panique / mini2

Just an extremely simple naked PHP application, useful for small projects and quick prototypes.
MIT License
417 stars 102 forks

Q : More URL parameters #17

Closed ghost closed 9 years ago

ghost commented 10 years ago

First off, big thank you for this/the basic version, which has helped me no end. I was looking at extending the URL parameters by using an array and modifying the split URL, and then just calling it in the construct if it exists/is not empty.

My question is: is it safe to directly call the params $this->home->method($param_1, $param_2,3,4,5) from the one array, or is there a reason the url_controller, url_action and params are kept separate?

This is how I'm validating the URL before parsing it into the 'filteredparam' array:

function spliturl($string)
{
    $untrusted = ltrim($string);
    $ut2 = rtrim($untrusted, '/');
    $ut3 = htmlspecialchars($ut2);
    $ut4 = explode('/', $ut3);

    // plain function, not a method: keep the index and the result local
    $filteredparam = array();
    $paramindex = 0;

    foreach ($ut4 as $testcase) {
        // keep only segments made of word characters and hyphens
        if (preg_match('/^[\w-]+$/', $testcase)) {
            $filteredparam[$paramindex] = quickvalidate($testcase);
        }
        $paramindex++;
    }
    return $filteredparam;
}

function quickvalidate($string)
{
    $clear = strip_tags($string);
    $clear = html_entity_decode($clear);
    $clear = urldecode($clear);
    // anything that is not a letter or digit becomes a space, then spaces are dropped
    $clear = preg_replace('/[^A-Za-z0-9]/', ' ', $clear);
    $clear = preg_replace('/ +/', '', $clear);
    $clear = trim($clear);
    return $clear;
}
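An added example, not code from panique/mini2 or from the issue author, showing one way to do what the question above asks: split the path into controller/action/params, accept each segment only against a strict allowlist, and pass the remaining segments as arguments through call_user_func_array() while confining which controllers and methods a URL may name. The class HomeController, the functions splitUrl()/routeRequest() and the sample paths are assumptions made for this example. The segments remain untrusted data afterwards: htmlspecialchars() belongs where they are echoed and parameter binding where they reach SQL, not in the router.

```php
<?php
// Added example (not code from panique/mini2 or from the issue author).
// Assumed names: HomeController, splitUrl(), routeRequest(), the sample paths.

declare(strict_types=1);

final class HomeController
{
    // Only methods listed here may be reached from the URL.
    public const ACTIONS = ['index', 'show'];

    public function index(): string
    {
        return 'home/index';
    }

    public function show(string $id, string $slug = 'none'): string
    {
        return "home/show id={$id} slug={$slug}";
    }

    // Not in ACTIONS, so '/home/destroy' is rejected by the router.
    public function destroy(): string
    {
        return 'DANGER';
    }
}

/**
 * Split a raw request path into validated segments.
 * Returns null if any segment fails the allowlist or there are too many.
 */
function splitUrl(string $path, int $maxSegments = 8): ?array
{
    // Decode once, then split; %2F therefore becomes a separator too.
    $path = trim(rawurldecode($path), '/');
    if ($path === '') {
        return [];
    }
    $segments = explode('/', $path);
    if (count($segments) > $maxSegments) {
        return null;
    }
    foreach ($segments as $seg) {
        // Allowlist: letters, digits, underscore, hyphen; 1..64 chars. Rejects '.', '<', '%' etc.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $seg)) {
            return null;
        }
    }
    return $segments;
}

/**
 * Resolve controller and action from the path and invoke the action
 * with the remaining segments as positional arguments.
 */
function routeRequest(string $path, array $controllers): string
{
    $segments = splitUrl($path);
    if ($segments === null) {
        return '400 bad request';
    }
    $controllerName = strtolower($segments[0] ?? 'home');
    $action = strtolower($segments[1] ?? 'index');
    $params = array_slice($segments, 2);

    // Map URL name -> class through a fixed table; never build class names from input.
    if (!isset($controllers[$controllerName])) {
        return '404 unknown controller';
    }
    $class = $controllers[$controllerName];
    if (!in_array($action, $class::ACTIONS, true)) {
        return '404 unknown action';
    }

    // Check arity first so a wrong parameter count is a 404 rather than an
    // ArgumentCountError that might surface a stack trace.
    $ref = new ReflectionMethod($class, $action);
    $n = count($params);
    if ($n < $ref->getNumberOfRequiredParameters() || $n > $ref->getNumberOfParameters()) {
        return '404 wrong parameter count';
    }

    $controller = new $class();
    return (string) call_user_func_array([$controller, $action], $params);
}

$controllers = ['home' => HomeController::class];

// Constructed sample paths: one valid, one blocked action, one bad arity, one bad segment.
foreach (['/home/show/42/hello-world', '/home/destroy', '/home/show/42/x/y', '/home/show/<script>'] as $p) {
    echo $p, ' -> ', routeRequest($p, $controllers), PHP_EOL;
}
```

Passing the whole array into call_user_func_array() is fine once the controller and method names come from a fixed table rather than from the URL; keeping controller, action and params as separate values, as the project does, is what makes that table check easy to write. The ReflectionMethod arity check is there so that extra or missing segments produce a normal 404 instead of an uncaught ArgumentCountError.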
panique commented 10 years ago

Sorry, I don't understand the question. Adding more parameters should be easy, as you simply have to add a fourth, fifth etc. parameter in https://github.com/panique/php-mvc-advanced/blob/master/application/libs/application.php !

Remember: This project is extremely minimal, no need to make everything automatic. If you really need 10 parameters (bad style btw :) ) then just add params 4-10 in the application.php by hand and it will work perfectly.

panique commented 10 years ago

Ah okay, I overlooked some parts of your question: What exactly do you mean by "safe"? In which context? Showing data to users and putting data into DBs is a huge topic itself; this cannot be answered here in one comment.

ghost commented 10 years ago

Yeah, reading into this a little more, there are better ways of handling it.

When I say 'safe': as the input has come from a server variable from an unknown source, wouldn't it make sense to check it for CSRF, XSS etc. before trusting it as a parameter? Not sure how it would be used but... I have in fact decided to drop the native PHP server variables and replace them with symfony http-foundation, which will handle any validation for me going forward, so I guess it's no longer a problem ¬¬.

panique commented 10 years ago

Ah sorry, I just commented in the wrong project :) ...

panique commented 10 years ago

btw MINI (which was php-mvc before) does exactly this now: https://github.com/panique/mini/blob/master/application/core/application.php

panique commented 9 years ago

MINI 2 (new name of this repo) can do this as we now use Slim at the core :)