1701 lines
39 KiB
PHP
1701 lines
39 KiB
PHP
<?php
|
|
/**
|
|
* Form Validation Class
|
|
*
|
|
* @package CodeIgniter
|
|
* @subpackage Libraries
|
|
* @category Validation
|
|
* @author ExpressionEngine Dev Team
|
|
* @link http://codeigniter.com/user_guide/libraries/form_validation.html
|
|
*/
|
|
class Form_validation {
|
|
|
|
protected $controller;
|
|
protected $_field_data = array();
|
|
protected $_config_rules = array();
|
|
protected $_error_array = array();
|
|
public $_error_messages = array();
|
|
protected $_error_prefix = '<p>';
|
|
protected $_error_suffix = '</p>';
|
|
protected $error_string = '';
|
|
protected $_safe_form_data = FALSE;
|
|
protected $lang = array();
|
|
/**
|
|
* Constructor
|
|
*/
|
|
public function __construct($rules = array())
|
|
{
|
|
$args = func_get_args();
|
|
// Validation rules can be stored in a config file.
|
|
$this->_config_rules = $rules;
|
|
|
|
$this->controller = $args[1];
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Set Rules
|
|
*
|
|
* This function takes an array of field names and validation
|
|
* rules as input, validates the info, and stores it
|
|
*
|
|
* @access public
|
|
* @param mixed
|
|
* @param string
|
|
* @return void
|
|
*/
|
|
public function set_rules($field, $label = '', $rules = '')
|
|
{
|
|
// No reason to set rules if we have no POST data
|
|
if (count($_POST) == 0)
|
|
{
|
|
return $this;
|
|
}
|
|
|
|
// If an array was passed via the first parameter instead of indidual string
|
|
// values we cycle through it and recursively call this function.
|
|
if (is_array($field))
|
|
{
|
|
foreach ($field as $row)
|
|
{
|
|
// Houston, we have a problem...
|
|
if ( ! isset($row['field']) OR ! isset($row['rules']))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
// If the field label wasn't passed we use the field name
|
|
$label = ( ! isset($row['label'])) ? $row['field'] : $row['label'];
|
|
|
|
// Here we go!
|
|
$this->set_rules($row['field'], $label, $row['rules']);
|
|
}
|
|
return $this;
|
|
}
|
|
|
|
// No fields? Nothing to do...
|
|
if ( ! is_string($field) OR ! is_string($rules) OR $field == '')
|
|
{
|
|
return $this;
|
|
}
|
|
|
|
// If the field label wasn't passed we use the field name
|
|
$label = ($label == '') ? $field : $label;
|
|
|
|
// Is the field name an array? We test for the existence of a bracket "[" in
|
|
// the field name to determine this. If it is an array, we break it apart
|
|
// into its components so that we can fetch the corresponding POST data later
|
|
if (strpos($field, '[') !== FALSE AND preg_match_all('/\[(.*?)\]/', $field, $matches))
|
|
{
|
|
// Note: Due to a bug in current() that affects some versions
|
|
// of PHP we can not pass function call directly into it
|
|
$x = explode('[', $field);
|
|
$indexes[] = current($x);
|
|
|
|
for ($i = 0; $i < count($matches['0']); $i++)
|
|
{
|
|
if ($matches['1'][$i] != '')
|
|
{
|
|
$indexes[] = $matches['1'][$i];
|
|
}
|
|
}
|
|
|
|
$is_array = TRUE;
|
|
}
|
|
else
|
|
{
|
|
$indexes = array();
|
|
$is_array = FALSE;
|
|
}
|
|
|
|
// Build our master array
|
|
$this->_field_data[$field] = array(
|
|
'field' => $field,
|
|
'label' => $label,
|
|
'rules' => $rules,
|
|
'is_array' => $is_array,
|
|
'keys' => $indexes,
|
|
'postdata' => NULL,
|
|
'error' => ''
|
|
);
|
|
|
|
return $this;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Set Error Message
|
|
*
|
|
* Lets users set their own error messages on the fly. Note: The key
|
|
* name has to match the function name that it corresponds to.
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function set_message($lang, $val = '')
|
|
{
|
|
if ( ! is_array($lang))
|
|
{
|
|
$lang = array($lang => $val);
|
|
}
|
|
|
|
$this->_error_messages = array_merge($this->_error_messages, $lang);
|
|
|
|
return $this;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Set The Error Delimiter
|
|
*
|
|
* Permits a prefix/suffix to be added to each error message
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string
|
|
* @return void
|
|
*/
|
|
public function set_error_delimiters($prefix = '<p>', $suffix = '</p>')
|
|
{
|
|
$this->_error_prefix = $prefix;
|
|
$this->_error_suffix = $suffix;
|
|
|
|
return $this;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Get Error Message
|
|
*
|
|
* Gets the error message associated with a particular field
|
|
*
|
|
* @access public
|
|
* @param string the field name
|
|
* @return void
|
|
*/
|
|
public function error($field = '', $prefix = '', $suffix = '')
|
|
{
|
|
if ( ! isset($this->_field_data[$field]['error']) OR $this->_field_data[$field]['error'] == '')
|
|
{
|
|
return '';
|
|
}
|
|
|
|
if ($prefix == '')
|
|
{
|
|
$prefix = $this->_error_prefix;
|
|
}
|
|
|
|
if ($suffix == '')
|
|
{
|
|
$suffix = $this->_error_suffix;
|
|
}
|
|
|
|
return $prefix.$this->_field_data[$field]['error'].$suffix;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Error String
|
|
*
|
|
* Returns the error messages as a string, wrapped in the error delimiters
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string
|
|
* @return str
|
|
*/
|
|
public function error_string($prefix = '', $suffix = '')
|
|
{
|
|
// No errrors, validation passes!
