
<?php
// Copyright (c) MetaClass, 2012
 
Gen::includeClass('PntValidationException', 'pnt/secu'); // presumably loads the exception class raised on fatal validation failures — confirm in Gen

/** Http request validator. Logs validation warnings for bad input. Returns only valid input.
 * Unlike ValueValidator, which expects the characters to be encoded in ValueValidator::getInternalCharset,
 * this validator expects characters to be encoded as in the http request. 
 * StringConverter may convert from the request encoding to the internal encoding 
 * 		(but by default it does no conversion of character encoding)
 * In this default implementation:
 * - keys are validated to hold only alphanumeric characters, dashes and underscores
 * - Http header values are validated to hold visible ASCII characters. Some are validated to a
 * specific character whitelist or preg pattern  
 * - PHP_AUTH_USER and PHP_AUTH_PW characters are expected to be valid (like with ISO-8859-1) #
 * - requestData and cookies: all characters are expected to be valid (like with ISO-8859-1) #
 * - other server variables are not validated. They are expected to come from http server settings
 *   or other reliable sources.
 * # To be overridden on subclass HttpValidator to validate/sanitize input using other character set(s)
 * like UTF-8, as this implementation will NOT adapt automatically to a change in StringConverter::getLabelCharset
 * May be overridden to do (more) sanitization.
 * 
 * Unlike the OWASP ESAPI SafeRequest class this class does not do canonicalization and
 * does not explicitly use mbstring functions. Its behavior with multi-byte strings has not been tested
 * and may be different depending on ini settings for mbstring.func_overload and mbstring.encoding_translation
 * 
 * This class does not delegate to ValueValidator because ValueValidator must work with the
 * character set it defines in ::getInternalCharset and return user error messages, 
 * while most of the validations here are specific to ASCII and the error messages are for logging
 * to be evaluated later by the application administrator.
* @package pnt/web
*/
class PntHttpRequest {

	// Whether a failed server-variable validation is fatal rather than only logged. What "fatal"
	// does is decided in the validate* methods, which are outside this excerpt; presumably a
	// value left unset means the constructor parameter applies.
	public $serverVarValidationFatal; //value set overrides constructor parameter
	// Same as above, for get/post/cookie validation.
	public $gpcValidationFatal;  //value set overrides constructor parameter
	// NOTE(review): presumably applied to the preg calls as pcre.backtrack_limit, bounding the work a
	// crafted value can force a pattern to do — confirm where it is set (not visible here).
	public $pcre_backtrack_limit = 100000; //default limit
	
	//language dependent strings, may be overridden on HttpValidator
	// Per the class doc these are logged for the administrator, not shown to end users.
	public $tooShort = 'too short';
	public $tooLong = 'too long';
	public $tooLow = 'too low';
	public $tooHigh = 'too high';
	public $invalid = 'invalid';
	// Prefixes of the log lines; the offending variable name is presumably appended by the logging code.
	public $serverVarValidationFailed = 'Server variable validation failed for';
	public $gpcValidationFailed = 'Gpc validation failed for';
	
	/** result of ::validateServerVars kept as a context for ::validateGpc */
	public $serverVars; 
	// Validated cookie/get/post data, filled by the validate/sanitize methods outside this excerpt;
	// per the class doc ("returns only valid input") presumably only entries that passed validation.
	public $cookies;
	public $get;
	public $post;
	
	/************************************************************************************
	 * preg and char patterns @copyright 2007-2010 The OWASP Foundation as part of the 
	 * OWASP Enterprise Security API (ESAPI) (SafeRequest class)
	 * @author    jah <jah@jahboite.co.uk>
	 * @license   http://www.opensource.org/licenses/bsd-license.php New BSD license
	 * @version   SVN: espi4php-1.0a
	 * @link      http://www.owasp.org/index.php/ESAPI
	 * LICENSE: These patterns are subject to the New BSD license.  You should read
	 * and accept the LICENSE before you use, modify, and/or redistribute this software.
	*/
	//pattern delimiters and D added by MetaClass
	// Whole-value preg patterns keyed by $_SERVER name. The D modifier makes `$` match only at the
	// very end of the subject, so a value with a trailing "\n" cannot slip past the whitelist.
    public $serverPatterns = array(
			'REQUEST_METHOD' => '~^(GET|HEAD|POST|TRACE|OPTIONS|PUT|DELETE)$~D' //PUT|DELETE added by MetaClass for restful web services
	    ,	'AUTH_TYPE' => '~^([dD][iI][gG][eE][sS][tT]|[bB][aA][sS][iI][cC])$~D'
	    ,	'REMOTE_HOST' => '~^((?:(?:[0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])\.)*[a-zA-Z]{2,4}|[0-9a-zA-Z][0-9a-zA-Z\-]{0,61}[0-9a-zA-Z])$~D'
			// NOTE(review): the final label is limited to 2-4 letters, so a host under a longer top-level domain fails this pattern
		);
	//REMOTE_ADDR, SERVER_ADDR
	// Dotted-quad IPv4 only: an IPv6 literal in REMOTE_ADDR or SERVER_ADDR does not match this pattern
	// (and would also exceed the 15-character maxLength below), so IPv6 deployments need an override.
	public $ipV4Pattern = '~^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$~D';
	//generic preg character class pieces, backslashes for escaping added by MetaClass 
	public $httpCookieNamePat = '_';
	public $headerNameCp  = '\\-_'; //actually $_SERVER has no names with -
	// Punctuation part of the header value whitelist (the alphanumerics are presumably added where the
	// class is assembled). CR and LF are not in it, so a value carrying a header line break fails validation.
	public $headerValueCp = '!"#$%&\'()*+,\\-./\\\\;:<=>?@[\\]\\^_`{|}\\~ '; //"\t" added in constructor //basically all visible ASCII characters and tab
	//generic preg character class pieces, backslashes for escaping added by MetaClass 
	public $serverCps = array(
    		'QUERY_STRING' => ' &()*+,\\-./;:=?_%!' 
				//% added by metaclass so that url encoded octets can get through
				//! added by metaclass because js encodeURIComponent does not encode it
				//note: only the raw characters are checked here; what a %XX sequence decodes to is not inspected
//    	,	'HTTP_HOST'     => '\\-._' //strange, there is a specific pattern too, to look up in saferequest
    	,	'REMOTE_USER'  => '!#$%&\'*+\\-.\\^_`|\\~'
    	,	'SCRIPT_NAME' => '!$%&\'()*+\\-,./:=@_\\~' //and REQUEST_URI with '?' added
    	);
    // Character whitelist for PATH_TRANSLATED. '.' and '/' are allowed, so a ".." segment is not
    // rejected by this check; code that opens files from that value still needs its own path check.
    public $filePathCp = ' !#$%&\'()+,-./=@[\\]\\^_`{}\\~\\\\'; //PATH_TRANSLATED
	
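    //modified by MetaClass to require eventual sign to be at the start
	// Optional leading sign followed by one or more ASCII digits (used for CONTENT_LENGTH).
	// The D modifier makes `$` match only at the very end of the subject, consistent with the
	// ~...~D server patterns above; without it "123\n" would pass as a valid integer.
	public $integerPattern = '/^(\\+|\\-)?[0-9]+$/D'; //CONTENT_LENGTH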
	
	// Minimum value lengths keyed by $_SERVER name; variables not listed have no minimum.
	public $minLengths = array(
			'REQUEST_METHOD' => 3
		,	'SCRIPT_NAME' => 1
		);
	// Maximum value lengths keyed by $_SERVER name; variables not listed have no maximum.
	// REMOTE_ADDR/SERVER_ADDR at 15 fits "255.255.255.255" only, matching the IPv4-only $ipV4Pattern.
	public $maxLengths = array(
			'AUTH_TYPE' => 6
		,	'CONTENT_TYPE' => 4096
		,	'PATH_INFO' => 4096
		,	'PATH_TRANSLATED' => 4096
		,	'QUERY_STRING' => 4096
		,	'REMOTE_HOST' => 255
		,	'REMOTE_USER' => 255
		,	'REQUEST_METHOD' => 7
		,	'SERVER_NAME' => 255
		,	'REMOTE_ADDR' => 15
		,	'SERVER_ADDR' => 15
		,	'SERVER_PROTOCOL' => 8
		);
	// Upper bounds for numeric server variables (presumably checked by validateMinMaxValue, outside this excerpt).
	public $maxValues = array(
			'CONTENT_LENGTH' => 2147483647 //PHP_INT_MAX on 32 bits
		,	'SERVER_PORT' => 65535
	);
	
	/***************************************************************************
	* the rest of this file is copyright (c) MetaClass, 2012  */ 
	
	// Punctuation allowed in a session id besides alphanumerics; ',' and '-' are the extra characters of
	// PHP's default session id alphabet. Single quotes keep the backslash, so '\-' reaches preg as an escaped hyphen.
	public $sessionIdCp = ',\-'; //to be overridden if non-standard session ids are used