[ Index ]

PHP Cross Reference of phpBB-3.2.8-deutsch

title

Body

[close]

/phpbb/request/ -> request.php (source)

   1  <?php
   2  /**
   3  *
   4  * This file is part of the phpBB Forum Software package.
   5  *
   6  * @copyright (c) phpBB Limited <https://www.phpbb.com>
   7  * @license GNU General Public License, version 2 (GPL-2.0)
   8  *
   9  * For full copyright and license information, please see
  10  * the docs/CREDITS.txt file.
  11  *
  12  */
  13  
  14  namespace phpbb\request;
  15  
  16  /**
  17  * All application input is accessed through this class.
  18  *
  19  * It provides a method to disable access to input data through super globals.
  20  * This should force MOD authors to read about data validation.
  21  */
  22  class request implements \phpbb\request\request_interface
  23  {
  24      /**
  25      * @var    array    The names of super global variables that this class should protect if super globals are disabled.
  26      */
  27      protected $super_globals = array(
  28          \phpbb\request\request_interface::POST => '_POST',
  29          \phpbb\request\request_interface::GET => '_GET',
  30          \phpbb\request\request_interface::REQUEST => '_REQUEST',
  31          \phpbb\request\request_interface::COOKIE => '_COOKIE',
  32          \phpbb\request\request_interface::SERVER => '_SERVER',
  33          \phpbb\request\request_interface::FILES => '_FILES',
  34      );
  35  
  36      /**
  37      * @var    array    Stores original contents of $_REQUEST array.
  38      */
  39      protected $original_request = null;
  40  
  41      /**
  42      * @var
  43      */
  44      protected $super_globals_disabled = false;
  45  
  46      /**
  47      * @var    array    An associative array that has the value of super global constants as keys and holds their data as values.
  48      */
  49      protected $input;
  50  
  51      /**
  52      * @var    \phpbb\request\type_cast_helper_interface    An instance of a type cast helper providing convenience methods for type conversions.
  53      */
  54      protected $type_cast_helper;
  55  
  56      /**
  57      * Initialises the request class, that means it stores all input data in {@link $input input}
  58      * and then calls {@link \phpbb\request\deactivated_super_global \phpbb\request\deactivated_super_global}
  59      */
  60  	public function __construct(\phpbb\request\type_cast_helper_interface $type_cast_helper = null, $disable_super_globals = true)
  61      {
  62          if ($type_cast_helper)
  63          {
  64              $this->type_cast_helper = $type_cast_helper;
  65          }
  66          else
  67          {
  68              $this->type_cast_helper = new \phpbb\request\type_cast_helper();
  69          }
  70  
  71          foreach ($this->super_globals as $const => $super_global)
  72          {
  73              $this->input[$const] = isset($GLOBALS[$super_global]) ? $GLOBALS[$super_global] : array();
  74          }
  75  
  76          // simulate request_order = GP
  77          $this->original_request = $this->input[\phpbb\request\request_interface::REQUEST];
  78          $this->input[\phpbb\request\request_interface::REQUEST] = $this->input[\phpbb\request\request_interface::POST] + $this->input[\phpbb\request\request_interface::GET];
  79  
  80          if ($disable_super_globals)
  81          {
  82              $this->disable_super_globals();
  83          }
  84      }
  85  
  86      /**
  87      * Getter for $super_globals_disabled
  88      *
  89      * @return    bool    Whether super globals are disabled or not.
  90      */
  91  	public function super_globals_disabled()
  92      {
  93          return $this->super_globals_disabled;
  94      }
  95  
  96      /**
  97      * Disables access of super globals specified in $super_globals.
  98      * This is achieved by overwriting the super globals with instances of {@link \phpbb\request\deactivated_super_global \phpbb\request\deactivated_super_global}
  99      */
 100  	public function disable_super_globals()
 101      {
 102          if (!$this->super_globals_disabled)
 103          {
 104              foreach ($this->super_globals as $const => $super_global)
 105              {
 106                  unset($GLOBALS[$super_global]);
 107                  $GLOBALS[$super_global] = new \phpbb\request\deactivated_super_global($this, $super_global, $const);
 108              }
 109  
 110              $this->super_globals_disabled = true;
 111          }
 112      }
 113  
 114      /**
 115      * Enables access of super globals specified in $super_globals if they were disabled by {@link disable_super_globals disable_super_globals}.
 116      * This is achieved by making the super globals point to the data stored within this class in {@link $input input}.
 117      */
 118  	public function enable_super_globals()
 119      {
 120          if ($this->super_globals_disabled)
 121          {
 122              foreach ($this->super_globals as $const => $super_global)
 123              {
 124                  $GLOBALS[$super_global] = $this->input[$const];
