[php]
/**
* CodeIgniter
*
* An open source application development framework for PHP 5.1.6 or newer
*
* @package CodeIgniter
* @author ExpressionEngine Dev Team
* @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
* @license http://codeigniter.com/user_guide/license.html
* @link http://codeigniter.com
* @since Version 1.0
* @filesource
*/
// ------------------------------------------------------------------------
/**
* Input Class
*
* Pre-processes global input data for security
*
* @package CodeIgniter
* @subpackage Libraries
* @category Input
* @author ExpressionEngine Dev Team
* @link http://codeigniter.com/user_guide/libraries/input.html
*/
class CI_Input {
/**
* IP address of the current user
* 当前用户的ip地址
* @var string
*/
var $ip_address = FALSE;
/**
* user agent (web browser) being used by the current user
* 当前用户(web浏览器)代理
* @var string
*/
var $user_agent = FALSE;
/**
* If FALSE, then $_GET will be set to an empty array
* 如果是FALSE , $_GET将被设置为空数组
* @var bool
*/
var $_allow_get_array = TRUE;
/**
* If TRUE, then newlines are standardized
* 如果为TRUR,新行将被标准化
*
* @var bool
*/
var $_standardize_newlines = TRUE;
/**
* Determines whether the XSS filter is always active when GET, POST or COOKIE data is encountered
* Set automatically based on config setting
* 决定是否总是在GET ,POST , COOKIE数据中进行XSS过滤
* 在配置选项里面配置是否自动开启
*
* @var bool
*/
var $_enable_xss = FALSE;
/**
* Enables a CSRF cookie token to be set.
* Set automatically based on config setting
* 允许CSRF cookie令牌
*
* @var bool
*/
var $_enable_csrf = FALSE;
/**
* List of all HTTP request headers
* HTTP请求头部的列表
* @var array
*/
protected $headers = array();
/**
* Constructor
* 设置是否全局允许XSS处理和是否允许使用$_GET数组
* Sets whether to globally enable the XSS processing
* and whether to allow the $_GET array
*
* @return void
*/
public function __construct()
{
log_message('debug', "Input Class Initialized");
// 从配置文件中获取是否进行全局允许使用$_GET XSS过滤和csrf保护
$this->_allow_get_array = (config_item('allow_get_array') === TRUE);
$this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
$this->_enable_csrf = (config_item('csrf_protection') === TRUE);
// 清除globals变量,在开启了globals_register的情况下,相当于关闭了此配置。
// 开启一道 安全防护
global $SEC;
$this->security =& $SEC;
// Do we need the UTF-8 class?
if (UTF8_ENABLED === TRUE)
{
global $UNI;
$this->uni =& $UNI;
}
// Sanitize global arrays
$this->_sanitize_globals();
}
// --------------------------------------------------------------------
/**
* Fetch from array
* 从$array获取值,如果设置了xss_clean 那么进行过滤
* This is a helper function to retrieve 检索 values from global arrays
* 这是一个帮助函数用来从全局数组中检索
*
* @access private
* @param array
* @param string
* @param bool
* @return string
*/
function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
{
if ( ! isset($array[$index]))
{
return FALSE;
}
if ($xss_clean === TRUE)
{
return $this->security->xss_clean($array[$index]);
}
return $array[$index];
}
// --------------------------------------------------------------------
/**
* Fetch an item from the GET array
* 获取过滤后的GET数组
* @access public
* @param string
* @param bool
* @return string
*/
function get($index = NULL, $xss_clean = FALSE)
{
// Check if a field has been provided
// 检查是否一个字段已经被提供
if ($index === NULL AND ! emptyempty($_GET))
{
$get = array();
// loop through the full _GET array
// 遍历_GET数组
foreach (array_keys($_GET) as $key)
{
$get[$key] = $this->_fetch_from_array($_GET, $key, $xss_clean);
}
return $get;
}
return $this->_fetch_from_array($_GET, $index, $xss_clean);
}
// --------------------------------------------------------------------
/**
* Fetch an item from the POST array
* 获取过滤后的$_POST值
* @access public
* @param string
* @param bool
* @return string
*/
function post($index = NULL, $xss_clean = FALSE)
{
// Check if a field has been provided
if ($index === NULL AND ! emptyempty($_POST))
{
$post = array();
// Loop through the full _POST array and return it
foreach (array_keys($_POST) as $key)
{
$post[$key] = $this->_fetch_from_array($_POST, $key, $xss_clean);
}
return $post;
}
return $this->_fetch_from_array($_POST, $index, $xss_clean);
}
// --------------------------------------------------------------------
/**
* Fetch an item from either the GET array or the POST
* 从get和post中获取值, post优先
* @access public
* @param string The index key
* @param bool XSS cleaning
* @return string
*/
function get_post($index = '', $xss_clean = FALSE)
{
if ( ! isset($_POST[$index]) )
{
return $this->get($index, $xss_clean);
}
else
{
return $this->post($index, $xss_clean);
}
}
// --------------------------------------------------------------------
/**
* Fetch an item from the COOKIE array
* 返回过滤后的COOKIE值
* @access public
* @param string
* @param bool
* @return string
*/
function cookie($index = '', $xss_clean = FALSE)
{
return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
}
// ------------------------------------------------------------------------
/**
* Set cookie
*
* Accepts six parameter, or you can submit an associative
* array in the first parameter containing all the values.