|
|
if (count($this->_error_array) === 0)
|
|
{
|
|
return '';
|
|
}
|
|
|
|
if ($prefix == '')
|
|
{
|
|
$prefix = $this->_error_prefix;
|
|
}
|
|
|
|
if ($suffix == '')
|
|
{
|
|
$suffix = $this->_error_suffix;
|
|
}
|
|
|
|
// Generate the error string
|
|
$str = '';
|
|
foreach ($this->_error_array as $val)
|
|
{
|
|
if ($val != '')
|
|
{
|
|
$str .= $prefix.$val.$suffix."\n";
|
|
}
|
|
}
|
|
|
|
return $str;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Run the Validator
|
|
*
|
|
* This function does all the work.
|
|
*
|
|
* @access public
|
|
* @return bool
|
|
*/
|
|
public function run($group = '')
|
|
{
|
|
// Do we even have any data to process? Mm?
|
|
if (count($_POST) == 0)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
// Does the _field_data array containing the validation rules exist?
|
|
// If not, we look to see if they were assigned via a config file
|
|
if (count($this->_field_data) == 0)
|
|
{
|
|
// No validation rules? We're done...
|
|
if (count($this->_config_rules) == 0)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
$this->set_rules($this->_config_rules);
|
|
|
|
// We're we able to set the rules correctly?
|
|
if (count($this->_field_data) == 0)
|
|
{
|
|
log_message('debug', "Unable to find validation rules");
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
// Load the language file containing error messages
|
|
$lang['required'] = "Kolom %s harus diisi.";
|
|
$lang['isset'] = "Kolom %s tidak boleh kosong.";
|
|
$lang['valid_email'] = "Kolom %s harus berisi alamat email yang valid.";
|
|
$lang['valid_emails'] = "Kolom %s harus berisi alamat-alamat email yang valid.";
|
|
$lang['valid_url'] = "Kolom %s harus berisi URL yang valid.";
|
|
$lang['valid_ip'] = "Kolom %s harus berisi IP yang valid.";
|
|
$lang['min_length'] = "Kolom %s harus berisi minimal %s karakter.";
|
|
$lang['max_length'] = "Kolom %s tidak boleh lebih dari %s karakter.";
|
|
$lang['exact_length'] = "Kolom %s harus pas %s karakter.";
|
|
$lang['alpha'] = "Kolom %s hanya boleh berisi karakter huruf.";
|
|
$lang['alpha_numeric'] = "Kolom %s hanya boleh berisi karakter huruf-angka.";
|
|
$lang['alpha_dash'] = "Kolom %s hanya boleh berisi karakter huruf-angka, underscore (_) , dan dash (-).";
|
|
$lang['numeric'] = "Kolom %s harus berisi angka.";
|
|
$lang['is_numeric'] = "Kolom %s harus berisi karakter numerik.";
|
|
$lang['integer'] = "Kolom %s harus berisi integer.";
|
|
$lang['regex_match'] = "Kolom %s format salah.";
|
|
$lang['matches'] = "Kolom %s tidak cocok dengan kolom %s.";
|
|
$lang['is_unique'] = "Kolom %s harus berisi nilai yang unik.";
|
|
$lang['is_natural'] = "Kolom %s hanya boleh berisi angka positif.";
|
|
$lang['is_natural_no_zero'] = "Kolom %s harus lebih dari 0.";
|
|
$lang['decimal'] = "Kolom %s harus berisi angka desimal.";
|
|
$lang['less_than'] = "Kolom %s harus berisi angka yang kurang dari %s.";
|
|
$lang['greater_than'] = "Kolom %s harus berisi angka yang lebih dari %s.";
|
|
$this->lang = $lang;
|
|
|
|
// Cycle through the rules for each field, match the
|
|
// corresponding $_POST item and test for errors
|
|
foreach ($this->_field_data as $field => $row)
|
|
{
|
|
// Fetch the data from the corresponding $_POST array and cache it in the _field_data array.
|
|
// Depending on whether the field name is an array or a string will determine where we get it from.
|
|
|
|
if ($row['is_array'] == TRUE)
|
|
{
|
|
$this->_field_data[$field]['postdata'] = $this->_reduce_array($_POST, $row['keys']);
|
|
}
|
|
else
|
|
{
|
|
if (isset($_POST[$field]) AND $_POST[$field] != "")
|
|
{
|
|
$this->_field_data[$field]['postdata'] = $_POST[$field];
|
|
}
|
|
}
|
|
|
|
$this->_execute($row, explode('|', $row['rules']), $this->_field_data[$field]['postdata']);
|
|
}
|
|
|
|
// Did we end up with any errors?
