The Input Class serves two purposes:
- It pre-processes global input data for security.
- It provides some helper functions for fetching input data and pre-processing it.
Note: This class is initialized automatically by the system so there is no need to do it manually.
The security filtering function is called automatically when a new controller is invoked. It does the following:
- Destroys the global GET array. Since CodeIgniter does not utilize GET strings, there is no reason to allow it.
- Destroys all global variables in the event register_globals is turned on.
- Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.
- Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.
- Standardizes newline characters to \n
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
To filter data through the XSS filter use this function:
Here is an usage example:
$data = $this->input->xss_clean($data);
If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your
application/config/config.php file and setting this:
$config['global_xss_filtering'] = TRUE;
Note: If you use the form validation class, it gives you the option of XSS filtering as well.
Using POST, COOKIE, or SERVER Data
CodeIgniter comes with three helper functions that let you fetch POST, COOKIE or SERVER items. The main advantage of using the provided
functions rather then fetching an item directly ($_POST['something']) is that the functions will check to see if the item is set and
return false (boolean) if not. This lets you conveniently use data without having to test whether an item exists first.
In other words, normally you might do something like this:
if ( ! isset($_POST['something']))
$something = FALSE;
$something = $_POST['something'];
With CodeIgniter's built in functions you can simply do this:
$something = $this->input->post('something');
The three functions are:
The first parameter will contain the name of the POST item you are looking for:
The function returns FALSE (boolean) if the item you are attempting to retrieve does not exist.
The second optional parameter lets you run the data through the XSS filter. It's enabled by setting the second parameter to boolean TRUE;
This function is identical to the post function, only it fetches cookie data:
This function is identical to the above functions, only it fetches server data:
Returns the IP address for the current user. If the IP address is not valid, the function will return an IP of: 0.0.0.0
Takes an IP address as input and returns TRUE or FALSE (boolean) if it is valid or not. Note: The $this->input->ip_address() function above validates the IP automatically.
if ( ! valid_ip($ip))
echo 'Not Valid';
Returns the user agent (web browser) being used by the current user. Returns FALSE if it's not available.