 125              }
 126  
 127              $GLOBALS['_REQUEST'] = $this->original_request;
 128  
 129              $this->super_globals_disabled = false;
 130          }
 131      }
 132  
 133      /**
 134      * This function allows overwriting or setting a value in one of the super global arrays.
 135      *
 136      * Changes which are performed on the super globals directly will not have any effect on the results of
 137      * other methods this class provides. Using this function should be avoided if possible! It will
 138      * consume twice the the amount of memory of the value
 139      *
 140      * @param    string    $var_name    The name of the variable that shall be overwritten
 141      * @param    mixed    $value        The value which the variable shall contain.
 142      *                                 If this is null the variable will be unset.
 143      * @param    \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE    $super_global
 144      *                                 Specifies which super global shall be changed
 145      */
 146  	public function overwrite($var_name, $value, $super_global = \phpbb\request\request_interface::REQUEST)
 147      {
 148          if (!isset($this->super_globals[$super_global]))
 149          {
 150              return;
 151          }
 152  
 153          // setting to null means unsetting
 154          if ($value === null)
 155          {
 156              unset($this->input[$super_global][$var_name]);
 157              if (!$this->super_globals_disabled())
 158              {
 159                  unset($GLOBALS[$this->super_globals[$super_global]][$var_name]);
 160              }
 161          }
 162          else
 163          {
 164              $this->input[$super_global][$var_name] = $value;
 165              if (!$this->super_globals_disabled())
 166              {
 167                  $GLOBALS[$this->super_globals[$super_global]][$var_name] = $value;
 168              }
 169          }
 170      }
 171  
 172      /**
 173      * Central type safe input handling function.
 174      * All variables in GET or POST requests should be retrieved through this function to maximise security.
 175      *
 176      * @param    string|array    $var_name    The form variable's name from which data shall be retrieved.
 177      *                                         If the value is an array this may be an array of indizes which will give
 178      *                                         direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
 179      *                                         then specifying array("var", 1) as the name will return "a".
 180      * @param    mixed            $default    A default value that is returned if the variable was not set.
 181      *                                         This function will always return a value of the same type as the default.
 182      * @param    bool            $multibyte    If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
 183      *                                        Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
 184      * @param    \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE    $super_global
 185      *                                         Specifies which super global should be used
 186      *
 187      * @return    mixed    The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
 188      *                    the same as that of $default. If the variable is not set $default is returned.
 189      */
 190  	public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST)
 191      {
 192          return $this->_variable($var_name, $default, $multibyte, $super_global, true);
 193      }
 194  
 195      /**
 196      * Get a variable, but without trimming strings.
 197      * Same functionality as variable(), except does not run trim() on strings.
 198      * This method should be used when handling passwords.
 199      *
 200      * @param    string|array    $var_name    The form variable's name from which data shall be retrieved.
 201      *                                         If the value is an array this may be an array of indizes which will give
 202      *                                         direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
 203      *                                         then specifying array("var", 1) as the name will return "a".
 204      * @param    mixed            $default    A default value that is returned if the variable was not set.
 205      *                                         This function will always return a value of the same type as the default.
 206      * @param    bool            $multibyte    If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
 207      *                                        Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
 208      * @param    \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE    $super_global
 209      *                                         Specifies which super global should be used
 210      *