|
|
$total_errors = count($this->_error_array);
|
|
|
|
if ($total_errors > 0)
|
|
{
|
|
$this->_safe_form_data = TRUE;
|
|
}
|
|
|
|
// Now we need to re-set the POST data with the new, processed data
|
|
$this->_reset_post_array();
|
|
|
|
// No errors, validation passes!
|
|
if ($total_errors == 0)
|
|
{
|
|
return TRUE;
|
|
}
|
|
|
|
// Validation fails
|
|
return FALSE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Traverse a multidimensional $_POST array index until the data is found
|
|
*
|
|
* @access private
|
|
* @param array
|
|
* @param array
|
|
* @param integer
|
|
* @return mixed
|
|
*/
|
|
protected function _reduce_array($array, $keys, $i = 0)
|
|
{
|
|
if (is_array($array))
|
|
{
|
|
if (isset($keys[$i]))
|
|
{
|
|
if (isset($array[$keys[$i]]))
|
|
{
|
|
$array = $this->_reduce_array($array[$keys[$i]], $keys, ($i+1));
|
|
}
|
|
else
|
|
{
|
|
return NULL;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
return $array;
|
|
}
|
|
}
|
|
|
|
return $array;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Re-populate the _POST array with our finalized and processed data
|
|
*
|
|
* @access private
|
|
* @return null
|
|
*/
|
|
protected function _reset_post_array()
|
|
{
|
|
foreach ($this->_field_data as $field => $row)
|
|
{
|
|
if ( ! is_null($row['postdata']))
|
|
{
|
|
if ($row['is_array'] == FALSE)
|
|
{
|
|
if (isset($_POST[$row['field']]))
|
|
{
|
|
$_POST[$row['field']] = $this->prep_for_form($row['postdata']);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// start with a reference
|
|
$post_ref =& $_POST;
|
|
|
|
// before we assign values, make a reference to the right POST key
|
|
if (count($row['keys']) == 1)
|
|
{
|
|
$post_ref =& $post_ref[current($row['keys'])];
|
|
}
|
|
else
|
|
{
|
|
foreach ($row['keys'] as $val)
|
|
{
|
|
$post_ref =& $post_ref[$val];
|
|
}
|
|
}
|
|
|
|
if (is_array($row['postdata']))
|
|
{
|
|
$array = array();
|
|
foreach ($row['postdata'] as $k => $v)
|
|
{
|
|
$array[$k] = $this->prep_for_form($v);
|
|
}
|
|
|
|
$post_ref = $array;
|
|
}
|
|
else
|
|
{
|
|
$post_ref = $this->prep_for_form($row['postdata']);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Executes the Validation routines
|
|
*
|
|
* @access private
|
|
* @param array
|
|
* @param array
|
|
* @param mixed
|
|
* @param integer
|
|
* @return mixed
|
|
*/
|
|
protected function _execute($row, $rules, $postdata = NULL, $cycles = 0)
|
|
{
|
|
// If the $_POST data is an array we will run a recursive call
|
|
if (is_array($postdata))
|
|
{
|
|
foreach ($postdata as $key => $val)
|
|
{
|
|
$this->_execute($row, $rules, $val, $cycles);
|
|
$cycles++;
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
// If the field is blank, but NOT required, no further tests are necessary
|
|
$callback = FALSE;
|
|
if ( ! in_array('required', $rules) AND is_null($postdata))
|
|
{
|
|
// Before we bail out, does the rule contain a callback?
|
|
if (preg_match("/(callback_\w+(\[.*?\])?)/", implode(' ', $rules), $match))
|
|
{
|
|
$callback = TRUE;
|
|
$rules = (array('1' => $match[1]));
|
|
}
|
|
else
|
|
{
|
|
return;
|
|
}
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
// Isset Test. Typically this rule will only apply to checkboxes.
|
|
if (is_null($postdata) AND $callback == FALSE)
|
|
{
|
|
if (in_array('isset', $rules, TRUE) OR in_array('required', $rules))
|
|
{
|
|
// Set the message type
|
|
$type = (in_array('required', $rules)) ? 'required' : 'isset';
|
|
|
|
if ( ! isset($this->_error_messages[$type]))
|
|
{
|
|
if (FALSE === ($line = $this->lang[$type]))
|
|
{
|
|
$line = 'The field was not set';
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$line = $this->_error_messages[$type];
|
|
}
|
|
|
|
// Build the error message
|
|
$message = sprintf($line, $this->_translate_fieldname($row['label']));
|
|
|
|
// Save the error message
|
|
$this->_field_data[$row['field']]['error'] = $message;
|
|
|
|
if ( ! isset($this->_error_array[$row['field']]))
|
|
{
|
|
$this->_error_array[$row['field']] = $message;
|
|
}
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
// Cycle through each rule and run it
|
|
foreach ($rules As $rule)
|
|
{
|
|
$_in_array = FALSE;
|
|
|
|
// We set the $postdata variable with the current data in our master array so that
|
|
// each cycle of the loop is dealing with the processed data from the last cycle
|
|
if ($row['is_array'] == TRUE AND is_array($this->_field_data[$row['field']]['postdata']))
|
|
{
|
|
// We shouldn't need this safety, but just in case there isn't an array index
|
|
// associated with this cycle we'll bail out
|
|
if ( ! isset($this->_field_data[$row['field']]['postdata'][$cycles]))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
$postdata = $this->_field_data[$row['field']]['postdata'][$cycles];
|
|
$_in_array = TRUE;
|
|
}
|
|
else
|
|
{
|
|
$postdata = $this->_field_data[$row['field']]['postdata'];
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
// Is the rule a callback?
