forked from flourishlib/flourish-classes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfRequest.php
978 lines (840 loc) · 32.8 KB
/
fRequest.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
<?php
/**
* Provides request-related methods
*
* This class is implemented to use the UTF-8 character encoding. Please see
* http://flourishlib.com/docs/UTF-8 for more information.
*
* Please also note that using this class in a PUT or DELETE request will
* cause the php://input stream to be consumed, and thus no longer available.
*
* @copyright Copyright (c) 2007-2011 Will Bond, others
* @author Will Bond [wb] <will@flourishlib.com>
* @author Will Bond, iMarc LLC [wb-imarc] <will@imarc.net>
* @author Alex Leeds [al] <alex@kingleeds.com>
* @author Matthew J. Sahagian [mjs] <msahagian@dotink.org>
* @author Jeff Turcotte [jt] <jeff.turcotte@gmail.com>
* @license http://flourishlib.com/license
*
* @package Flourish
* @link http://flourishlib.com/fRequest
*
* @version 1.0.0b22
* @changes 1.0.0b22 Added non-array support to ::filter() [jt, 2013-09-25]
* @changes 1.0.0b21 Fixed problem where Accept headers are spaced out and mime-types won't match (mainly from IE) [mjs, 2012-12-10]
* @changes 1.0.0b20 Added ::isHead(), fixed ability to call ::set() on `HEAD` requests [wb-imarc, 2011-11-23]
* @changes 1.0.0b19 Added the `$use_default_for_blank` parameter to ::get() [wb, 2011-06-03]
* @changes 1.0.0b18 Backwards Compatibility Break - ::getBestAcceptType() and ::getBestAcceptLanguage() now return either `NULL`, `FALSE` or a string instead of `NULL` or a string, both methods are more robust in handling edge cases [wb, 2011-02-06]
* @changes 1.0.0b17 Fixed support for 3+ dimensional input arrays, added a fixed for the PHP DoS float bug #53632, added support for type-casted arrays in ::get() [wb, 2011-01-09]
* @changes 1.0.0b16 Backwards Compatibility Break - changed ::get() to remove binary characters when casting to a `string`, changed `int` and `integer` to cast to a real integer when possible, added new types of `binary` and `integer!` [wb, 2010-11-30]
* @changes 1.0.0b15 Added documentation about `[sub-key]` syntax, added `[sub-key]` support to ::check() [wb, 2010-09-12]
* @changes 1.0.0b14 Rewrote ::set() to not require recursion for array syntax [wb, 2010-09-12]
* @changes 1.0.0b13 Fixed ::set() to work with `PUT` requests [wb, 2010-06-30]
* @changes 1.0.0b12 Fixed a bug with ::getBestAcceptLanguage() returning the second-best language [wb, 2010-05-27]
* @changes 1.0.0b11 Added ::isAjax() [al, 2010-03-15]
* @changes 1.0.0b10 Fixed ::get() to not truncate integers to the 32bit integer limit [wb, 2010-03-05]
* @changes 1.0.0b9 Updated class to use new fSession API [wb, 2009-10-23]
* @changes 1.0.0b8 Casting to an integer or string in ::get() now properly casts when the `$key` isn't present in the request, added support for date, time, timestamp and `?` casts [wb, 2009-08-25]
* @changes 1.0.0b7 Fixed a bug with ::filter() not properly creating new `$_FILES` entries [wb, 2009-07-02]
* @changes 1.0.0b6 ::filter() now works with empty prefixes and filtering the `$_FILES` superglobal has been fixed [wb, 2009-07-02]
* @changes 1.0.0b5 Changed ::filter() so that it can be called multiple times for multi-level filtering [wb, 2009-06-02]
* @changes 1.0.0b4 Added the HTML escaping functions ::encode() and ::prepare() [wb, 2009-05-27]
* @changes 1.0.0b3 Updated class to use new fSession API [wb, 2009-05-08]
* @changes 1.0.0b2 Added ::generateCSRFToken() from fCRUD::generateRequestToken() and ::validateCSRFToken() from fCRUD::validateRequestToken() [wb, 2009-05-08]
* @changes 1.0.0b The initial implementation [wb, 2007-06-14]
*/
class fRequest
{
// The following constants allow for nice looking callbacks to static methods
const check = 'fRequest::check';
const encode = 'fRequest::encode';
const filter = 'fRequest::filter';
const generateCSRFToken = 'fRequest::generateCSRFToken';
const get = 'fRequest::get';
const getAcceptLanguages = 'fRequest::getAcceptLanguages';
const getAcceptTypes = 'fRequest::getAcceptTypes';
const getBestAcceptLanguage = 'fRequest::getBestAcceptLanguage';
const getBestAcceptType = 'fRequest::getBestAcceptType';
