankbasierte Sitzungen und Redis/Memcached. 1. Kookies verwalten Sitzungen, indem sie Daten über den Kunden speichern, was einfach, aber nur gering ist. 2. Altbasierte Authentifizierung verwendet Token, um Benutzer zu überprüfen, was sehr sicher ist, aber zusätzliche Logik erfordert. 3.Database-basiertssesses speichert Daten in der Datenbank, was eine gute Skalierbarkeit aufweist, die Leistung jedoch beeinflusst. V.

Sessionhijacking bezieht sich auf einen Angreifer, der sich als Benutzer ausgibt, indem die SessionID des Benutzers angezeigt wird. Zu den Präventionsmethoden gehören: 1) Verschlüsseln der Kommunikation mit HTTPS; 2) Überprüfung der Quelle der SessionID; 3) mit einem sicheren Algorithmus zur Sitzung der Sitzung; 4) regelmäßig aktualisieren die SitzungID.


Heiße KI -Werkzeuge

Undresser.AI Undress
KI-gestützte App zum Erstellen realistischer Aktfotos

AI Clothes Remover
Online-KI-Tool zum Entfernen von Kleidung aus Fotos.

Undress AI Tool
Ausziehbilder kostenlos

Clothoff.io
KI-Kleiderentferner

Video Face Swap
Tauschen Sie Gesichter in jedem Video mühelos mit unserem völlig kostenlosen KI-Gesichtstausch-Tool aus!

Heißer Artikel

Heiße Werkzeuge

SAP NetWeaver Server-Adapter für Eclipse
Integrieren Sie Eclipse mit dem SAP NetWeaver-Anwendungsserver.

Herunterladen der Mac-Version des Atom-Editors
Der beliebteste Open-Source-Editor

SecLists
SecLists ist der ultimative Begleiter für Sicherheitstester. Dabei handelt es sich um eine Sammlung verschiedener Arten von Listen, die häufig bei Sicherheitsbewertungen verwendet werden, an einem Ort. SecLists trägt dazu bei, Sicherheitstests effizienter und produktiver zu gestalten, indem es bequem alle Listen bereitstellt, die ein Sicherheitstester benötigen könnte. Zu den Listentypen gehören Benutzernamen, Passwörter, URLs, Fuzzing-Payloads, Muster für vertrauliche Daten, Web-Shells und mehr. Der Tester kann dieses Repository einfach auf einen neuen Testcomputer übertragen und hat dann Zugriff auf alle Arten von Listen, die er benötigt.

Senden Sie Studio 13.0.1
Leistungsstarke integrierte PHP-Entwicklungsumgebung

EditPlus chinesische Crack-Version
Geringe Größe, Syntaxhervorhebung, unterstützt keine Code-Eingabeaufforderungsfunktion