|
|
$callback = FALSE;
|
|
if (substr($rule, 0, 9) == 'callback_')
|
|
{
|
|
$rule = substr($rule, 9);
|
|
$callback = TRUE;
|
|
}
|
|
|
|
// Strip the parameter (if exists) from the rule
|
|
// Rules can contain a parameter: max_length[5]
|
|
$param = FALSE;
|
|
if (preg_match("/(.*?)\[(.*)\]/", $rule, $match))
|
|
{
|
|
$rule = $match[1];
|
|
$param = $match[2];
|
|
}
|
|
|
|
// Call the function that corresponds to the rule
|
|
if ($callback === TRUE)
|
|
{
|
|
if ( ! method_exists($this->controller, $rule))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
// Run the function and grab the result
|
|
$result = $this->controller->$rule($postdata, $param);
|
|
|
|
// Re-assign the result to the master data array
|
|
if ($_in_array == TRUE)
|
|
{
|
|
$this->_field_data[$row['field']]['postdata'][$cycles] = (is_bool($result)) ? $postdata : $result;
|
|
}
|
|
else
|
|
{
|
|
$this->_field_data[$row['field']]['postdata'] = (is_bool($result)) ? $postdata : $result;
|
|
}
|
|
|
|
// If the field isn't required and we just processed a callback we'll move on...
|
|
if ( ! in_array('required', $rules, TRUE) AND $result !== FALSE)
|
|
{
|
|
continue;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if ( ! method_exists($this, $rule))
|
|
{
|
|
// If our own wrapper function doesn't exist we see if a native PHP function does.
|
|
// Users can use any native PHP function call that has one param.
|
|
if (function_exists($rule))
|
|
{
|
|
$result = $rule($postdata);
|
|
|
|
if ($_in_array == TRUE)
|
|
{
|
|
$this->_field_data[$row['field']]['postdata'][$cycles] = (is_bool($result)) ? $postdata : $result;
|
|
}
|
|
else
|
|
{
|
|
$this->_field_data[$row['field']]['postdata'] = (is_bool($result)) ? $postdata : $result;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
log_message('debug', "Unable to find validation rule: ".$rule);
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
$result = $this->$rule($postdata, $param);
|
|
|
|
if ($_in_array == TRUE)
|
|
{
|
|
$this->_field_data[$row['field']]['postdata'][$cycles] = (is_bool($result)) ? $postdata : $result;
|
|
}
|
|
else
|
|
{
|
|
$this->_field_data[$row['field']]['postdata'] = (is_bool($result)) ? $postdata : $result;
|
|
}
|
|
}
|
|
|
|
// Did the rule test negatively? If so, grab the error.
|
|
if ($result === FALSE)
|
|
{
|
|
if ( ! isset($this->_error_messages[$rule]))
|
|
{
|
|
if (FALSE === ($line = $this->lang[$rule]))
|
|
{
|
|
$line = 'Unable to access an error message corresponding to your field name.';
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$line = $this->_error_messages[$rule];
|
|
}
|
|
|
|
// Is the parameter we are inserting into the error message the name
|
|
// of another field? If so we need to grab its "field label"
|
|
if (isset($this->_field_data[$param]) AND isset($this->_field_data[$param]['label']))
|
|
{
|
|
$param = $this->_translate_fieldname($this->_field_data[$param]['label']);
|
|
}
|
|
|
|
// Build the error message
|
|
$message = sprintf($line, $this->_translate_fieldname($row['label']), $param);
|
|
|
|
// Save the error message
|
|
$this->_field_data[$row['field']]['error'] = $message;
|
|
|
|
if ( ! isset($this->_error_array[$row['field']]))
|
|
{
|
|
$this->_error_array[$row['field']] = $message;
|
|
}
|
|
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Translate a field name
|
|
*
|
|
* @access private
|
|
* @param string the field name
|
|
* @return string
|
|
*/
|
|
protected function _translate_fieldname($fieldname)
|
|
{
|
|
// Do we need to translate the field name?
|
|
// We look for the prefix lang: to determine this
|
|
if (substr($fieldname, 0, 5) == 'lang:')
|
|
{
|
|
// Grab the variable
|
|
$line = substr($fieldname, 5);
|
|
|
|
// Were we able to translate the field name? If not we use $line
|
|
if (FALSE === ($fieldname = $this->lang[$line]))
|
|
{
|
|
return $line;
|
|
}
|
|
}
|
|
|
|
return $fieldname;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Get the value from a form
|
|
*
|
|
* Permits you to repopulate a form field with the value it was submitted
|
|
* with, or, if that value doesn't exist, with the default
|
|
*
|
|
* @access public
|
|
* @param string the field name
|
|
* @param string
|
|
* @return void
|
|
*/
|
|
public function set_value($field = '', $default = '')
|
|
{
|
|
if ( ! isset($this->_field_data[$field]))
|
|
{
|
|
return $default;
|
|
}
|
|
|
|
// If the data is an array output them one at a time.