const getValid = 'fRequest::getValid';
const isAjax = 'fRequest::isAjax';
const isDelete = 'fRequest::isDelete';
const isGet = 'fRequest::isGet';
const isHead = 'fRequest::isHead';
const isPost = 'fRequest::isPost';
const isPut = 'fRequest::isPut';
const overrideAction = 'fRequest::overrideAction';
const prepare = 'fRequest::prepare';
const reset = 'fRequest::reset';
const set = 'fRequest::set';
const unfilter = 'fRequest::unfilter';
const validateCSRFToken = 'fRequest::validateCSRFToken';
/**
* A backup copy of `$_FILES` for ::unfilter()
*
* @var array
*/
static private $backup_files = array();
/**
* A backup copy of `$_GET` for ::unfilter()
*
* @var array
*/
static private $backup_get = array();
/**
* A backup copy of `$_POST` for unfilter()
*
* @var array
*/
static private $backup_post = array();
/**
* A backup copy of the local `PUT`/`DELETE` post data for ::unfilter()
*
* @var array
*/
static private $backup_put_delete = array();
/**
* The key/value pairs from the post data of a `PUT`/`DELETE` request
*
* @var array
*/
static private $put_delete = NULL;
/**
* Recursively handles casting values
*
* @param string|array $value The value to be casted
* @param string $cast_to The data type to cast to
* @param integer $level The nesting level of the call
* @return mixed The casted `$value`
*/
static private function cast($value, $cast_to, $level=0)
{
$level++;
$strict_array = substr($cast_to, -2) == '[]';
$array_type = $cast_to == 'array' || $strict_array;
if ($level == 1 && $array_type) {
if (is_string($value) && strpos($value, ',') !== FALSE) {
$value = explode(',', $value);
} elseif ($value === NULL || $value === '') {
$value = array();
} else {
settype($value, 'array');
}
}
// Iterate through array values and cast them individually
if (is_array($value) && ($cast_to == 'array' || $cast_to === NULL || ($strict_array && $level == 1))) {
if ($value === array()) {
return $value;
}
foreach ($value as $key => $sub_value) {
$value[$key] = self::cast($sub_value, $cast_to, $level);
}
return $value;
}
if ($array_type) {
$cast_to = preg_replace('#\[\]$#D', '', $cast_to);
}
if ($cast_to == 'array' && $level > 1) {
$cast_to = 'string';
}
if (get_magic_quotes_gpc() && (self::isPost() || self::isGet())) {
$value = self::stripSlashes($value);
}
// This normalizes an empty element to NULL
if ($cast_to === NULL && $value === '') {
$value = NULL;
} elseif ($cast_to == 'date') {
try {
$value = new fDate($value);
} catch (fValidationException $e) {
$value = new fDate();
}
} elseif ($cast_to == 'time') {
try {
$value = new fTime($value);
} catch (fValidationException $e) {
$value = new fTime();
}
} elseif ($cast_to == 'timestamp') {
try {
$value = new fTimestamp($value);
} catch (fValidationException $e) {
$value = new fTimestamp();
}
} elseif ($cast_to == 'bool' || $cast_to == 'boolean') {
if (strtolower($value) == 'f' || strtolower($value) == 'false' || strtolower($value) == 'no' || !$value) {
$value = FALSE;
} else {
$value = TRUE;
}
} elseif (($cast_to == 'int' || $cast_to == 'integer') && is_string($value) && preg_match('#^-?\d+$#D', $value)) {
// Only explicitly cast integers than can be represented by a real
// PHP integer to prevent truncation due to 32 bit integer limits
if (strval(intval($value)) == $value) {
$value = (int) $value;
}
// This patches PHP bug #53632 for vulnerable versions of PHP - http://bugs.php.net/bug.php?id=53632
} elseif ($cast_to == 'float' && $value === "2.2250738585072011e-308") {
static $vulnerable_to_53632 = NULL;
if ($vulnerable_to_53632 === NULL) {
$running_version = preg_replace(
'#^(\d+\.\d+\.\d+).*$#D',
'\1',
PHP_VERSION
);
$vulnerable_to_53632 = version_compare($running_version, '5.2.17', '<') || (version_compare($running_version, '5.3.5', '<') && version_compare($running_version, '5.3.0', '>='));
}
if ($vulnerable_to_53632) {
$value = "2.2250738585072012e-308";
}
settype($value, 'float');
} elseif ($cast_to != 'binary' && $cast_to !== NULL) {
$cast_to = str_replace('integer!', 'integer', $cast_to);
settype($value, $cast_to);
}
// Clean values coming in to ensure we don't have invalid UTF-8
if (($cast_to === NULL || $cast_to == 'string' || $cast_to == 'array') && $value !== NULL) {