* 接收6个参数或者接收一个关联数组里面包含所有的值
* @access public
* @param mixed
* @param string the value of the cookie
* @param string the number of seconds until expiration
* @param string the cookie domain. Usually: .yourdomain.com
* @param string the cookie path
* @param string the cookie prefix
* @param bool true makes the cookie secure
* @return void
*/
function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = FALSE)
{
// 如果第一个值是数组 将数组中的值分别赋值给留个参数
if (is_array($name))
{
// always leave 'name' in last place, as the loop will break otherwise, due to $$item
foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item)
{
if (isset($name[$item]))
{
$$item = $name[$item];
}
}
}
// 如果某个参数为默认值但是config.php中的配置不是默认值
// 则使用config.php中的配置值
if ($prefix == '' AND config_item('cookie_prefix') != '')
{
$prefix = config_item('cookie_prefix');
}
if ($domain == '' AND config_item('cookie_domain') != '')
{
$domain = config_item('cookie_domain');
}
if ($path == '/' AND config_item('cookie_path') != '/')
{
$path = config_item('cookie_path');
}
if ($secure == FALSE AND config_item('cookie_secure') != FALSE)
{
$secure = config_item('cookie_secure');
}
if ( ! is_numeric($expire))
{
$expire = time() - 86500;
}
else
{
$expire = ($expire > 0) ? time() + $expire : 0;
}
setcookie($prefix.$name, $value, $expire, $path, $domain, $secure);
}
// --------------------------------------------------------------------
/**
* Fetch an item from the SERVER array
* 返回过滤后的$_SERVER值
* @access public
* @param string
* @param bool
* @return string
*/
function server($index = '', $xss_clean = FALSE)
{
return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
}
// --------------------------------------------------------------------
/**
* Fetch the IP Address
* 返回当前用户的IP。如果IP地址无效,返回0.0.0.0的IP:
* @return string
*/
public function ip_address()
{
// 如果已经有了ip_address 则返回
if ($this->ip_address !== FALSE)
{
return $this->ip_address;
}
$proxy_ips = config_item('proxy_ips');
if ( ! emptyempty($proxy_ips))
{
$proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
{
if (($spoof = $this->server($header)) !== FALSE)
{
// Some proxies typically list the whole chain of IP
// addresses through which the client has reached us.
// e.g. client_ip, proxy_ip1, proxy_ip2, etc.
