You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

895 lines
22 KiB

7 years ago
  1. <?php
  2. /**
  3. * CodeIgniter
  4. *
  5. * An open source application development framework for PHP
  6. *
  7. * This content is released under the MIT License (MIT)
  8. *
  9. * Copyright (c) 2014 - 2017, British Columbia Institute of Technology
  10. *
  11. * Permission is hereby granted, free of charge, to any person obtaining a copy
  12. * of this software and associated documentation files (the "Software"), to deal
  13. * in the Software without restriction, including without limitation the rights
  14. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  15. * copies of the Software, and to permit persons to whom the Software is
  16. * furnished to do so, subject to the following conditions:
  17. *
  18. * The above copyright notice and this permission notice shall be included in
  19. * all copies or substantial portions of the Software.
  20. *
  21. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  22. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  23. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  24. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  25. * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  26. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  27. * THE SOFTWARE.
  28. *
  29. * @package CodeIgniter
  30. * @author EllisLab Dev Team
  31. * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
  32. * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/)
  33. * @license http://opensource.org/licenses/MIT MIT License
  34. * @link https://codeigniter.com
  35. * @since Version 1.0.0
  36. * @filesource
  37. */
  38. defined('BASEPATH') OR exit('No direct script access allowed');
  39. /**
  40. * Input Class
  41. *
  42. * Pre-processes global input data for security
  43. *
  44. * @package CodeIgniter
  45. * @subpackage Libraries
  46. * @category Input
  47. * @author EllisLab Dev Team
  48. * @link https://codeigniter.com/user_guide/libraries/input.html
  49. */
  50. class CI_Input {
  51. /**
  52. * IP address of the current user
  53. *
  54. * @var string
  55. */
  56. protected $ip_address = FALSE;
  57. /**
  58. * Allow GET array flag
  59. *
  60. * If set to FALSE, then $_GET will be set to an empty array.
  61. *
  62. * @var bool
  63. */
  64. protected $_allow_get_array = TRUE;
  65. /**
  66. * Standardize new lines flag
  67. *
  68. * If set to TRUE, then newlines are standardized.
  69. *
  70. * @var bool
  71. */
  72. protected $_standardize_newlines;
  73. /**
  74. * Enable XSS flag
  75. *
  76. * Determines whether the XSS filter is always active when
  77. * GET, POST or COOKIE data is encountered.
  78. * Set automatically based on config setting.
  79. *
  80. * @var bool
  81. */
  82. protected $_enable_xss = FALSE;
  83. /**
  84. * Enable CSRF flag
  85. *
  86. * Enables a CSRF cookie token to be set.
  87. * Set automatically based on config setting.
  88. *
  89. * @var bool
  90. */
  91. protected $_enable_csrf = FALSE;
  92. /**
  93. * List of all HTTP request headers
  94. *
  95. * @var array
  96. */
  97. protected $headers = array();
  98. /**
  99. * Raw input stream data
  100. *
  101. * Holds a cache of php://input contents
  102. *
  103. * @var string
  104. */
  105. protected $_raw_input_stream;
  106. /**
  107. * Parsed input stream data
  108. *
  109. * Parsed from php://input at runtime
  110. *
  111. * @see CI_Input::input_stream()
  112. * @var array
  113. */
  114. protected $_input_stream;
  115. protected $security;
  116. protected $uni;
  117. // --------------------------------------------------------------------
  118. /**
  119. * Class constructor
  120. *
  121. * Determines whether to globally enable the XSS processing
  122. * and whether to allow the $_GET array.
  123. *
  124. * @return void
  125. */
  126. public function __construct()
  127. {
  128. $this->_allow_get_array = (config_item('allow_get_array') === TRUE);
  129. $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
  130. $this->_enable_csrf = (config_item('csrf_protection') === TRUE);
  131. $this->_standardize_newlines = (bool) config_item('standardize_newlines');
  132. $this->security =& load_class('Security', 'core');
  133. // Do we need the UTF-8 class?
  134. if (UTF8_ENABLED === TRUE)
  135. {
  136. $this->uni =& load_class('Utf8', 'core');
  137. }
  138. // Sanitize global arrays
  139. $this->_sanitize_globals();
  140. // CSRF Protection check
  141. if ($this->_enable_csrf === TRUE && ! is_cli())
  142. {
  143. $this->security->csrf_verify();
  144. }
  145. log_message('info', 'Input Class Initialized');
  146. }
  147. // --------------------------------------------------------------------
  148. /**
  149. * Fetch from array
  150. *
  151. * Internal method used to retrieve values from global arrays.
