WebRequest

When it comes to security, advice usually boils down to these things:
  • Sanitize all inputs to the system
  • Validate all data before use
  • Properly encode all outputs
There are lots of good books on the topics, and this WebRequest class tries to cover several things regarding input to your system.

Security Considerations

  • Globals are bad.  Without this class, any PHP code can read request data straight from the superglobals and can also modify it, so the rest of the application behaves as though the web browser sent data it never did.  This class pulls the data into an object instead of letting every script reach into the globals.
  • POST data is only processed if the request is really a POST.  A GET request can't make POST data, so anything in $_POST will be ignored on GET requests.
  • Uploaded files are checked to make sure the data is an array, that the required keys exist, there was no error during the upload, the size matches, and (if a web request) make sure the file was really uploaded with is_uploaded_file().
  • All incoming data is either strings or arrays composed of strings/arrays.  Things are not converted into objects or numbers until after PHP hands off execution to your scripts.

Conveniences

Part of making a good class is doing work behind the scenes so that you don't need to worry. Here are things that I've added into the class to make life easier.
  • Automatic unquoting if magic quotes are enabled.
  • Uploaded files have the filename trimmed to remove the path.

Methods

__construct($destroyGlobals = true)

When you create an instance of this class, it will consume the $_GET, $_POST, $_REQUEST, $_FILES and $_COOKIE data and pull them into the object.  By default, it will also replace the data in these globals with empty arrays so that rogue code can't manipulate them.

cookie($name = null, $default = null)

If $name is set, will return the value of the cookie with the matching name.  If there is no cookie, returns $default.  If $name is not set, returns an array of all cookies.

file($name = null)

Returns the information for a given file if $name is set.  If there is no file with that name, this function returns null.  If $name is not set, returns an array of all uploaded files.

get($name = null, $default = null)

If $name is set, will return the value of the GET parameter with the matching name.  If there is no GET parameter, returns $default.  If $name is not set, returns an array of all GET parameters.

isGet()

Returns true if the request is a GET request.  False is returned otherwise.

isPost()

Returns true if the request is a POST request.  False is returned otherwise.

method()

Returns the request method as a string.  This could be GET, POST, HEAD, PUT or DELETE, depending on what is supported by your web server and how the request was made.

post($name = null, $default = null)

If $name is set, will return the value of the POST parameter with the matching name.  If there is no POST parameter, returns $default.  If $name is not set, returns an array of all POST data.

request($name = null, $default = null)

If $name is set, will return the value of the GET parameter, POST data or cookie value (in that order) with the matching name.  If none of those exist, returns $default.  If $name is not set, returns an array of all GET parameters, POST data and cookie values.  If two or more sources have a value with the same name, the first in that order wins.
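To show how the security considerations and the request() precedence above fit together, here is an added illustrative reimplementation.  It is not the PHPTools WebRequest source; the class name WebRequestExample and its property names are assumptions, and only the behaviour documented on this page is reproduced.

```php
<?php
// Added illustration of the documented behaviour; not the PHPTools WebRequest source.
// Class and property names are assumptions; the checks mirror the page's description.
class WebRequestExample
{
    private $get = array(), $post = array(), $cookie = array(), $files = array(), $method;
    public function __construct($destroyGlobals = true)
    {
        $this->method = strtoupper(isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET');
        $this->get = $this->clean($_GET);
        $this->cookie = $this->clean($_COOKIE);
        if ($this->method === 'POST') {               // POST data only exists for a real POST
            $this->post = $this->clean($_POST);
            foreach ($_FILES as $name => $info) {
                if ($this->validFile($info)) {
                    $info['name'] = basename($info['name']);   // drop any client-supplied path
                    $this->files[$name] = $info;
                }
            }
        }
        if ($destroyGlobals) {                         // rogue code can no longer read or forge these
            $_GET = $_POST = $_REQUEST = $_COOKIE = $_FILES = array();
        }
    }
    // Keep only strings and arrays of strings; undo magic quotes where that legacy setting is on.
    private function clean($value)
    {
        if (is_array($value)) {
            $out = array();
            foreach ($value as $k => $v) {
                if (is_string($v) || is_array($v)) $out[$k] = $this->clean($v);
            }
            return $out;
        }
        $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
        return $magic ? stripslashes($value) : $value;
    }
    // Array shape, required keys, upload error, size, and (outside the CLI) is_uploaded_file().
    private function validFile($info)
    {
        return is_array($info)
            && isset($info['name'], $info['tmp_name'], $info['error'], $info['size'])
            && $info['error'] === UPLOAD_ERR_OK
            && is_file($info['tmp_name']) && filesize($info['tmp_name']) === (int) $info['size']
            && (PHP_SAPI === 'cli' || is_uploaded_file($info['tmp_name']));
    }
    public function request($name = null, $default = null)
    {
        $merged = $this->get + $this->post + $this->cookie;   // '+' keeps the left key: GET > POST > cookie
        return $name === null ? $merged : (array_key_exists($name, $merged) ? $merged[$name] : $default);
    }
}
```

The array union operator in request() is what gives the documented GET, then POST, then cookie precedence; array_merge() would instead let the last source win and renumber integer keys.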