|
|
// E.g: form_input('name[]', set_value('name[]');
|
|
if (is_array($this->_field_data[$field]['postdata']))
|
|
{
|
|
return array_shift($this->_field_data[$field]['postdata']);
|
|
}
|
|
|
|
return $this->_field_data[$field]['postdata'];
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Set Select
|
|
*
|
|
* Enables pull-down lists to be set to the value the user
|
|
* selected in the event of an error
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function set_select($field = '', $value = '', $default = FALSE)
|
|
{
|
|
if ( ! isset($this->_field_data[$field]) OR ! isset($this->_field_data[$field]['postdata']))
|
|
{
|
|
if ($default === TRUE AND count($this->_field_data) === 0)
|
|
{
|
|
return ' selected="selected"';
|
|
}
|
|
return '';
|
|
}
|
|
|
|
$field = $this->_field_data[$field]['postdata'];
|
|
|
|
if (is_array($field))
|
|
{
|
|
if ( ! in_array($value, $field))
|
|
{
|
|
return '';
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (($field == '' OR $value == '') OR ($field != $value))
|
|
{
|
|
return '';
|
|
}
|
|
}
|
|
|
|
return ' selected="selected"';
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Set Radio
|
|
*
|
|
* Enables radio buttons to be set to the value the user
|
|
* selected in the event of an error
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function set_radio($field = '', $value = '', $default = FALSE)
|
|
{
|
|
if ( ! isset($this->_field_data[$field]) OR ! isset($this->_field_data[$field]['postdata']))
|
|
{
|
|
if ($default === TRUE AND count($this->_field_data) === 0)
|
|
{
|
|
return ' checked="checked"';
|
|
}
|
|
return '';
|
|
}
|
|
|
|
$field = $this->_field_data[$field]['postdata'];
|
|
|
|
if (is_array($field))
|
|
{
|
|
if ( ! in_array($value, $field))
|
|
{
|
|
return '';
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (($field == '' OR $value == '') OR ($field != $value))
|
|
{
|
|
return '';
|
|
}
|
|
}
|
|
|
|
return ' checked="checked"';
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Set Checkbox
|
|
*
|
|
* Enables checkboxes to be set to the value the user
|
|
* selected in the event of an error
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function set_checkbox($field = '', $value = '', $default = FALSE)
|
|
{
|
|
if ( ! isset($this->_field_data[$field]) OR ! isset($this->_field_data[$field]['postdata']))
|
|
{
|
|
if ($default === TRUE AND count($this->_field_data) === 0)
|
|
{
|
|
return ' checked="checked"';
|
|
}
|
|
return '';
|
|
}
|
|
|
|
$field = $this->_field_data[$field]['postdata'];
|
|
|
|
if (is_array($field))
|
|
{
|
|
if ( ! in_array($value, $field))
|
|
{
|
|
return '';
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (($field == '' OR $value == '') OR ($field != $value))
|
|
{
|
|
return '';
|
|
}
|
|
}
|
|
|
|
return ' checked="checked"';
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Required
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function required($str)
|
|
{
|
|
if ( ! is_array($str))
|
|
{
|
|
return (trim($str) == '') ? FALSE : TRUE;
|
|
}
|
|
else
|
|
{
|
|
return ( ! empty($str));
|
|
}
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Performs a Regular Expression match test.
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param regex
|
|
* @return bool
|
|
*/
|
|
public function regex_match($str, $regex)
|
|
{
|
|
if ( ! preg_match($regex, $str))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Match one field to another
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param field
|
|
* @return bool
|
|
*/
|
|
public function matches($str, $field)
|
|
{
|
|
if ( ! isset($_POST[$field]))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
$field = $_POST[$field];
|
|
|
|
return ($str !== $field) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Match one field to another
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param field
|
|
* @return bool
|
|
*/
|
|
public function is_unique($str, $field)
|
|
{
|
|
list($table, $field)=explode('.', $field);
|
|
$query = $this->controller->db->limit(1)->get_where($table, array($field => $str));
|
|
|
|
return $query->num_rows() === 0;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Minimum Length
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param value
|
|
* @return bool
|
|
*/
|
|
public function min_length($str, $val)
|
|
{
|
|
if (preg_match("/[^0-9]/", $val))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
if (function_exists('mb_strlen'))
|
|
{
|
|
return (mb_strlen($str) < $val) ? FALSE : TRUE;
|
|
}
|
|
|
|
return (strlen($str) < $val) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Max Length
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param value
|
|
* @return bool
|
|
*/
|
|
public function max_length($str, $val)
|
|
{
|
|
if (preg_match("/[^0-9]/", $val))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
if (function_exists('mb_strlen'))
|
|
{
|
|
return (mb_strlen($str) > $val) ? FALSE : TRUE;
|
|
}
|
|
|
|
return (strlen($str) > $val) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Exact Length
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param value
|
|
* @return bool
|
|
*/
|
|
public function exact_length($str, $val)
|
|
{
|
|
if (preg_match("/[^0-9]/", $val))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
if (function_exists('mb_strlen'))
|
|
{
|
|
return (mb_strlen($str) != $val) ? FALSE : TRUE;
|
|
}
|
|
|
|
return (strlen($str) != $val) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Valid Email
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function valid_email($str)
|
|
{
|
|