  152. *
  153. * @param array &$array $_GET, $_POST, $_COOKIE, $_SERVER, etc.
  154. * @param mixed $index Index for item to be fetched from $array
  155. * @param bool $xss_clean Whether to apply XSS filtering
  156. * @return mixed
  157. */
  158. protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL)
  159. {
  160. is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
  161. // If $index is NULL, it means that the whole $array is requested
  162. isset($index) OR $index = array_keys($array);
  163. // allow fetching multiple keys at once
  164. if (is_array($index))
  165. {
  166. $output = array();
  167. foreach ($index as $key)
  168. {
  169. $output[$key] = $this->_fetch_from_array($array, $key, $xss_clean);
  170. }
  171. return $output;
  172. }
  173. if (isset($array[$index]))
  174. {
  175. $value = $array[$index];
  176. }
  177. elseif (($count = preg_match_all('/(?:^[^\[]+)|\[[^]]*\]/', $index, $matches)) > 1) // Does the index contain array notation
  178. {
  179. $value = $array;
  180. for ($i = 0; $i < $count; $i++)
  181. {
  182. $key = trim($matches[0][$i], '[]');
  183. if ($key === '') // Empty notation will return the value as array
  184. {
  185. break;
  186. }
  187. if (isset($value[$key]))
  188. {
  189. $value = $value[$key];
  190. }
  191. else
  192. {
  193. return NULL;
  194. }
  195. }
  196. }
  197. else
  198. {
  199. return NULL;
  200. }
  201. return ($xss_clean === TRUE)
  202. ? $this->security->xss_clean($value)
  203. : $value;
  204. }
  205. // --------------------------------------------------------------------
  206. /**
  207. * Fetch an item from the GET array
  208. *
  209. * @param mixed $index Index for item to be fetched from $_GET
  210. * @param bool $xss_clean Whether to apply XSS filtering
  211. * @return mixed
  212. */
  213. public function get($index = NULL, $xss_clean = NULL)
  214. {
  215. return $this->_fetch_from_array($_GET, $index, $xss_clean);
  216. }
  217. // --------------------------------------------------------------------
  218. /**
  219. * Fetch an item from the POST array
  220. *
  221. * @param mixed $index Index for item to be fetched from $_POST
  222. * @param bool $xss_clean Whether to apply XSS filtering
  223. * @return mixed
  224. */
  225. public function post($index = NULL, $xss_clean = NULL)
  226. {
  227. return $this->_fetch_from_array($_POST, $index, $xss_clean);
  228. }
  229. // --------------------------------------------------------------------
  230. /**
  231. * Fetch an item from POST data with fallback to GET
  232. *
  233. * @param string $index Index for item to be fetched from $_POST or $_GET
  234. * @param bool $xss_clean Whether to apply XSS filtering
  235. * @return mixed
  236. */
  237. public function post_get($index, $xss_clean = NULL)
  238. {
  239. return isset($_POST[$index])
  240. ? $this->post($index, $xss_clean)
  241. : $this->get($index, $xss_clean);
  242. }
  243. // --------------------------------------------------------------------
  244. /**
  245. * Fetch an item from GET data with fallback to POST
  246. *
  247. * @param string $index Index for item to be fetched from $_GET or $_POST
  248. * @param bool $xss_clean Whether to apply XSS filtering
  249. * @return mixed
  250. */
  251. public function get_post($index, $xss_clean = NULL)
  252. {
  253. return isset($_GET[$index])
  254. ? $this->get($index, $xss_clean)
  255. : $this->post($index, $xss_clean);
  256. }
  257. // --------------------------------------------------------------------
  258. /**
  259. * Fetch an item from the COOKIE array
  260. *
  261. * @param mixed $index Index for item to be fetched from $_COOKIE
  262. * @param bool $xss_clean Whether to apply XSS filtering
  263. * @return mixed
  264. */
  265. public function cookie($index = NULL, $xss_clean = NULL)
  266. {
  267. return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
  268. }
  269. // --------------------------------------------------------------------
  270. /**
  271. * Fetch an item from the SERVER array
  272. *
  273. * @param mixed $index Index for item to be fetched from $_SERVER
  274. * @param bool $xss_clean Whether to apply XSS filtering
  275. * @return mixed
  276. */
  277. public function server($index, $xss_clean = NULL)
  278. {
  279. return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
  280. }
  281. // ------------------------------------------------------------------------
  282. /**
  283. * Fetch an item from the php://input stream
  284. *
  285. * Useful when you need to access PUT, DELETE or PATCH request data.