$value = self::stripLowOrderBytes($value);
$value = fUTF8::clean($value);
}
return $value;
}
/**
* Indicated if the parameter specified is set in the `$_GET` or `$_POST` superglobals or in the post data of a `PUT` or `DELETE` request
*
* @param string $key The key to check - array elements can be checked via `[sub-key]` syntax
* @return boolean If the parameter is set
*/
static public function check($key)
{
self::initPutDelete();
$array_dereference = NULL;
if (strpos($key, '[')) {
$bracket_pos = strpos($key, '[');
$array_dereference = substr($key, $bracket_pos);
$key = substr($key, 0, $bracket_pos);
}
if (!isset($_GET[$key]) && !isset($_POST[$key]) && !isset(self::$put_delete[$key])) {
return FALSE;
}
$values = array($_GET, $_POST, self::$put_delete);
if ($array_dereference) {
preg_match_all('#(?<=\[)[^\[\]]+(?=\])#', $array_dereference, $array_keys, PREG_SET_ORDER);
$array_keys = array_map('current', $array_keys);
array_unshift($array_keys, $key);
foreach (array_slice($array_keys, 0, -1) as $array_key) {
foreach ($values as &$value) {
if (!is_array($value) || !isset($value[$array_key])) {
$value = NULL;
} else {
$value = $value[$array_key];
}
}
}
$key = end($array_keys);
}
return isset($values[0][$key]) || isset($values[1][$key]) || isset($values[2][$key]);
}
/**
* Gets a value from ::get() and passes it through fHTML::encode()
*
* @param string $key The key to get the value of - array elements can be accessed via `[sub-key]` syntax
* @param string $cast_to Cast the value to this data type
* @param mixed $default_value If the parameter is not set in the `DELETE`/`PUT` post data, `$_POST` or `$_GET`, use this value instead
* @return string The encoded value
*/
static public function encode($key, $cast_to=NULL, $default_value=NULL)
{
return fHTML::encode(self::get($key, $cast_to, $default_value));
}
/**
* Parses through `$_FILES`, `$_GET`, `$_POST` and the `PUT`/`DELETE` post data and filters out everything that doesn't match the prefix and key, also removes the prefix from the field name
*
* @internal
*
* @param string $prefix The prefix to filter by
* @param mixed $key If the field is an array, get the value corresponding to this key
* @return void
*/
static public function filter($prefix, $key=NULL)
{
self::initPutDelete();
$regex = '#^' . preg_quote($prefix, '#') . '#';
$current_backup = sizeof(self::$backup_files);
self::$backup_files[] = $_FILES;
$_FILES = array();
foreach (self::$backup_files[$current_backup] as $field => $value) {
$matches_prefix = !$prefix || ($prefix && strpos($field, $prefix) === 0);
if ($matches_prefix && is_array($value) && isset($value['name'][$key])) {
$new_field = preg_replace($regex, '', $field);
$_FILES[$new_field] = array();
$_FILES[$new_field]['name'] = $value['name'][$key];
$_FILES[$new_field]['type'] = $value['type'][$key];
$_FILES[$new_field]['tmp_name'] = $value['tmp_name'][$key];
$_FILES[$new_field]['error'] = $value['error'][$key];
$_FILES[$new_field]['size'] = $value['size'][$key];
}
}
$globals = array(
'get' => array('array' => &$_GET, 'backup' => &self::$backup_get),
'post' => array('array' => &$_POST, 'backup' => &self::$backup_post),
'put/delete' => array('array' => &self::$put_delete, 'backup' => &self::$backup_put_delete)
);
foreach ($globals as $refs) {
$current_backup = sizeof($refs['backup']);
$refs['backup'][] = $refs['array'];
$refs['array'] = array();
foreach ($refs['backup'][$current_backup] as $field => $value) {
$matches_prefix = !$prefix || ($prefix && strpos($field, $prefix) === 0);
if ($matches_prefix && is_array($value) && !is_null($key) && isset($value[$key])) {
$new_field = preg_replace($regex, '', $field);
$refs['array'][$new_field] = $value[$key];
} else if ($matches_prefix && is_null($key)) {
$new_field = preg_replace($regex, '', $field);
$refs['array'][$new_field] = $value;
}
}
}
}
/**
* Returns a request token that should be placed in each HTML form to prevent [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery]
*
* This method will return a random 15 character string that should be
* placed in a hidden `input` element on every HTML form. When the form
* contents are being processed, the token should be retrieved and passed
* into ::validateCSRFToken().