 211      * @return    mixed    The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
 212      *                    the same as that of $default. If the variable is not set $default is returned.
 213      */
 214  	public function untrimmed_variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST)
 215      {
 216          return $this->_variable($var_name, $default, $multibyte, $super_global, false);
 217      }
 218  
 219      /**
 220       * {@inheritdoc}
 221       */
 222  	public function raw_variable($var_name, $default, $super_global = \phpbb\request\request_interface::REQUEST)
 223      {
 224          $path = false;
 225  
 226          // deep direct access to multi dimensional arrays
 227          if (is_array($var_name))
 228          {
 229              $path = $var_name;
 230              // make sure at least the variable name is specified
 231              if (empty($path))
 232              {
 233                  return (is_array($default)) ? array() : $default;
 234              }
 235              // the variable name is the first element on the path
 236              $var_name = array_shift($path);
 237          }
 238  
 239          if (!isset($this->input[$super_global][$var_name]))
 240          {
 241              return (is_array($default)) ? array() : $default;
 242          }
 243          $var = $this->input[$super_global][$var_name];
 244  
 245          if ($path)
 246          {
 247              // walk through the array structure and find the element we are looking for
 248              foreach ($path as $key)
 249              {
 250                  if (is_array($var) && isset($var[$key]))
 251                  {
 252                      $var = $var[$key];
 253                  }
 254                  else
 255                  {
 256                      return (is_array($default)) ? array() : $default;
 257                  }
 258              }
 259          }
 260  
 261          return $var;
 262      }
 263  
 264      /**
 265      * Shortcut method to retrieve SERVER variables.
 266      *
 267      * Also fall back to getenv(), some CGI setups may need it (probably not, but
 268      * whatever).
 269      *
 270      * @param    string|array    $var_name        See \phpbb\request\request_interface::variable
 271      * @param    mixed            $Default        See \phpbb\request\request_interface::variable
 272      *
 273      * @return    mixed    The server variable value.
 274      */
 275  	public function server($var_name, $default = '')
 276      {
 277          $multibyte = true;
 278  
 279          if ($this->is_set($var_name, \phpbb\request\request_interface::SERVER))
 280          {
 281              return $this->variable($var_name, $default, $multibyte, \phpbb\request\request_interface::SERVER);
 282          }
 283          else
 284          {
 285              $var = getenv($var_name);
 286              $this->type_cast_helper->recursive_set_var($var, $default, $multibyte);
 287              return $var;
 288          }
 289      }
 290  
 291      /**
 292      * Shortcut method to retrieve the value of client HTTP headers.
 293      *
 294      * @param    string|array    $header_name    The name of the header to retrieve.
 295      * @param    mixed            $default        See \phpbb\request\request_interface::variable
 296      *
 297      * @return    mixed    The header value.
 298      */
 299  	public function header($header_name, $default = '')
 300      {
 301          $var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name));
 302          return $this->server($var_name, $default);
 303      }
 304  
 305      /**
 306      * Shortcut method to retrieve $_FILES variables
 307      *
 308      * @param string $form_name The name of the file input form element
 309      *
 310      * @return array The uploaded file's information or an empty array if the
 311      * variable does not exist in _FILES.
 312      */
 313  	public function file($form_name)
 314      {
 315          return $this->variable($form_name, array('name' => 'none'), true, \phpbb\request\request_interface::FILES);
 316      }
 317  
 318      /**
 319      * Checks whether a certain variable was sent via POST.
 320      * To make sure that a request was sent using POST you should call this function
 321      * on at least one variable.
 322      *
 323      * @param    string    $name    The name of the form variable which should have a
 324      *                            _p suffix to indicate the check in the code that creates the form too.
 325      *
 326      * @return    bool            True if the variable was set in a POST request, false otherwise.
 327      */
 328  	public function is_set_post($name)
 329      {
 330          return $this->is_set($name, \phpbb\request\request_interface::POST);
 331      }
 332  
 333      /**
 334      * Checks whether a certain variable is set in one of the super global
 335      * arrays.
 336      *
 337      * @param    string    $var    Name of the variable
 338      * @param    \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE    $super_global