  286. *
  287. * @param string $index Index for item to be fetched
  288. * @param bool $xss_clean Whether to apply XSS filtering
  289. * @return mixed
  290. */
  291. public function input_stream($index = NULL, $xss_clean = NULL)
  292. {
  293. // Prior to PHP 5.6, the input stream can only be read once,
  294. // so we'll need to check if we have already done that first.
  295. if ( ! is_array($this->_input_stream))
  296. {
  297. // $this->raw_input_stream will trigger __get().
  298. parse_str($this->raw_input_stream, $this->_input_stream);
  299. is_array($this->_input_stream) OR $this->_input_stream = array();
  300. }
  301. return $this->_fetch_from_array($this->_input_stream, $index, $xss_clean);
  302. }
  303. // ------------------------------------------------------------------------
  304. /**
  305. * Set cookie
  306. *
  307. * Accepts an arbitrary number of parameters (up to 7) or an associative
  308. * array in the first parameter containing all the values.
  309. *
  310. * @param string|mixed[] $name Cookie name or an array containing parameters
  311. * @param string $value Cookie value
  312. * @param int $expire Cookie expiration time in seconds
  313. * @param string $domain Cookie domain (e.g.: '.yourdomain.com')
  314. * @param string $path Cookie path (default: '/')
  315. * @param string $prefix Cookie name prefix
  316. * @param bool $secure Whether to only transfer cookies via SSL
  317. * @param bool $httponly Whether to only makes the cookie accessible via HTTP (no javascript)
  318. * @return void
  319. */
  320. public function set_cookie($name, $value = '', $expire = '', $domain = '', $path = '/', $prefix = '', $secure = NULL, $httponly = NULL)
  321. {
  322. if (is_array($name))
  323. {
  324. // always leave 'name' in last place, as the loop will break otherwise, due to $$item
  325. foreach (array('value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name') as $item)
  326. {
  327. if (isset($name[$item]))
  328. {
  329. $$item = $name[$item];
  330. }
  331. }
  332. }
  333. if ($prefix === '' && config_item('cookie_prefix') !== '')
  334. {
  335. $prefix = config_item('cookie_prefix');
  336. }
  337. if ($domain == '' && config_item('cookie_domain') != '')
  338. {
  339. $domain = config_item('cookie_domain');
  340. }
  341. if ($path === '/' && config_item('cookie_path') !== '/')
  342. {
  343. $path = config_item('cookie_path');
  344. }
  345. $secure = ($secure === NULL && config_item('cookie_secure') !== NULL)
  346. ? (bool) config_item('cookie_secure')
  347. : (bool) $secure;
  348. $httponly = ($httponly === NULL && config_item('cookie_httponly') !== NULL)
  349. ? (bool) config_item('cookie_httponly')
  350. : (bool) $httponly;
  351. if ( ! is_numeric($expire))
  352. {
  353. $expire = time() - 86500;
  354. }
  355. else
  356. {
  357. $expire = ($expire > 0) ? time() + $expire : 0;
  358. }
  359. setcookie($prefix.$name, $value, $expire, $path, $domain, $secure, $httponly);
  360. }
  361. // --------------------------------------------------------------------
  362. /**
  363. * Fetch the IP Address
  364. *
  365. * Determines and validates the visitor's IP address.
  366. *
  367. * @return string IP address
  368. */
  369. public function ip_address()
  370. {
  371. if ($this->ip_address !== FALSE)
  372. {
  373. return $this->ip_address;
  374. }
  375. $proxy_ips = config_item('proxy_ips');
  376. if ( ! empty($proxy_ips) && ! is_array($proxy_ips))
  377. {
  378. $proxy_ips = explode(',', str_replace(' ', '', $proxy_ips));
  379. }
  380. $this->ip_address = $this->server('REMOTE_ADDR');
  381. if ($proxy_ips)
  382. {
  383. foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP') as $header)
  384. {
  385. if (($spoof = $this->server($header)) !== NULL)
  386. {
  387. // Some proxies typically list the whole chain of IP
  388. // addresses through which the client has reached us.