return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $str)) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Valid Emails
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function valid_emails($str)
|
|
{
|
|
if (strpos($str, ',') === FALSE)
|
|
{
|
|
return $this->valid_email(trim($str));
|
|
}
|
|
|
|
foreach (explode(',', $str) as $email)
|
|
{
|
|
if (trim($email) != '' && $this->valid_email(trim($email)) === FALSE)
|
|
{
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Validate IP Address
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @param string "ipv4" or "ipv6" to validate a specific ip format
|
|
* @return string
|
|
*/
|
|
public function valid_ip($ip, $which = '')
|
|
{
|
|
$ip_segments = explode('.', $ip);
|
|
|
|
// Always 4 segments needed
|
|
if (count($ip_segments) !== 4)
|
|
{
|
|
return FALSE;
|
|
}
|
|
// IP can not start with 0
|
|
if ($ip_segments[0][0] == '0')
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
// Check each segment
|
|
foreach ($ip_segments as $segment)
|
|
{
|
|
// IP segments must be digits and can not be
|
|
// longer than 3 digits or greater then 255
|
|
if ($segment == '' OR preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
|
|
{
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Alpha
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function alpha($str)
|
|
{
|
|
return ( ! preg_match("/^([a-z])+$/i", $str)) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Alpha-numeric
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function alpha_numeric($str)
|
|
{
|
|
return ( ! preg_match("/^([a-z0-9])+$/i", $str)) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Alpha-numeric with underscores and dashes
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function alpha_dash($str)
|
|
{
|
|
return ( ! preg_match("/^([-a-z0-9_-])+$/i", $str)) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Numeric
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function numeric($str)
|
|
{
|
|
return (bool)preg_match( '/^[\-+]?[0-9]*\.?[0-9]+$/', $str);
|
|
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Is Numeric
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function is_numeric($str)
|
|
{
|
|
return ( ! is_numeric($str)) ? FALSE : TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Integer
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function integer($str)
|
|
{
|
|
return (bool) preg_match('/^[\-+]?[0-9]+$/', $str);
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Decimal number
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function decimal($str)
|
|
{
|
|
return (bool) preg_match('/^[\-+]?[0-9]+\.[0-9]+$/', $str);
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Greather than
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function greater_than($str, $min)
|
|
{
|
|
if ( ! is_numeric($str))
|
|
{
|
|
return FALSE;
|
|
}
|
|
return $str > $min;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Less than
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function less_than($str, $max)
|
|
{
|
|
if ( ! is_numeric($str))
|
|
{
|
|
return FALSE;
|
|
}
|
|
return $str < $max;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Is a Natural number (0,1,2,3, etc.)
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function is_natural($str)
|
|
{
|
|
return (bool) preg_match( '/^[0-9]+$/', $str);
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Is a Natural number, but not a zero (1,2,3, etc.)
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function is_natural_no_zero($str)
|
|
{
|
|
if ( ! preg_match( '/^[0-9]+$/', $str))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
if ($str == 0)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Valid Base64
|
|
*
|
|
* Tests a string for characters outside of the Base64 alphabet
|
|
* as defined by RFC 2045 http://www.faqs.org/rfcs/rfc2045
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return bool
|
|
*/
|
|
public function valid_base64($str)
|
|
{
|
|
return (bool) ! preg_match('/[^a-zA-Z0-9\/\+=]/', $str);
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Prep data for form
|
|
*
|
|
* This function allows HTML to be safely shown in a form.
|
|
* Special characters are converted.
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function prep_for_form($data = '')
|
|
{
|
|
if (is_array($data))
|
|
{
|
|
foreach ($data as $key => $val)
|
|
{
|
|
$data[$key] = $this->prep_for_form($val);
|
|
}
|
|
|
|
return $data;
|
|
}
|
|
|
|
if ($this->_safe_form_data == FALSE OR $data === '')
|
|
{
|
|
return $data;
|
|
}
|
|
|
|
return str_replace(array("'", '"', '<', '>'), array("'", """, '<', '>'), stripslashes($data));
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Prep URL
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function prep_url($str = '')
|
|
{
|
|
if ($str == 'http://' OR $str == '')
|
|
{
|
|
return '';
|
|
}
|
|
|
|
if (substr($str, 0, 7) != 'http://' && substr($str, 0, 8) != 'https://')
|
|
{
|
|
$str = 'http://'.$str;
|
|
}
|
|
|
|
return $str;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* XSS Clean
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
|
|
/**
|
|
* XSS Clean
|
|
*
|
|
* Sanitizes data so that Cross Site Scripting Hacks can be
|
|
* prevented. This function does a fair amount of work but
|
|
* it is extremely thorough, designed to prevent even the
|
|
* most obscure XSS attempts. Nothing is ever 100% foolproof,
|
|
* of course, but I haven't been able to get anything passed
|
|
* the filter.
|
|
*
|
|
* Note: This function should only be used to deal with data
|
|
* upon submission. It's not something that should
|
|
* be used for general runtime processing.