if (strpos($spoof, ',') !== FALSE)
{
$spoof = explode(',', $spoof, 2);
$spoof = $spoof[0];
}
if ( ! $this->valid_ip($spoof))
{
$spoof = FALSE;
}
else
{
break;
}
}
}
$this->ip_address = ($spoof !== FALSE && in_array($_SERVER['REMOTE_ADDR'], $proxy_ips, TRUE))
? $spoof : $_SERVER['REMOTE_ADDR'];
}
else
{
$this->ip_address = $_SERVER['REMOTE_ADDR'];
}
if ( ! $this->valid_ip($this->ip_address))
{
$this->ip_address = '0.0.0.0';
}
return $this->ip_address;
}
// --------------------------------------------------------------------
/**
* Validate IP Address
* 测试输入的IP地址是不是有效,返回布尔值TRUE或者FALSE。
* 注意:$this->input->ip_address()自动测试输入的IP地址本身格式是不是有效。
* @access public
* @param string
* @param string ipv4 or ipv6
* @return bool
*/
public function valid_ip($ip, $which = '')
{
$which = strtolower($which);
// First check if filter_var is available
if (is_callable('filter_var'))
{
switch ($which) {
case 'ipv4':
$flag = FILTER_FLAG_IPV4;
break;
case 'ipv6':
$flag = FILTER_FLAG_IPV6;
break;
default:
$flag = '';
break;
}
return (bool) filter_var($ip, FILTER_VALIDATE_IP, $flag);
}
if ($which !== 'ipv6' && $which !== 'ipv4')
{
if (strpos($ip, ':') !== FALSE)
{
$which = 'ipv6';
}
elseif (strpos($ip, '.') !== FALSE)
{
$which = 'ipv4';
}
else
{
return FALSE;
}
}
$func = '_valid_'.$which;
return $this->$func($ip);
}
// --------------------------------------------------------------------
/**
* Validate IPv4 Address
* 验证ipv4地址
* Updated version suggested by Geert De Deckere
*
* @access protected
* @param string
* @return bool
*/
protected function _valid_ipv4($ip)
{
$ip_segments = explode('.', $ip);
// Always 4 segments needed
if (count($ip_segments) !== 4)
{
return FALSE;
}
// IP can not start with 0
if ($ip_segments[0][0] == '0')
{
return FALSE;
}
// Check each segment
foreach ($ip_segments as $segment)
{
// IP segments must be digits and can not be
// longer than 3 digits or greater then 255
if ($segment == '' OR preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
{
return FALSE;
}
}
return TRUE;
}
// --------------------------------------------------------------------
/**
* Validate IPv6 Address
* 验证ipv6地址
* @access protected
* @param string
* @return bool
*/
protected function _valid_ipv6($str)
{
// 8 groups, separated by :
// 0-ffff per group
// one set of consecutive 0 groups can be collapsed to ::
$groups = 8;
$collapsed = FALSE;
$chunks = array_filter(
preg_split('/(:{1,2})/', $str, NULL, PREG_SPLIT_DELIM_CAPTURE)
);
// Rule out easy nonsense
if (current($chunks) == ':' OR end($chunks) == ':')
{
return FALSE;
}
// PHP supports IPv4-mapped IPv6 addresses, so we'll expect those as well
if (strpos(end($chunks), '.') !== FALSE)
{
$ipv4 = array_pop($chunks);
if ( ! $this->_valid_ipv4($ipv4))
{
return FALSE;
}
$groups--;
}
while ($seg = array_pop($chunks))
{
if ($seg[0] == ':')
{
if (--$groups == 0)
{
return FALSE; // too many groups
}
if (strlen($seg) > 2)
{
return FALSE; // long separator
}
if ($seg == '::')
{
if ($collapsed)
{
return FALSE; // multiple collapsed
}
$collapsed = TRUE;
}
}
elseif (preg_match("/[^0-9a-f]/i", $seg) OR strlen($seg) > 4)
{
return FALSE; // invalid segment
}
}
return $collapsed OR $groups == 1;
}
// --------------------------------------------------------------------
/**
* User Agent
* 返回当前用户正在使用的浏览器的user agent信息。 如果不能得到数据,返回FALSE。
* 一般user_agent为空的时候被认定为手机访问,或者curl的抓取,或则会蜘蛛抓取
* @access public
* @return string
*/
function user_agent()
{
if ($this->user_agent !== FALSE)
{
return $this->user_agent;
}
$this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
return $this->user_agent;
}
// --------------------------------------------------------------------
/**
* Sanitize Globals
* 清理全局数组
* This function does the following:
* 这个函数做了下面的操作:
* Unsets $_GET data (if query strings are not enabled)
* 销毁$_GET (如果query strings 没有开启)
* Unsets all globals if register_globals is enabled
* 销毁所有全局数组如果register_globals开启
*
* Standardizes newline characters to \n
* 标准化换行符\n
* @access private
* @return void
*/
function _sanitize_globals()
{
// It would be "wrong" to unset any of these GLOBALS.