*
* The value returned by this method is stored in the session and then
* checked by the validate method, which helps prevent cross site request
* forgeries and (naive) automated form submissions.
*
* Tokens generated by this method are single use, so a user must request
* the page that generates the token at least once per submission.
*
* @param string $url The URL to generate a token for, default to the current page
* @return string The token to be submitted with the form
*/
static public function generateCSRFToken($url=NULL)
{
if ($url === NULL) {
$url = fURL::get();
}
$token = fCryptography::randomString(16);
fSession::add(__CLASS__ . '::' . $url . '::csrf_tokens', $token);
return $token;
}
/**
* Gets a value from the `DELETE`/`PUT` post data, `$_POST` or `$_GET` superglobals (in that order)
*
* A value that exactly equals `''` and is not cast to a specific type will
* become `NULL`.
*
* Valid `$cast_to` types include:
* - `'string'`
* - `'binary'`
* - `'int'`
* - `'integer'`
* - `'bool'`
* - `'boolean'`
* - `'array'`
* - `'date'`
* - `'time'`
* - `'timestamp'`
*
* It is possible to append a `?` to a data type to return `NULL`
* whenever the `$key` was not specified in the request, or if the value
* was a blank string.
*
* The `array` and unspecified `$cast_to` types allow for multi-dimensional
* arrays of string data. It is possible to cast an input value as a
* single-dimensional array of a specific type by appending `[]` to the
* `$cast_to`.
*
* All `string`, `array` or unspecified `$cast_to` will result in the value(s)
* being interpreted as UTF-8 string and appropriately cleaned of invalid
* byte sequences. Also, all low-byte, non-printable characters will be
* stripped from the value. This includes all bytes less than the value of
* 32 (Space) other than Tab (`\t`), Newline (`\n`) and Cariage Return
* (`\r`).
*
* To preserve low-byte, non-printable characters, or get the raw value
* without cleaning invalid UTF-8 byte sequences, plase use the value of
* `binary` for the `$cast_to` parameter.
*
* Any integers that are beyond the range of 32bit storage will be returned
* as a string. The returned value can be forced to always be a real
* integer, which may cause truncation of the value, by passing `integer!`
* as the `$cast_to`.
*
* @param string $key The key to get the value of - array elements can be accessed via `[sub-key]` syntax
* @param string $cast_to Cast the value to this data type - see method description for details
* @param mixed $default_value If the parameter is not set in the `DELETE`/`PUT` post data, `$_POST` or `$_GET`, use this value instead. This value will get cast if a `$cast_to` is specified.