|
|
*
|
|
* This function was based in part on some code and ideas I
|
|
* got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention
|
|
*
|
|
* To help develop this script I used this great list of
|
|
* vulnerabilities along with a few other hacks I've
|
|
* harvested from examining vulnerabilities in other programs:
|
|
* http://ha.ckers.org/xss.html
|
|
*
|
|
* @param mixed string or array
|
|
* @param bool
|
|
* @return string
|
|
*/
|
|
public function xss_clean($str, $is_image = FALSE)
|
|
{
|
|
/*
|
|
* Is the string an array?
|
|
*
|
|
*/
|
|
if (is_array($str))
|
|
{
|
|
while (list($key) = each($str))
|
|
{
|
|
$str[$key] = $this->xss_clean($str[$key]);
|
|
}
|
|
|
|
return $str;
|
|
}
|
|
|
|
/*
|
|
* Remove Invisible Characters
|
|
*/
|
|
$str = remove_invisible_characters($str);
|
|
|
|
// Validate Entities in URLs
|
|
$str = $this->_validate_entities($str);
|
|
|
|
/*
|
|
* URL Decode
|
|
*
|
|
* Just in case stuff like this is submitted:
|
|
*
|
|
* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
|
|
*
|
|
* Note: Use rawurldecode() so it does not remove plus signs
|
|
*
|
|
*/
|
|
$str = rawurldecode($str);
|
|
|
|
/*
|
|
* Convert character entities to ASCII
|
|
*
|
|
* This permits our tests below to work reliably.
|
|
* We only convert entities that are within tags since
|
|
* these are the ones that will pose security problems.
|
|
*
|
|
*/
|
|
|
|
$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
|
|
|
|
$str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str);
|
|
|
|
/*
|
|
* Remove Invisible Characters Again!
|
|
*/
|
|
$str = remove_invisible_characters($str);
|
|
|
|
/*
|
|
* Convert all tabs to spaces
|
|
*
|
|
* This prevents strings like this: ja vascript
|
|
* NOTE: we deal with spaces between characters later.
|
|
* NOTE: preg_replace was found to be amazingly slow here on
|
|
* large blocks of data, so we use str_replace.
|
|
*/
|
|
|
|
if (strpos($str, "\t") !== FALSE)
|
|
{
|
|
$str = str_replace("\t", ' ', $str);
|
|
}
|
|
|
|
/*
|
|
* Capture converted string for later comparison
|
|
*/
|
|
$converted_string = $str;
|
|
|
|
// Remove Strings that are never allowed
|
|
$str = $this->_do_never_allowed($str);
|
|
|
|
/*
|
|
* Makes PHP tags safe
|
|
*
|
|
* Note: XML tags are inadvertently replaced too:
|
|
*
|
|
* <?xml
|
|
*
|
|
* But it doesn't seem to pose a problem.
|
|
*/
|
|
if ($is_image === TRUE)
|
|
{
|
|
// Images have a tendency to have the PHP short opening and
|
|
// closing tags every so often so we skip those and only
|
|
// do the long opening tags.
|
|
$str = preg_replace('/<\?(php)/i', "<?\\1", $str);
|
|
}
|
|
else
|
|
{
|
|
$str = str_replace(array('<?', '?'.'>'), array('<?', '?>'), $str);
|
|
}
|
|
|
|
/*
|
|
* Compact any exploded words
|
|
*
|
|
* This corrects words like: j a v a s c r i p t
|
|
* These words are compacted back to their correct state.
|
|
*/
|
|
$words = array(
|
|
'javascript', 'expression', 'vbscript', 'script', 'base64',
|
|
'applet', 'alert', 'document', 'write', 'cookie', 'window'
|
|
);
|
|
|
|
foreach ($words as $word)
|
|
{
|
|
$temp = '';
|
|
|
|
for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
|
|
{
|
|
$temp .= substr($word, $i, 1)."\s*";
|
|
}
|
|
|
|
// We only want to do this when it is followed by a non-word character
|
|
// That way valid stuff like "dealer to" does not become "dealerto"
|
|
$str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
|
|
}
|
|
|
|
/*
|
|
* Remove disallowed Javascript in links or img tags
|
|
* We used to do some version comparisons and use of stripos for PHP5,
|
|
* but it is dog slow compared to these simplified non-capturing
|
|
* preg_match(), especially if the pattern exists in the string
|
|
*/
|
|
do
|
|
{
|
|
$original = $str;
|
|
|
|
if (preg_match("/<a/i", $str))
|
|
{
|
|
$str = preg_replace_callback("#<a\s+([^>]*?)(>|$)#si", array($this, '_js_link_removal'), $str);
|
|
}
|
|
|
|
if (preg_match("/<img/i", $str))
|
|
{
|
|
$str = preg_replace_callback("#<img\s+([^>]*?)(\s?/?>|$)#si", array($this, '_js_img_removal'), $str);
|
|
}
|
|
|
|
if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
|
|
{
|
|
$str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str);
|
|
}
|
|
}
|
|
while($original != $str);
|
|
|
|
unset($original);
|
|
|
|
// Remove evil attributes such as style, onclick and xmlns
|
|
$str = $this->_remove_evil_attributes($str, $is_image);
|
|
|
|
/*
|
|
* Sanitize naughty HTML elements
|
|
*
|
|
* If a tag containing any of the words in the list
|
|
* below is found, the tag gets converted to entities.
