ci框架源码阅读---------input.php
_allow_get_array = (config_item('allow_get_array') === true); $this->_enable_xss = (config_item('global_xss_filtering') === true); $this->_enable_csrf = (config_item('csrf_protection') === true); // 清除globals变量，在开启了globals_register的情况下，相当于关闭了此配置。 // 开启一道 安全防护 global $sec; $this->security =& $sec; // do we need the utf-8 class? if (utf8_enabled === true) { global $uni; $this->uni =& $uni; } // sanitize global arrays $this->_sanitize_globals(); } // -------------------------------- /** * fetch from array * 从$array获取值，如果设置了xss_clean 那么进行过滤 * this is a helper function to retrieve 检索 values from global arrays * 这是一个帮助函数用来从全局数组中检索 * * @access private * @param array * @param string * @param bool * @return string */ function _fetch_from_array(&$array, $index = '', $xss_clean = false) { if ( ! isset($array[$index])) { return false; } if ($xss_clean === true) { return $this->security->xss_clean($array[$index]); } return $array[$index]; } // -------------------------------- /** * fetch an item from the get array * 获取过滤后的get数组 * @access public * @param string * @param bool * @return string */ function get($index = null, $xss_clean = false) { // check if a field has been provided // 检查是否一个字段已经被提供 if ($index === null and ! empty($_get)) { $get = array(); // loop through the full _get array // 遍历_get数组 foreach (array_keys($_get) as $key) { $get[$key] = $this->_fetch_from_array($_get, $key, $xss_clean); } return $get; } return $this->_fetch_from_array($_get, $index, $xss_clean); } // -------------------------------- /** * fetch an item from the post array * 获取过滤后的$_post值 * @access public * @param string * @param bool * @return string */ function post($index = null, $xss_clean = false) { // check if a field has been provided if ($index === null and ! empty($_post)) { $post = array(); // loop through the full _post array and return it foreach (array_keys($_post) as $key) { $post[$key] = $this->_fetch_from_array($_post, $key, $xss_clean); } return $post; } return $this->_fetch_from_array($_post, $index, $xss_clean); } // -------------------------------- /** * fetch an item from either the get array or the post * 从get和post中获取值， post优先 * @access public * @param string the index key * @param bool xss cleaning * @return string */ function get_post($index = '', $xss_clean = false) { if ( ! isset($_post[$index]) ) { return $this->get($index, $xss_clean); } else { return $this->post($index, $xss_clean); } } // -------------------------------- /** * fetch an item from the cookie array * 返回过滤后的cookie值 * @access public * @param string * @param bool * @return string */ function cookie($index = '', $xss_clean = false) { return $this->_fetch_from_array($_cookie, $index, $xss_clean); } // ------------------------------------ /** * set cookie * * accepts six parameter, or you can submit an associative * array in the first parameter containing all the values. * 接收6个参数或者接收一个关联数组里面包含所有的值 * @access public * @param mixed * @param string the value of the cookie * @param string the number of seconds until expiration * @param string the cookie domain. usually: .yourdomain.com * @param string the cookie path * @param string the cookie prefix * @param bool true makes the cookie secure * @return void */ function set_cookie($name = '', $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = false) { // 如果第一个值是数组 将数组中的值分别赋值给留个参数 if (is_array($name)) { // always leave 'name' in last place, as the loop will break otherwise, due to $$item foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'name') as $item) { if (isset($name[$item])) { $$item = $name[$item]; } } } // 如果某个参数为默认值但是config.php中的配置不是默认值 // 则使用config.php中的配置值 if ($prefix == '' and config_item('cookie_prefix') != '') { $prefix = config_item('cookie_prefix'); } if ($domain == '' and config_item('cookie_domain') != '') { $domain = config_item('cookie_domain'); } if ($path == '/' and config_item('cookie_path') != '/') { $path = config_item('cookie_path'); } if ($secure == false and config_item('cookie_secure') != false) { $secure = config_item('cookie_secure'); } if ( ! is_numeric($expire)) { $expire = time() - 86500; } else { $expire = ($expire > 0) ? time() + $expire : 0; } setcookie($prefix.$name, $value, $expire, $path, $domain, $secure); } // -------------------------------- /** * fetch an item from the server array * 返回过滤后的$_server值 * @access public * @param string * @param bool * @return string */ function server($index = '', $xss_clean = false) { return $this->_fetch_from_array($_server, $index, $xss_clean); } // -------------------------------- /** * fetch the ip address * 返回当前用户的ip。如果ip地址无效，返回0.0.0.0的ip： * @return string */ public function ip_address() { // 如果已经有了ip_address 则返回 if ($this->ip_address !== false) { return $this->ip_address; } $proxy_ips = config_item('proxy_ips'); if ( ! empty($proxy_ips)) { $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips)); foreach (array('http_x_forwarded_for', 'http_client_ip', 'http_x_client_ip', 'http_x_cluster_client_ip') as $header) { if (($spoof = $this->server($header)) !