class CI_Security
-
xss_clean($str[, $is_image = FALSE])
-
Parameters: - $str (mixed) – Input string or an array of strings
Returns: XSS-clean data
Return type: mixed
Tries to remove XSS exploits from the input data and returns the cleaned string. If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it.
-
sanitize_filename($str[, $relative_path = FALSE])
-
Parameters: - $str (string) – File name/path
- $relative_path (bool) – Whether to preserve any directories in the file path
Returns: Sanitized file name/path
Return type: string
Tries to sanitize filenames in order to prevent directory traversal attempts and other security threats, which is particularly useful for files that were supplied via user input.
$filename = $this->security->sanitize_filename($this->input->post('filename'));
If it is acceptable for the user input to include relative paths, e.g. file/in/some/approved/folder.txt, you can set the second optional parameter,
$relative_path
to TRUE.$filename = $this->security->sanitize_filename($this->input->post('filename'), TRUE);
-
get_csrf_token_name()
-
Returns: CSRF token name Return type: string Returns the CSRF token name (the
$config['csrf_token_name']
value).
-
get_csrf_hash()
-
Returns: CSRF hash Return type: string Returns the CSRF hash value. Useful in combination with
get_csrf_token_name()
for manually building forms or sending valid AJAX POST requests.
-
entity_decode($str[, $charset = NULL])
-
Parameters: - $str (string) – Input string
- $charset (string) – Character set of the input string
Returns: Entity-decoded string
Return type: string
This method acts a lot like PHP’s own native
html_entity_decode()
function in ENT_COMPAT mode, only it tries to detect HTML entities that don’t end in a semicolon because some browsers allow that.If the
$charset
parameter is left empty, then your configured$config['charset']
value will be used.
-
get_random_bytes($length)
-
Parameters: - $length (int) – Output length
Returns: A binary stream of random bytes or FALSE on failure
Return type: string
A convenience method for getting proper random bytes via
mcrypt_create_iv()
,/dev/urandom
oropenssl_random_pseudo_bytes()
(in that order), if one of them is available.Used for generating CSRF and XSS tokens.
Note
The output is NOT guaranteed to be cryptographically secure, just the best attempt at that.
Please login to continue.