I am trying to figure out the best way of sanitizing and to some degree validating POST data that is sent to my app.
I made this function that resides in my Router and is called in the __constructor if($_POST) is present:

    private function validatePost()
    {
        foreach($_POST as $key => $value) {
            // Index names may contain letters only.
            if(preg_match('/[^a-zA-Z]/', $key))
            {
                $this->throwError('POST Error', 'Invalid index name.');
                return;
            }
            // Enforce the configured size limit (-1 disables the check).
            if(strlen($value) > $this->postLimit && $this->postLimit != -1)
            {
                $this->throwError('POST Error', 'Posted value too large.');
                return;
            }
            // Keys ending in "id" must carry a numeric value.
            if(substr($key, -2, 2) == 'id' && !is_numeric($value))
            {
                $this->throwError('POST Error', 'Expected a number, didn\'t get one.');
                return;
            }
            else
            {
                //$value = urlencode($value);
            }
            $_POST[$key] = $value;
        }
    }

It is a little strict on purpose, but that doesn't matter if I stick to the rules I have made throughout my framework.
I have read that limiting the size of $_POST really helps in thwarting some attacks; in this case I put -1 for no/default limit (but it can be set to less if needed in my config file).
I commented out the urlencoding as I am currently unsure of the best way to decode it when it arrives at the intended function. Should I encode it at all, and what would be the best way to decode it? Perhaps in the master Controller that all my classes extend from, or not?
Any other suggestions are welcome.
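
Added example, not part of the original post or the poster's framework: the same three rules written as a standalone function, run over constructed input to show two edge cases the posted checks meet, array-valued fields and values such as `1e3` that `is_numeric()` accepts. The function name `checkPostData`, the returned error list and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not the poster's code).
// Returns a list of error strings; $limit = -1 means "no limit", as in the post.
function checkPostData(array $post, int $limit = -1): array
{
    $errors = [];
    foreach ($post as $key => $value) {
        $key = (string) $key; // PHP converts numeric-looking keys to int
        // Rule 1: index names may contain letters only.
        if (preg_match('/[^a-zA-Z]/', $key) === 1) {
            $errors[] = 'Invalid index name: ' . var_export($key, true);
            continue;
        }
        // A field sent as name[]=x arrives as an array; passing that to
        // strlen() raises a TypeError in PHP 8, so reject it explicitly.
        if (!is_string($value)) {
            $errors[] = "$key: expected a single string value.";
            continue;
        }
        // Rule 2: size limit, skipped when the limit is -1.
        if ($limit !== -1 && strlen($value) > $limit) {
            $errors[] = "$key: posted value too large.";
            continue;
        }
        // Rule 3: keys ending in "id" must be decimal digits only.
        // is_numeric() would also accept "1e3", "1.5" and "-7".
        if (substr($key, -2) === 'id' && !ctype_digit($value)) {
            $errors[] = "$key: expected a number.";
        }
    }
    return $errors;
}

// Constructed sample input standing in for $_POST.
$sample = [
    'userid'  => '1e3',                // passes is_numeric(), fails ctype_digit()
    'postid'  => '42',                 // valid
    'comment' => str_repeat('a', 300), // longer than the limit used below
    'tags'    => ['a', 'b'],           // from tags[]=a&tags[]=b
    'bad-key' => 'x',                  // non-letter character in the index name
];
print_r(checkPostData($sample, 255));
```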