 339      *                            Specifies the super global which shall be checked
 340      *
 341      * @return    bool            True if the variable was sent as input
 342      */
 343  	public function is_set($var, $super_global = \phpbb\request\request_interface::REQUEST)
 344      {
 345          return isset($this->input[$super_global][$var]);
 346      }
 347  
 348      /**
 349      * Checks whether the current request is an AJAX request (XMLHttpRequest)
 350      *
 351      * @return    bool            True if the current request is an ajax request
 352      */
 353  	public function is_ajax()
 354      {
 355          return $this->header('X-Requested-With') == 'XMLHttpRequest';
 356      }
 357  
 358      /**
 359      * Checks if the current request is happening over HTTPS.
 360      *
 361      * @return    bool            True if the request is secure.
 362      */
 363  	public function is_secure()
 364      {
 365          $https = $this->server('HTTPS');
 366          $https = $this->server('HTTP_X_FORWARDED_PROTO') === 'https' ? 'on' : $https;
 367          return !empty($https) && $https !== 'off';
 368      }
 369  
 370      /**
 371      * Returns all variable names for a given super global
 372      *
 373      * @param    \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE    $super_global
 374      *                    The super global from which names shall be taken
 375      *
 376      * @return    array    All variable names that are set for the super global.
 377      *                    Pay attention when using these, they are unsanitised!
 378      */
 379  	public function variable_names($super_global = \phpbb\request\request_interface::REQUEST)
 380      {
 381          if (!isset($this->input[$super_global]))
 382          {
 383              return array();
 384          }
 385  
 386          return array_keys($this->input[$super_global]);
 387      }
 388  
 389      /**
 390      * Helper function used by variable() and untrimmed_variable().
 391      *
 392      * @param    string|array    $var_name    The form variable's name from which data shall be retrieved.
 393      *                                         If the value is an array this may be an array of indizes which will give
 394      *                                         direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
 395      *                                         then specifying array("var", 1) as the name will return "a".
 396      * @param    mixed            $default    A default value that is returned if the variable was not set.
 397      *                                         This function will always return a value of the same type as the default.
 398      * @param    bool            $multibyte    If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
 399      *                                        Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
 400      * @param    \phpbb\request\request_interface::POST|GET|REQUEST|COOKIE    $super_global
 401      *                                         Specifies which super global should be used
 402      * @param    bool            $trim        Indicates whether trim() should be applied to string values.
 403      *
 404      * @return    mixed    The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
 405      *                    the same as that of $default. If the variable is not set $default is returned.
 406      */
 407  	protected function _variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST, $trim = true)
 408      {
 409          $var = $this->raw_variable($var_name, $default, $super_global);
 410  
 411          // Return prematurely if raw variable is empty array or the same as
 412          // the default. Using strict comparison to ensure that one can't
 413          // prevent proper type checking on any input variable
 414          if ($var === array() || $var === $default)
 415          {
 416              return $var;
 417          }
 418  
 419          $this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim);
 420  
 421          return $var;
 422      }
 423  
 424      /**
 425      * {@inheritdoc}
 426      */
 427  	public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST)
 428      {
 429          return $this->input[$super_global];
 430      }
 431  
 432      /**
 433       * {@inheritdoc}
 434       */
 435  	public function escape($var, $multibyte)
 436      {
 437          if (is_array($var))
 438          {
 439              $result = array();
 440              foreach ($var as $key => $value)
 441              {
 442                  $this->type_cast_helper->set_var($key, $key, gettype($key), $multibyte);
 443                  $result[$key] = $this->escape($value, $multibyte);
 444              }
 445              $var = $result;
 446          }
 447          else
 448          {
 449              $this->type_cast_helper->set_var($var, $var, 'string', $multibyte);
 450          }
 451  
 452          return $var;
 453      }
 454  }


Generated: Tue Apr 7 19:42:26 2020 Cross-referenced by PHPXref 0.7.1