php - Securing POST data in Router -


i trying figure out best way of sanitizing , degree validating post data sent app.

i made function resides in router , called in __constructor if($_post) present:

private function validatepost()   {     foreach($_post $key => $value) {       if(preg_match('/[^a-za-z]/', $key))       {         $this->throwerror('post error', 'invalid index name.');         return;       }       if(strlen($value) > $this->postlimit && $this->postlimit != -1)       {         $this->throwerror('post error', 'posted value large.');         return;       }       if(substr($key, -2, 2) == 'id' && !is_numeric($value))       {         $this->throwerror('post error', 'expected number, didn\'t one.');         return;       }       else       {         //$value = urlencode($value);       }       $_post[$key] = $value;     }   }

it little strict on purpose doesn't matter if stick rules have made throughout framework.

i have read limiting size of $_post helps in thwarting attacks, in case put -1 no/default limit (but can set less if needed in config file).

i commented out urlencoding unsure of best way decode when arrives @ intended function. should encode @ , best way decode it? perhaps in master controller classes extend or not?

any other suggestions welcome.

if want limit size of post requests, best option @ level of webserver itself. there tools that. since using apache, mod_security. other webservers have similar options.

when limiting size of post request, 1 of risk amount of memory used execution of page. if data in $_post late.

as validation , sanitation should done either in domain objects, presentation entities or sql ... validate logic of input in domain objects. walidate structure of data in sql constraints. , sanitize output in presentation entities (i don't link call them "presentation models" because adds confusing mvc).

the routing mechanism in mvc (which "front controller aspect of) should take input user , organize in structured request instance. intance used controller's action pass data on model layer.

routing should not validating input.


Comments

Post a Comment

Popular posts from this blog

ios - iPhone/iPad different view orientations in different views , and apple approval process -

i force app's home screen portrait , other views landscape. apple rejects app if this? if not , how force first screen launch in portrait mode? , force other screens launch in landscape. this not duplicate question search every possible answer in website. i force app's home screen portrait , other views landscape. apple rejects app if this? no apple not reject app this. have lot of apps doesn't support orientation. forcing on 1 screen won't cause app reject. if not , how force first screen launch in portrait mode? , force other screens launch in landscape. can on write : -(nsuinteger)supportedinterfaceorientations; function.
Read more

java Extracting Zip file -

i'm looking way extract zip file. far have tried java.util.zip , org.apache.commons.compress, both gave corrupted output. basically, input zip file contain 1 single .doc file. java.util.zip: output corrupted. org.apache.commons.compress: output blank file, 2 mb size. so far commercial software winrar work perfectly. there java library make use of this? this method using java.util library: public void extractzipnative(file filezip) { zipinputstream zis; stringbuilder sb; try { zis = new zipinputstream(new fileinputstream(filezip)); zipentry ze = zis.getnextentry(); byte[] buffer = new byte[(int) ze.getsize()]; fileoutputstream fos = new fileoutputstream(this.tempfolderpath+ze.getname()); int len; while ((len=zis.read(buffer))>0) { fos.write(buffer); } fos.flush(); fos.close(); } catch (filenotfoundexception e) { // todo auto-generated catch block ...
Read more

C# WinForm - loading screen -

i ask how make loading screen (just picture or something) appears while program being loaded, , disappears when program has finished loading. in fancier versions, have seen process bar (%) displayed. how can have that, , how calculate % show on it? i know there form_load() event, not see form_loaded() event, or % property / attribute anywhere. all need create 1 form splash screen , show before main start showing landing page , close splash once landing page loaded. class splashform { //delegate cross thread call close private delegate void closedelegate(); //the type of form displayed splash screen. private static splashform splashform; static public void showsplashscreen() { // make sure launched once. if (splashform != null) return; thread thread = new thread(new threadstart(splashform.showform)); thread.isbackground = true; thread.setapartmentstate(apartmentstate.sta); thread....
Read more