  389. // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
  390. sscanf($spoof, '%[^,]', $spoof);
  391. if ( ! $this->valid_ip($spoof))
  392. {
  393. $spoof = NULL;
  394. }
  395. else
  396. {
  397. break;
  398. }
  399. }
  400. }
  401. if ($spoof)
  402. {
  403. for ($i = 0, $c = count($proxy_ips); $i < $c; $i++)
  404. {
  405. // Check if we have an IP address or a subnet
  406. if (strpos($proxy_ips[$i], '/') === FALSE)
  407. {
  408. // An IP address (and not a subnet) is specified.
  409. // We can compare right away.
  410. if ($proxy_ips[$i] === $this->ip_address)
  411. {
  412. $this->ip_address = $spoof;
  413. break;
  414. }
  415. continue;
  416. }
  417. // We have a subnet ... now the heavy lifting begins
  418. isset($separator) OR $separator = $this->valid_ip($this->ip_address, 'ipv6') ? ':' : '.';
  419. // If the proxy entry doesn't match the IP protocol - skip it
  420. if (strpos($proxy_ips[$i], $separator) === FALSE)
  421. {
  422. continue;
  423. }
  424. // Convert the REMOTE_ADDR IP address to binary, if needed
  425. if ( ! isset($ip, $sprintf))
  426. {
  427. if ($separator === ':')
  428. {
  429. // Make sure we're have the "full" IPv6 format
  430. $ip = explode(':',
  431. str_replace('::',
  432. str_repeat(':', 9 - substr_count($this->ip_address, ':')),
  433. $this->ip_address
  434. )
  435. );
  436. for ($j = 0; $j < 8; $j++)
  437. {
  438. $ip[$j] = intval($ip[$j], 16);
  439. }
  440. $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
  441. }
  442. else
  443. {
  444. $ip = explode('.', $this->ip_address);
  445. $sprintf = '%08b%08b%08b%08b';
  446. }
  447. $ip = vsprintf($sprintf, $ip);
  448. }
  449. // Split the netmask length off the network address
  450. sscanf($proxy_ips[$i], '%[^/]/%d', $netaddr, $masklen);
  451. // Again, an IPv6 address is most likely in a compressed form
  452. if ($separator === ':')
  453. {
  454. $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
  455. for ($j = 0; $j < 8; $j++)
  456. {
  457. $netaddr[$j] = intval($netaddr[$j], 16);
  458. }
  459. }
  460. else
  461. {
  462. $netaddr = explode('.', $netaddr);
  463. }
  464. // Convert to binary and finally compare
  465. if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0)
  466. {
  467. $this->ip_address = $spoof;
  468. break;
  469. }
  470. }
  471. }
  472. }
  473. if ( ! $this->valid_ip($this->ip_address))
  474. {
  475. return $this->ip_address = '0.0.0.0';
  476. }
  477. return $this->ip_address;
  478. }
  479. // --------------------------------------------------------------------
  480. /**
  481. * Validate IP Address
  482. *
  483. * @param string $ip IP address
  484. * @param string $which IP protocol: 'ipv4' or 'ipv6'
  485. * @return bool
  486. */
  487. public function valid_ip($ip, $which = '')
  488. {
  489. switch (strtolower($which))
  490. {
  491. case 'ipv4':
  492. $which = FILTER_FLAG_IPV4;
  493. break;
  494. case 'ipv6':
  495. $which = FILTER_FLAG_IPV6;
  496. break;
  497. default:
  498. $which = NULL;
  499. break;
  500. }
  501. return (bool) filter_var($ip, FILTER_VALIDATE_IP, $which);
  502. }
  503. // --------------------------------------------------------------------
  504. /**
  505. * Fetch User Agent string
  506. *
  507. * @return string|null User Agent string or NULL if it doesn't exist
  508. */
  509. public function user_agent($xss_clean = NULL)
  510. {
  511. return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean);
  512. }
  513. // --------------------------------------------------------------------
  514. /**