// 销毁下面的全局数组将是错误的。
$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST',
'_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
'system_folder', 'application_folder', 'BM', 'EXT',
'CFG', 'URI', 'RTR', 'OUT', 'IN');
// Unset globals for securiy.为了安全销毁除了上面之外的全局数组
// This is effectively the same as register_globals = off
// 这样的效果和register_globals是相同的
// 经过下面处理后,所有的非保护的全局变量将被删除掉
foreach (array($_GET, $_POST, $_COOKIE) as $global)
{
if ( ! is_array($global))
{
if ( ! in_array($global, $protected))
{
global $$global;
$$global = NULL;
}
}
else
{
foreach ($global as $key => $val)
{
if ( ! in_array($key, $protected))
{
global $$key;
$$key = NULL;
}
}
}
}
// Is $_GET data allowed? If not we'll set the $_GET to an empty array
// 是否允许$_GET数据? 如果不允许的话,设置$_GET为空数组
if ($this->_allow_get_array == FALSE)
{
$_GET = array();
}
else
{
if (is_array($_GET) AND count($_GET) > 0)
{
foreach ($_GET as $key => $val)
{
$_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
}
}
// Clean $_POST Data
// 过滤$_POST 数组
if (is_array($_POST) AND count($_POST) > 0)
{
foreach ($_POST as $key => $val)
{
$_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
}
// Clean $_COOKIE Data
// 过滤$_COOKIE数组
if (is_array($_COOKIE) AND count($_COOKIE) > 0)
{
// Also get rid of specially treated cookies that might be set by a server
// or silly application, that are of no use to a CI application anyway
// but that when present will trip our 'Disallowed Key Characters' alarm
// http://www.ietf.org/rfc/rfc2109.txt
// note that the key names below are single quoted strings, and are not PHP variables
unset($_COOKIE['$Version']);
unset($_COOKIE['$Path']);
unset($_COOKIE['$Domain']);
foreach ($_COOKIE as $key => $val)
{
$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
}
// Sanitize PHP_SELF
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
// CSRF Protection check on HTTP requests
// CSRF保护检测http请求
if ($this->_enable_csrf == TRUE && ! $this->is_cli_request())
{
$this->security->csrf_verify();
}
log_message('debug', "Global POST and COOKIE data sanitized");
}
// --------------------------------------------------------------------
/**
* Clean Input Data
* 过滤input数据
* This is a helper function. It escapes data and
* standardizes newline characters to \n
*
* @access private
* @param string
* @return string
*/
function _clean_input_data($str)
{
if (is_array($str))
{
$new_array = array();
foreach ($str as $key => $val)
{
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
return $new_array;
}
/* We strip slashes if magic quotes is on to keep things consistent
如果小于PHP5.4版本,并且get_magic_quotes_gpc开启了,则去掉斜线。
NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
it will probably not exist in future versions at all。
注意:在PHP5.4及之后版本,get_magic_quotes_gpc()将总是返回0,
在后续版本中可能会移除该特性
*/
if ( ! is_php('5.4') && get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
// Clean UTF-8 if supported 如果支持清理utf8
if (UTF8_ENABLED === TRUE)
{
$str = $this->uni->clean_string($str);
}
// Remove control characters
$str = remove_invisible_characters($str);
// Should we filter the input data?
if ($this->_enable_xss === TRUE)
{
$str = $this->security->xss_clean($str);
}
// Standardize newlines if needed
if ($this->_standardize_newlines == TRUE)
{
if (strpos($str, "\r") !== FALSE)
{
$str = str_replace(array("\r\n", "\r", "\r\n\n"), PHP_EOL, $str);
}
}
return $str;
}
// --------------------------------------------------------------------
/**
* Clean Keys
* 过滤键值
* This is a helper function. To prevent malicious users
* from trying to exploit keys we make sure that keys are
* only named with alpha-numeric text and a few other items.
*
* @access private
* @param string
* @return string
*/
function _clean_input_keys($str)
{
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters.');
}
// Clean UTF-8 if supported
if (UTF8_ENABLED === TRUE)
{
$str = $this->uni->clean_string($str);
}
return $str;
}
// --------------------------------------------------------------------
/**
* Request Headers
* 返回请求头(header)数组。
* In Apache, you can simply call apache_request_headers(), however for
* people running other webservers the function is undefined.
