/
BLX_Input.php
executable file
·141 lines (121 loc) · 3.32 KB
/
BLX_Input.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
<?php
/**
* MY_Input
*
* Allows CodeIgniter to be passed Query Strings
* NOTE! You must add the question mark '?' to the allowed URI chars,
* and set the URI protocol to PATH_INFO
*
* @package Flame
* @subpackage Hacks
* @copyright 2009, Jamie Rumbelow
* @author Jamie Rumbelow <http://www.jamierumbelow.net>
* @license GPLv3
* @version 1.0.0
*/
class BLX_Input extends CI_Input {
function _sanitize_globals()
{
$this->allow_get_array = TRUE;
// Would kind of be "wrong" to unset any of these GLOBALS
$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN');
// Unset globals for security.
// This is effectively the same as register_globals = off
foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
{
if ( ! is_array($global))
{
if ( ! in_array($global, $protected))
{
unset($GLOBALS[$global]);
}
}
else
{
foreach ($global as $key => $val)
{
if ( ! in_array($key, $protected))
{
unset($GLOBALS[$key]);
}
if (is_array($val))
{
foreach($val as $k => $v)
{
if ( ! in_array($k, $protected))
{
unset($GLOBALS[$k]);
}
}
}
}
}
}
// Is $_GET data allowed? If not we'll set the $_GET to an empty array
# need to refactor below lines. IT MUST BE CLEANED $_GET.
if ($this->allow_get_array == FALSE)
{
$_GET = array();
}
else
{
$_GET = $this->_clean_input_data($_GET);
}
// Clean $_POST Data
$_POST = $this->_clean_input_data($_POST);
// Clean $_COOKIE Data
// Also get rid of specially treated cookies that might be set by a server
// or silly application, that are of no use to a CI application anyway
// but that when present will trip our 'Disallowed Key Characters' alarm
// http://www.ietf.org/rfc/rfc2109.txt
// note that the key names below are single quoted strings, and are not PHP variables
unset($_COOKIE['$Version']);
unset($_COOKIE['$Path']);
unset($_COOKIE['$Domain']);
$_COOKIE = $this->_clean_input_data($_COOKIE);
log_message('debug', "Global POST and COOKIE data sanitized");
}
/*function _clean_input_data($str)//さくら/Multiviews対策
{
if (is_array($str))
{
$new_array = array();
foreach ($str as $key => $val)
{
$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
return $new_array;
}
// We strip slashes if magic quotes is on to keep things consistent
if (get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
// Should we filter the input data?
if ($this->use_xss_clean === TRUE)
{
$str = $this->xss_clean($str);
}
// Standardize newlines
if (strpos($str, "\r") !== FALSE)
{
$str = str_replace(array("\r\n", "\r"), "\n", $str);
}
return $str;
}*/
function _clean_input_keys($str)//さくら/Multiviews対策
{
#$str = str_replace('_php', '', $str);
#print $str.'<hr />';
/*if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters!');
}*/
return $str;
}
/*function _sanitize_globals() {
$this->allow_get_array = TRUE;
parent::_sanitize_globals();
}*/
}