  515. * Sanitize Globals
  516. *
  517. * Internal method serving for the following purposes:
  518. *
  519. * - Unsets $_GET data, if query strings are not enabled
  520. * - Cleans POST, COOKIE and SERVER data
  521. * - Standardizes newline characters to PHP_EOL
  522. *
  523. * @return void
  524. */
  525. protected function _sanitize_globals()
  526. {
  527. // Is $_GET data allowed? If not we'll set the $_GET to an empty array
  528. if ($this->_allow_get_array === FALSE)
  529. {
  530. $_GET = array();
  531. }
  532. elseif (is_array($_GET))
  533. {
  534. foreach ($_GET as $key => $val)
  535. {
  536. $_GET[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
  537. }
  538. }
  539. // Clean $_POST Data
  540. if (is_array($_POST))
  541. {
  542. foreach ($_POST as $key => $val)
  543. {
  544. $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
  545. }
  546. }
  547. // Clean $_COOKIE Data
  548. if (is_array($_COOKIE))
  549. {
  550. // Also get rid of specially treated cookies that might be set by a server
  551. // or silly application, that are of no use to a CI application anyway
  552. // but that when present will trip our 'Disallowed Key Characters' alarm
  553. // http://www.ietf.org/rfc/rfc2109.txt
  554. // note that the key names below are single quoted strings, and are not PHP variables
  555. unset(
  556. $_COOKIE['$Version'],
  557. $_COOKIE['$Path'],
  558. $_COOKIE['$Domain']
  559. );
  560. foreach ($_COOKIE as $key => $val)
  561. {
  562. if (($cookie_key = $this->_clean_input_keys($key)) !== FALSE)
  563. {
  564. $_COOKIE[$cookie_key] = $this->_clean_input_data($val);
  565. }
  566. else
  567. {
  568. unset($_COOKIE[$key]);
  569. }
  570. }
  571. }
  572. // Sanitize PHP_SELF
  573. $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
  574. log_message('debug', 'Global POST, GET and COOKIE data sanitized');
  575. }
  576. // --------------------------------------------------------------------
  577. /**
  578. * Clean Input Data
  579. *
  580. * Internal method that aids in escaping data and
  581. * standardizing newline characters to PHP_EOL.
  582. *
  583. * @param string|string[] $str Input string(s)
  584. * @return string
  585. */
  586. protected function _clean_input_data($str)
  587. {
  588. if (is_array($str))
  589. {
  590. $new_array = array();
  591. foreach (array_keys($str) as $key)
  592. {
  593. $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($str[$key]);
  594. }
  595. return $new_array;
  596. }
  597. /* We strip slashes if magic quotes is on to keep things consistent
  598. NOTE: In PHP 5.4 get_magic_quotes_gpc() will always return 0 and
  599. it will probably not exist in future versions at all.
  600. */
  601. if ( ! is_php('5.4') && get_magic_quotes_gpc())
  602. {
  603. $str = stripslashes($str);
  604. }
  605. // Clean UTF-8 if supported
  606. if (UTF8_ENABLED === TRUE)
  607. {
  608. $str = $this->uni->clean_string($str);
  609. }
  610. // Remove control characters
  611. $str = remove_invisible_characters($str, FALSE);
  612. // Standardize newlines if needed
  613. if ($this->_standardize_newlines === TRUE)
  614. {
  615. return preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $str);
  616. }
  617. return $str;
  618. }
  619. // --------------------------------------------------------------------
  620. /**
  621. * Clean Keys
  622. *
  623. * Internal method that helps to prevent malicious users
  624. * from trying to exploit keys we make sure that keys are
  625. * only named with alpha-numeric text and a few other items.
