I'm currently working on an MVC-style framework for a company, and for security reasons I need to make sure that the controller / method that's passed via the query string contains only characters that are valid according to the RFC (which I can't find).
I need to be able to validate / sanitize class names according to what's allowed by the PHP interpreter.
For example:
    class SomEFunk__YClAssName extends Controller
    {
    }
I need some kind of regex that will validate SomEFunk__YClAssName and sanitize it if need be! The same principles apply to methods.
There are a few things to take into consideration, such as
Any information on this or possible expressions would be really helpful.
Here is some of my router code so you can see where I need to implement it:
    private function prepareQueryString()
    {
        if (strlen($this->query_string) == 0) {
            return;
        }
        // Remove [ending|starting|multiple] slashes
        $this->query_string = preg_replace('/^\/+|\/+$|\/(?=\/)/', '', $this->query_string);
        // Segment 0 is the controller, segment 1 the method, the rest are parameters
        // (elseif, so that the controller segment is not also pushed as a parameter)
        foreach (explode('/', $this->query_string) as $Key => $Value) {
            if ($Key == 0) {
                $Controller = $this->AssignController($Value);
            } elseif ($Key == 1) {
                $this->AssignMethod($Value);
            } else {
                $this->AssignParam($Value);
            }
        }
        // Build RouterVar stdClass
    }
    public function AssignController(string $Controller)
    {
        if (!empty($Controller)) {
            // Sanitize
        }
    }
    public function AssignMethod(string $Method)
    {
        if (!empty($Method)) {
            // Sanitize
        }
    }
    public function AssignParam(string $Param)
    {
        $this->params[] = $Param;
    }
You will see the comment "Sanitize" where the check is needed.
I believe the regex you're looking for, for a short class name (e.g. SomeClass), is:
    <?php
    // $input is the untrusted name taken from the query string
    $isValid = (bool) preg_match(
        '/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/',
        $input
    );
According to: http://php.net/manual/en/language.oop5.basic.php
For a namespaced class, e.g. App\SomeClass, it is:
    <?php
    // Same identifier rule for every segment; '\\\\' in a single-quoted PHP
    // string reaches PCRE as '\\', i.e. one literal backslash separator
    $isValid = (bool) preg_match(
        '/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*(\\\\[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*)*$/',
        $input
    );
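As an added example (not code from the question or the answer above), here is how the short-name regex can be combined with runtime checks in the router, so that a query-string segment is only dispatched when it is both a valid identifier and names a routable controller and public method. It assumes a base class named Controller, as in the question; HomeController and its methods are constructed for the demonstration.

```php
<?php
// Added example, not from the original post or answer: validate the controller
// and method segments from the query string and then check that they resolve to
// something routable. Assumes a base class named Controller, as in the question.

// Identifier syntax from the PHP manual (no 'u' modifier: matched byte-wise).
const IDENT_RE = '/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/';
abstract class Controller {}

class HomeController extends Controller
{
    public function index(): string { return 'home/index'; }
    private function secret(): string { return 'not routable'; }
}

// Returns the class name if the segment is a valid identifier AND names an
// already-loaded subclass of Controller; otherwise null. Rejecting is safer
// than sanitizing: a rewritten name could silently map to a different class.
function resolveController(string $segment): ?string
{
    if (!preg_match(IDENT_RE, $segment)) {
        return null;                      // e.g. "../Admin" or "App\\Admin"
    }
    if (!class_exists($segment, false)) { // false: do not trigger autoloading
        return null;
    }
    return is_subclass_of($segment, Controller::class) ? $segment : null;
}

// Returns the method name only if it is a valid identifier, not a magic
// method (__construct, __destruct, ...), and a public non-static method.
function resolveMethod(string $class, string $segment): ?string
{
    if (!preg_match(IDENT_RE, $segment) || strncmp($segment, '__', 2) === 0) {
        return null;
    }
    if (!method_exists($class, $segment)) {
        return null;
    }
    $m = new ReflectionMethod($class, $segment);
    return ($m->isPublic() && !$m->isStatic()) ? $segment : null;
}

foreach (['HomeController', '../HomeController', 'App\\HomeController'] as $c) {
    var_dump(resolveController($c));
}
foreach (['index', 'secret', '__construct', 'index()'] as $m) {
    var_dump(resolveMethod('HomeController', $m));
}
```

Only the first controller name and the first method name resolve; the others are rejected either by the regex or by the reflection checks, and nothing is rewritten.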