== false) { // some proxies typically list the whole chain of ip // addresses through which the client has reached us. // e.g. client_ip, proxy_ip1, proxy_ip2, etc. if (strpos($spoof, ',') !== false) { $spoof = explode(',', $spoof, 2); $spoof = $spoof[0]; } if ( ! $this->valid_ip($spoof)) { $spoof = false; } else { break; } } } $this->ip_address = ($spoof !== false && in_array($_server['remote_addr'], $proxy_ips, true)) ? $spoof : $_server['remote_addr']; } else { $this->ip_address = $_server['remote_addr']; } if ( ! $this->valid_ip($this->ip_address)) { $this->ip_address = '0.0.0.0'; } return $this->ip_address; } // -------------------------------- /** * validate ip address * 测试输入的ip地址是不是有效，返回布尔值true或者false。 * 注意：$this->input->ip_address()自动测试输入的ip地址本身格式是不是有效。 * @access public * @param string * @param string ipv4 or ipv6 * @return bool */ public function valid_ip($ip, $which = '') { $which = strtolower($which); // first check if filter_var is available if (is_callable('filter_var')) { switch ($which) { case 'ipv4': $flag = filter_flag_ipv4; break; case 'ipv6': $flag = filter_flag_ipv6; break; default: $flag = ''; break; } return (bool) filter_var($ip, filter_validate_ip, $flag); } if ($which !== 'ipv6' && $which !== 'ipv4') { if (strpos($ip, ':') !== false) { $which = 'ipv6'; } elseif (strpos($ip, '.') !== false) { $which = 'ipv4'; } else { return false; } } $func = '_valid_'.$which; return $this->$func($ip); } // -------------------------------- /** * validate ipv4 address * 验证ipv4地址 * updated version suggested by geert de deckere * * @access protected * @param string * @return bool */ protected function _valid_ipv4($ip) { $ip_segments = explode('.', $ip); // always 4 segments needed if (count($ip_segments) !== 4) { return false; } // ip can not start with 0 if ($ip_segments[0][0] == '0') { return false; } // check each segment foreach ($ip_segments as $segment) { // ip segments must be digits and can not be // longer than 3 digits or greater then 255 if ($segment == '' or preg_match(/[^0-9]/, $segment) or $segment > 255 or strlen($segment) > 3) { return false; } } return true; } // -------------------------------- /** * validate ipv6 address * 验证ipv6地址 * @access protected * @param string * @return bool */ protected function _valid_ipv6($str) { // 8 groups, separated by : // 0-ffff per group // one set of consecutive 0 groups can be collapsed to :: $groups = 8; $collapsed = false; $chunks = array_filter( preg_split('/(:{1,2})/', $str, null, preg_split_delim_capture) ); // rule out easy nonsense if (current($chunks) == ':' or end($chunks) == ':') { return false; } // php supports ipv4-mapped ipv6 addresses, so we'll expect those as well if (strpos(end($chunks), '.') !== false) { $ipv4 = array_pop($chunks); if ( ! $this->_valid_ipv4($ipv4)) { return false; } $groups--; } while ($seg = array_pop($chunks)) { if ($seg[0] == ':') { if (--$groups == 0) { return false; // too many groups } if (strlen($seg) > 2) { return false; // long separator } if ($seg == '::') { if ($collapsed) { return false; // multiple collapsed } $collapsed = true; } } elseif (preg_match(/[^0-9a-f]/i, $seg) or strlen($seg) > 4) { return false; // invalid segment } } return $collapsed or $groups == 1; } // -------------------------------- /** * user agent * 返回当前用户正在使用的浏览器的user agent信息。 如果不能得到数据，返回false。 * 一般user_agent为空的时候被认定为手机访问，或者curl的抓取，或则会蜘蛛抓取 * @access public * @return string */ function user_agent() { if ($this->user_agent !== false) { return $this->user_agent; } $this->user_agent = ( ! isset($_server['http_user_agent'])) ? false : $_server['http_user_agent']; return $this->user_agent; } // -------------------------------- /** * sanitize globals * 清理全局数组 * this function does the following: * 这个函数做了下面的操作： * unsets $_get data (if query strings are not enabled) * 销毁$_get （如果query strings 没有开启） * unsets all globals if register_globals is enabled * 销毁所有全局数组如果register_globals开启 * * standardizes newline characters to \n * 标准化换行符\n * @access private * @return void */ function _sanitize_globals() { // it would be wrong to unset any of these globals. // 销毁下面的全局数组将是错误的。 $protected = array('_server', '_get', '_post', '_files', '_request', '_session', '_env', 'globals', 'http_raw_post_data', 'system_folder', 'application_folder', 'bm', 'ext', 'cfg', 'uri', 'rtr', 'out', 'in'); // unset globals for securiy.为了安全销毁除了上面之外的全局数组 // this is effectively the same as register_globals = off // 这样的效果和register_globals是相同的 // 经过下面处理后，所有的非保护的全局变量将被删除掉 foreach (array($_get, $_post, $_cookie) as $global) { if ( ! is_array($global)) { if ( ! in_array($global, $protected)) { global $$global; $$global = null; } } else { foreach ($global as $key => $val) { if ( ! in_array($key, $protected)) { global $$key; $$key = null; } } } } // is $_get data allowed? if not we'll set the $_get to an empty array // 是否允许$_get数据？ 