  626. *
  627. * @param string $str Input string
  628. * @param bool $fatal Whether to terminate script exection
  629. * or to return FALSE if an invalid
  630. * key is encountered
  631. * @return string|bool
  632. */
  633. protected function _clean_input_keys($str, $fatal = TRUE)
  634. {
  635. if ( ! preg_match('/^[a-z0-9:_\/|-]+$/i', $str))
  636. {
  637. if ($fatal === TRUE)
  638. {
  639. return FALSE;
  640. }
  641. else
  642. {
  643. set_status_header(503);
  644. echo 'Disallowed Key Characters.';
  645. exit(7); // EXIT_USER_INPUT
  646. }
  647. }
  648. // Clean UTF-8 if supported
  649. if (UTF8_ENABLED === TRUE)
  650. {
  651. return $this->uni->clean_string($str);
  652. }
  653. return $str;
  654. }
  655. // --------------------------------------------------------------------
  656. /**
  657. * Request Headers
  658. *
  659. * @param bool $xss_clean Whether to apply XSS filtering
  660. * @return array
  661. */
  662. public function request_headers($xss_clean = FALSE)
  663. {
  664. // If header is already defined, return it immediately
  665. if ( ! empty($this->headers))
  666. {
  667. return $this->_fetch_from_array($this->headers, NULL, $xss_clean);
  668. }
  669. // In Apache, you can simply call apache_request_headers()
  670. if (function_exists('apache_request_headers'))
  671. {
  672. $this->headers = apache_request_headers();
  673. }
  674. else
  675. {
  676. isset($_SERVER['CONTENT_TYPE']) && $this->headers['Content-Type'] = $_SERVER['CONTENT_TYPE'];
  677. foreach ($_SERVER as $key => $val)
  678. {
  679. if (sscanf($key, 'HTTP_%s', $header) === 1)
  680. {
  681. // take SOME_HEADER and turn it into Some-Header
  682. $header = str_replace('_', ' ', strtolower($header));
  683. $header = str_replace(' ', '-', ucwords($header));
  684. $this->headers[$header] = $_SERVER[$key];
  685. }
  686. }
  687. }
  688. return $this->_fetch_from_array($this->headers, NULL, $xss_clean);
  689. }
  690. // --------------------------------------------------------------------
  691. /**
  692. * Get Request Header
  693. *
  694. * Returns the value of a single member of the headers class member
  695. *
  696. * @param string $index Header name
  697. * @param bool $xss_clean Whether to apply XSS filtering
  698. * @return string|null The requested header on success or NULL on failure
  699. */
  700. public function get_request_header($index, $xss_clean = FALSE)
  701. {
  702. static $headers;
  703. if ( ! isset($headers))
  704. {
  705. empty($this->headers) && $this->request_headers();
  706. foreach ($this->headers as $key => $value)
  707. {
  708. $headers[strtolower($key)] = $value;
  709. }
  710. }
  711. $index = strtolower($index);
  712. if ( ! isset($headers[$index]))
  713. {
  714. return NULL;
  715. }
  716. return ($xss_clean === TRUE)
  717. ? $this->security->xss_clean($headers[$index])
  718. : $headers[$index];
  719. }
  720. // --------------------------------------------------------------------
  721. /**
  722. * Is AJAX request?
  723. *
  724. * Test to see if a request contains the HTTP_X_REQUESTED_WITH header.
  725. *
  726. * @return bool
  727. */
  728. public function is_ajax_request()
  729. {
  730. return ( ! empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest');
  731. }
  732. // --------------------------------------------------------------------
  733. /**
  734. * Is CLI request?
  735. *
  736. * Test to see if a request was made from the command line.
  737. *
  738. * @deprecated 3.0.0 Use is_cli() instead
  739. * @return bool
  740. */
  741. public function is_cli_request()
  742. {
  743. return is_cli();
  744. }
  745. // --------------------------------------------------------------------
  746. /**
  747. * Get Request Method
  748. *
  749. * Return the request method
  750. *
  751. * @param bool $upper Whether to return in upper or lower case
  752. * (default: FALSE)
  753. * @return string
  754. */
  755. public function method($upper = FALSE)
  756. {
  757. return ($upper)
  758. ? strtoupper($this->server('REQUEST_METHOD'))
  759. : strtolower($this->server('REQUEST_METHOD'));
  760. }
  761. // ------------------------------------------------------------------------
  762. /**
  763. * Magic __get()
  764. *
  765. * Allows read access to protected properties
  766. *
  767. * @param string $name
  768. * @return mixed
  769. */
  770. public function __get($name)
  771. {
  772. if ($name === 'raw_input_stream')
  773. {
  774. isset($this->_raw_input_stream) OR $this->_raw_input_stream = file_get_contents('php://input');
  775. return $this->_raw_input_stream;
  776. }
  777. elseif ($name === 'ip_address')
  778. {
  779. return $this->ip_address;
  780. }
  781. }
  782. }