*
* @param bool XSS cleaning
*
* @return array
*/
public function request_headers($xss_clean = FALSE)
{
// Look at Apache go!
if (function_exists('apache_request_headers'))
{
$headers = apache_request_headers();
}
else
{
$headers['Content-Type'] = (isset($_SERVER['CONTENT_TYPE'])) ? $_SERVER['CONTENT_TYPE'] : @getenv('CONTENT_TYPE');
foreach ($_SERVER as $key => $val)
{
if (strncmp($key, 'HTTP_', 5) === 0)
{
$headers[substr($key, 5)] = $this->_fetch_from_array($_SERVER, $key, $xss_clean);
}
}
}
// take SOME_HEADER and turn it into Some-Header
foreach ($headers as $key => $val)
{
$key = str_replace('_', ' ', strtolower($key));
$key = str_replace(' ', '-', ucwords($key));
$this->headers[$key] = $val;
}
return $this->headers;
}
// --------------------------------------------------------------------
/**
* Get Request Header
* 返回请求头(request header)数组中某一个元素的值
* Returns the value of a single member of the headers class member
*
* @param string array key for $this->headers
* @param boolean XSS Clean or not
* @return mixed FALSE on failure, string on success
*/
public function get_request_header($index, $xss_clean = FALSE)
{
if (emptyempty($this->headers))
{
$this->request_headers();
}
if ( ! isset($this->headers[$index]))
{
return FALSE;
}
if ($xss_clean === TRUE)
{
return $this->security->xss_clean($this->headers[$index]);
}
return $this->headers[$index];
}
// --------------------------------------------------------------------
/**
* Is ajax Request?
* 判断是否为ajax请求
* Test to see if a request contains the HTTP_X_REQUESTED_WITH header
*
* @return boolean
*/
public function is_ajax_request()
{
return ($this->server('HTTP_X_REQUESTED_WITH') === 'XMLHttpRequest');
}
// --------------------------------------------------------------------
/**
* Is cli Request?
* 判断是否来自cli请求
* Test to see if a request was made from the command line
*
* @return bool
*/
public function is_cli_request()
{
return (php_sapi_name() === 'cli' OR defined('STDIN'));
}
}
/* End of file Input.php */
/* Location: ./system/core/Input.php */
熱AI工具
Undresser.AI Undress
人工智慧驅動的應用程序,用於創建逼真的裸體照片
AI Clothes Remover
用於從照片中去除衣服的線上人工智慧工具。
Undress AI Tool
免費脫衣圖片
Clothoff.io
AI脫衣器
Video Face Swap
使用我們完全免費的人工智慧換臉工具,輕鬆在任何影片中換臉!
熱門文章
熱工具
EditPlus 中文破解版
體積小,語法高亮,不支援程式碼提示功能
ZendStudio 13.5.1 Mac
強大的PHP整合開發環境
DVWA
Damn Vulnerable Web App (DVWA) 是一個PHP/MySQL的Web應用程序,非常容易受到攻擊。它的主要目標是成為安全專業人員在合法環境中測試自己的技能和工具的輔助工具,幫助Web開發人員更好地理解保護網路應用程式的過程,並幫助教師/學生在課堂環境中教授/學習Web應用程式安全性。 DVWA的目標是透過簡單直接的介面練習一些最常見的Web漏洞,難度各不相同。請注意,該軟體中
MantisBT
Mantis是一個易於部署的基於Web的缺陷追蹤工具,用於幫助產品缺陷追蹤。它需要PHP、MySQL和一個Web伺服器。請查看我們的演示和託管服務。
mPDF
mPDF是一個PHP庫,可以從UTF-8編碼的HTML產生PDF檔案。原作者Ian Back編寫mPDF以從他的網站上「即時」輸出PDF文件,並處理不同的語言。與原始腳本如HTML2FPDF相比,它的速度較慢,並且在使用Unicode字體時產生的檔案較大,但支援CSS樣式等,並進行了大量增強。支援幾乎所有語言,包括RTL(阿拉伯語和希伯來語)和CJK(中日韓)。支援嵌套的區塊級元素(如P、DIV),