如果不允许的话，设置$_get为空数组 if ($this->_allow_get_array == false) { $_get = array(); } else { if (is_array($_get) and count($_get) > 0) { foreach ($_get as $key => $val) { $_get[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } } } // clean $_post data // 过滤$_post 数组 if (is_array($_post) and count($_post) > 0) { foreach ($_post as $key => $val) { $_post[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } } // clean $_cookie data // 过滤$_cookie数组 if (is_array($_cookie) and count($_cookie) > 0) { // also get rid of specially treated cookies that might be set by a server // or silly application, that are of no use to a ci application anyway // but that when present will trip our 'disallowed key characters' alarm // http://www.ietf.org/rfc/rfc2109.txt // note that the key names below are single quoted strings, and are not php variables unset($_cookie['$version']); unset($_cookie['$path']); unset($_cookie['$domain']); foreach ($_cookie as $key => $val) { $_cookie[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } } // sanitize php_self $_server['php_self'] = strip_tags($_server['php_self']); // csrf protection check on http requests // ｃｓｒｆ保护检测http请求 if ($this->_enable_csrf == true && ! $this->is_cli_request()) { $this->security->csrf_verify(); } log_message('debug', global post and cookie data sanitized); } // -------------------------------- /** * clean input data * 过滤input数据 * this is a helper function. it escapes data and * standardizes newline characters to \n * * @access private * @param string * @return string */ function _clean_input_data($str) { if (is_array($str)) { $new_array = array(); foreach ($str as $key => $val) { $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val); } return $new_array; } /* we strip slashes if magic quotes is on to keep things consistent 如果小于php5.4版本，并且get_magic_quotes_gpc开启了，则去掉斜线。 note: in php 5.4 get_magic_quotes_gpc() will always return 0 and it will probably not exist in future versions at all。 注意：在php5.4及之后版本，get_magic_quotes_gpc()将总是返回0， 在后续版本中可能会移除该特性 */ if ( ! is_php('5.4') && get_magic_quotes_gpc()) { $str = stripslashes($str); } // clean utf-8 if supported 如果支持清理utf8 if (utf8_enabled === true) { $str = $this->uni->clean_string($str); } // remove control characters $str = remove_invisible_characters($str); // should we filter the input data? if ($this->_enable_xss === true) { $str = $this->security->xss_clean($str); } // standardize newlines if needed if ($this->_standardize_newlines == true) { if (strpos($str, \r) !== false) { $str = str_replace(array(\r\n, \r, \r\n\n), php_eol, $str); } } return $str; } // -------------------------------- /** * clean keys * 过滤键值 * this is a helper function. to prevent malicious users * from trying to exploit keys we make sure that keys are * only named with alpha-numeric text and a few other items. * * @access private * @param string * @return string */ function _clean_input_keys($str) { if ( ! preg_match(/^[a-z0-9:_\/-]+$/i, $str)) { exit('disallowed key characters.'); } // clean utf-8 if supported if (utf8_enabled === true) { $str = $this->uni->clean_string($str); } return $str; } // -------------------------------- /** * request headers * 返回请求头（header）数组。 * in apache, you can simply call apache_request_headers(), however for * people running other webservers the function is undefined. * * @param bool xss cleaning * * @return array */ public function request_headers($xss_clean = false) { // look at apache go! if (function_exists('apache_request_headers')) { $headers = apache_request_headers(); } else { $headers['content-type'] = (isset($_server['content_type'])) ? $_server['content_type'] : @getenv('content_type'); foreach ($_server as $key => $val) { if (strncmp($key, 'http_', 5) === 0) { $headers[substr($key, 5)] = $this->_fetch_from_array($_server, $key, $xss_clean); } } } // take some_header and turn it into some-header foreach ($headers as $key => $val) { $key = str_replace('_', ' ', strtolower($key)); $key = str_replace(' ', '-', ucwords($key)); $this->headers[$key] = $val; } return $this->headers; } // -------------------------------- /** * get request header * 返回请求头（request header）数组中某一个元素的值 * returns the value of a single member of the headers class member * * @param string array key for $this->headers * @param boolean xss clean or not * @return mixed false on failure, string on success */ public function get_request_header($index, $xss_clean = false) { if (empty($this->headers)) { $this->request_headers(); } if ( ! isset($this->headers[$index])) { return false; } if ($xss_clean === true) { return $this->security->xss_clean($this->headers[$index]); } return $this->headers[$index]; } // -------------------------------- /** * is ajax request? * 判断是否为ajax请求 * test to see if a request contains the http_x_requested_with header * * @return boolean */ public function is_ajax_request() { return ($this->server('http_x_requested_with') === 'xmlhttprequest'); } // -------------------------------- /** * is cli request? * 判断是否来自cli请求 * test to see if a request was made from the command line * * @return bool */ public function is_cli_request() { return (php_sapi_name() === 'cli' or defined('stdin')); }}/* end of file input.php *//* location: ./system/core/input.php */