|
|
*
|
|
* So this: <blink>
|
|
* Becomes: <blink>
|
|
*/
|
|
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
|
|
$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
|
|
|
|
/*
|
|
* Sanitize naughty scripting elements
|
|
*
|
|
* Similar to above, only instead of looking for
|
|
* tags it looks for PHP and JavaScript commands
|
|
* that are disallowed. Rather than removing the
|
|
* code, it simply converts the parenthesis to entities
|
|
* rendering the code un-executable.
|
|
*
|
|
* For example: eval('some code')
|
|
* Becomes: eval('some code')
|
|
*/
|
|
$str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $str);
|
|
|
|
|
|
// Final clean up
|
|
// This adds a bit of extra precaution in case
|
|
// something got through the above filters
|
|
$str = $this->_do_never_allowed($str);
|
|
|
|
/*
|
|
* Images are Handled in a Special Way
|
|
* - Essentially, we want to know that after all of the character
|
|
* conversion is done whether any unwanted, likely XSS, code was found.
|
|
* If not, we return TRUE, as the image is clean.
|
|
* However, if the string post-conversion does not matched the
|
|
* string post-removal of XSS, then it fails, as there was unwanted XSS
|
|
* code found and removed/changed during processing.
|
|
*/
|
|
|
|
if ($is_image === TRUE)
|
|
{
|
|
return ($str == $converted_string) ? TRUE: FALSE;
|
|
}
|
|
|
|
log_message('debug', "XSS Filtering completed");
|
|
return $str;
|
|
}
|
|
|
|
// --------------------------------------------------------------------
|
|
|
|
/**
|
|
* Convert PHP tags to entities
|
|
*
|
|
* @access public
|
|
* @param string
|
|
* @return string
|
|
*/
|
|
public function encode_php_tags($str)
|
|
{
|
|
return str_replace(array('<?php', '<?PHP', '<?', '?>'), array('<?php', '<?PHP', '<?', '?>'), $str);
|
|
}
|
|
|
|
private function _convert_attribute($match)
|
|
{
|
|
return str_replace(array('>', '<', '\\'), array('>', '<', '\\\\'), $match[0]);
|
|
}
|
|
|
|
public function entity_decode($str, $charset='UTF-8')
|
|
{
|
|
if (stristr($str, '&') === FALSE)
|
|
{
|
|
return $str;
|
|
}
|
|
|
|
$str = html_entity_decode($str, ENT_COMPAT, $charset);
|
|
$str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
|
|
return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
|
|
}
|
|
|
|
private function _decode_entity($match)
|
|
{
|
|
return $this->entity_decode($match[0]);
|
|
}
|
|
private function _do_never_allowed($str)
|
|
{
|
|
$_never_allowed_str = array(
|
|
'document.cookie' => '[removed]',
|
|
'document.write' => '[removed]',
|
|
'.parentNode' => '[removed]',
|
|
'.innerHTML' => '[removed]',
|
|
'window.location' => '[removed]',
|
|
'-moz-binding' => '[removed]',
|
|
'<!--' => '<!--',
|
|
'-->' => '-->',
|
|
'<![CDATA[' => '<![CDATA[',
|
|
'<comment>' => '<comment>'
|
|
);
|
|
|
|
$_never_allowed_regex = array(
|
|
'javascript\s*:',
|
|
'expression\s*(\(|&\#40;)', // CSS and IE
|
|
'vbscript\s*:', // IE, surprise!
|
|
'Redirect\s+302',
|
|
"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
|
|
);
|
|
$str = str_replace(array_keys($_never_allowed_str), $_never_allowed_str, $str);
|
|
|
|
foreach ($_never_allowed_regex as $regex)
|
|
{
|
|
$str = preg_replace('#'.$regex.'#is', '[removed]', $str);
|
|
}
|
|
|
|
return $str;
|
|
}
|
|
|
|
private function _remove_evil_attributes($str, $is_image)
|
|
{
|
|
// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
|
|
$evil_attributes = array('style', 'xmlns', 'formaction');
|
|
|
|
if ($is_image === TRUE)
|
|
{
|
|
/*
|
|
* Adobe Photoshop puts XML metadata into JFIF images,
|
|
* including namespacing, so we have to allow this for images.
|
|
*/
|
|
unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
|
|
}
|
|
|
|
do {
|
|
$count = 0;
|
|
$attribs = array();
|
|
|
|
// find occurrences of illegal attribute strings without quotes
|
|
preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
|
|
|
|
foreach ($matches as $attr)
|
|
{
|
|
|
|
$attribs[] = preg_quote($attr[0], '/');
|
|
}
|
|
|
|
// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
|
|
preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is", $str, $matches, PREG_SET_ORDER);
|
|
|
|
foreach ($matches as $attr)
|
|
{
|
|
$attribs[] = preg_quote($attr[0], '/');
|
|
}
|
|
|
|
// replace illegal attribute strings that are inside an html tag
|
|
if (count($attribs) > 0)
|
|
{
|
|
$str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count);
|
|
}
|
|
|
|
} while ($count);
|
|
|
|
return $str;
|
|
}
|
|
}
|
|
// END Form Validation Class
|