PHP userland backwards compatibility layer that emulates PHP 5.5+ core functions.



Update of "input.php"


Overview

Artifact ID: c13645305680238c0c1b5107a6a3d21d498530a5
Page Name: input.php
Date: 2012-01-09 00:37:21
Original User: mario
Parent: fdd17d0d0e8c5180977763d8ed4025d25bea2301 (diff)
Next 504373e2296ee6d2ded6ebd08a58efb249fa5502

input.php


This variant is obsolete. See http://sourceforge.net/p/php7framework/svn/64/tree/trunk/php7/input.php?force=True for version 2.


input.php provides object-oriented security wrappers around:

  • $_POST
  • $_GET
  • $_REQUEST
  • $_SERVER
  • $_COOKIE

It's located in ext/contrib/input.php, and on invocation it automatically replaces the plain $_REQUEST arrays with objects.

This **enforces** accessing input and form data through filter functions:

$_REQUEST->name("inputfield")

Various filter functions are provided by default. Ultimately, though, each application should add custom filter functions wherever input strings of a specific shape are expected.

To make the transition easier, the input wrappers provide two additional access methods. Because rewriting $_REQUEST["var"] to $_REQUEST->int("var") is a lot of typing, it can be reduced to just inserting the ->filter call and leaving the square brackets in place:

  • $_REQUEST->name["var"]

Another option is the all-objectish access pattern:

  • $_REQUEST->name->var

Besides the aforementioned standard method call:

  • $_REQUEST->name("var")

== Implementation ==

The internal implementation is rather simple and boils down to:

    class input {
        function __construct($vars) {
            $this->vars = $vars;
        }
        // keep only word characters; a missing key yields "" instead of a notice
        function name($var) {
            $value = isset($this->vars[$var]) ? $this->vars[$var] : "";
            return preg_replace("/[^\w\d_]+/", "", $value);
        }
    }
    $_REQUEST = new input($_REQUEST);

So it's very simple to add custom filter functions.

Apart from plain filtering, it may be appropriate to add logging. If specific input strings are security related, add a custom function for them; should a non-standard string be detected, it can be logged. The advantage of the input wrappers is that this happens in one central place. There is no need to spread input validation unreliably through the application anymore.
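The following sketch, added here and not taken from ext/contrib/input.php, shows how the three access styles described above (->name("var"), ->name["var"], ->name->var) can be wired up together with a logging custom filter. The raw() and action() filters, the input_filter proxy class and the sample request data are assumptions for illustration; only name() and int() are named on this page.

```php
<?php
// Added sketch, not the project's ext/contrib/input.php. raw(), action(),
// the input_filter proxy and the sample data are made up for illustration.
class input
{
    private $vars;
    public function __construct(array $vars) { $this->vars = $vars; }

    // Raw lookup; a missing key yields "" instead of an undefined-index notice.
    public function raw($var)
    {
        return isset($this->vars[$var]) ? (string) $this->vars[$var] : "";
    }

    // Default filters: identifier-like names, and integers.
    public function name($var) { return preg_replace('/[^\w\d_]+/', '', $this->raw($var)); }
    public function int($var)  { return (int) preg_replace('/[^0-9-]/', '', $this->raw($var)); }

    // Custom filter for a security-relevant field: only an expected set is
    // accepted; anything else is logged centrally and replaced by a safe default.
    public function action($var)
    {
        $v = $this->raw($var);
        if (!in_array($v, array("view", "edit", "delete"), true)) {
            // control characters are escaped so the log line cannot be forged
            error_log(sprintf("input: unexpected %s=%s", $var, addcslashes($v, "\0..\37")));
            return "view";
        }
        return $v;
    }

    // ->name["var"] and ->name->var go through a proxy bound to the filter method.
    public function __get($filter) { return new input_filter($this, $filter); }
}

class input_filter implements ArrayAccess
{
    private $input, $filter;
    public function __construct(input $input, $filter) { $this->input = $input; $this->filter = $filter; }
    public function offsetGet($var)       { return $this->input->{$this->filter}($var); }
    public function __get($var)           { return $this->offsetGet($var); }
    public function offsetExists($var)    { return $this->input->raw($var) !== ""; }
    public function offsetSet($var, $val) { }   // input is read-only through the wrapper
    public function offsetUnset($var)     { }
}

// Constructed sample request standing in for the real superglobal.
$_REQUEST = new input(array("user" => "mario<script>", "id" => "42abc", "act" => "drop"));
var_dump($_REQUEST->name("user"));   // method-call form: tags and brackets stripped
var_dump($_REQUEST->int["id"]);      // array form: digits only, cast to int
var_dump($_REQUEST->action->act);    // object form: "drop" is rejected and logged
```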

== Custom filters ==

Should you have a custom filter, please post it here.