* @param boolean $use_default_for_blank If the request value is a blank string and `$default_value` is specified, this flag will cause the `$default_value` to be returned
* @return mixed The value
*/
static public function get($key, $cast_to=NULL, $default_value=NULL, $use_default_for_blank=FALSE)
{
self::initPutDelete();
$value = $default_value;
$array_dereference = NULL;
if (strpos($key, '[')) {
$bracket_pos = strpos($key, '[');
$array_dereference = substr($key, $bracket_pos);
$key = substr($key, 0, $bracket_pos);
}
if (isset(self::$put_delete[$key])) {
$value = self::$put_delete[$key];
} elseif (isset($_POST[$key])) {
$value = $_POST[$key];
} elseif (isset($_GET[$key])) {
$value = $_GET[$key];
}
if ($value === '' && $use_default_for_blank && $default_value !== NULL) {
$value = $default_value;
}
if ($array_dereference) {
preg_match_all('#(?<=\[)[^\[\]]+(?=\])#', $array_dereference, $array_keys, PREG_SET_ORDER);
$array_keys = array_map('current', $array_keys);
foreach ($array_keys as $array_key) {
if (!is_array($value) || !isset($value[$array_key])) {
$value = $default_value;
break;
}
$value = $value[$array_key];
}
}
// This allows for data_type? casts to allow NULL through
if ($cast_to !== NULL && substr($cast_to, -1) == '?') {
if ($value === NULL || $value === '') {
return NULL;
}
$cast_to = substr($cast_to, 0, -1);
}
return self::cast($value, $cast_to);
}
/**
* Returns the HTTP `Accept-Language`s sorted by their `q` values (from high to low)
*
* @return array An associative array of `{language} => {q value}` sorted (in a stable-fashion) from highest to lowest `q` - if no header was sent, an empty array will be returned
*/
static public function getAcceptLanguages()
{
return self::processAcceptHeader('HTTP_ACCEPT_LANGUAGE');
}
/**
* Returns the HTTP `Accept` types sorted by their `q` values (from high to low)
*
* @return array An associative array of `{type} => {q value}` sorted (in a stable-fashion) from highest to lowest `q` - if no header was sent, an empty array will be returned
*/
static public function getAcceptTypes()
{
return self::processAcceptHeader('HTTP_ACCEPT');
}
/**
* Returns the best HTTP `Accept-Language` (based on `q` value) - can be filtered to only allow certain languages
*
* Special conditions affecting the return value:
* - If no `$filter` is provided and the client does not send the `Accept-Language` header, `NULL` will be returned
* - If no `$filter` is provided and the client specifies `*` with the highest `q`, `NULL` will be returned
* - If `$filter` contains one or more values, but the `Accept-Language` header does not match any, `FALSE` will be returned
* - If `$filter` contains one or more values, but the client does not send the `Accept-Language` header, the first entry from `$filter` will be returned
* - If `$filter` contains two or more values, and two of the values have the same `q` value, the one listed first in `$filter` will be returned
*
* @param array $filter An array of languages that are valid to return - these should be in the form `{language}-{territory}`, e.g. `en-us`
* @param string |$language A language that is valid to return
* @param string |...
* @return string|NULL|FALSE The best language listed in the `Accept-Language` header - see method description for edge cases
*/
static public function getBestAcceptLanguage($filter=array())
{
if (!is_array($filter)) {
$filter = func_get_args();
}
return self::pickBestAcceptItem('HTTP_ACCEPT_LANGUAGE', $filter);
}
/**
* Returns the best HTTP `Accept` type (based on `q` value) - can be filtered to only allow certain types
*
* Special conditions affecting the return value:
* - If no `$filter` is provided and the client does not send the `Accept` header, `NULL` will be returned
* - If no `$filter` is provided and the client specifies `{@*}*` with the highest `q`, `NULL` will be returned
* - If `$filter` contains one or more values, but the `Accept` header does not match any, `FALSE` will be returned
* - If `$filter` contains one or more values, but the client does not send the `Accept` header, the first entry from `$filter` will be returned
* - If `$filter` contains two or more values, and two of the values have the same `q` value, the one listed first in `$filter` will be returned
*
* @param array $filter An array of types that are valid to return
* @param string |$type A type that is valid to return
* @param string |...
* @return string|NULL|FALSE The best type listed in the `Accept` header - see method description for edge cases
*/
static public function getBestAcceptType($filter=array())
{
if (!is_array($filter)) {
$filter = func_get_args();
}
return self::pickBestAcceptItem('HTTP_ACCEPT', $filter);
}
/**
* Gets a value from the `DELETE`/`PUT` post data, `$_POST` or `$_GET` superglobals (in that order), restricting to a specific set of values
*
* @param string $key The key to get the value of - array elements can be accessed via `[sub-key]` syntax
* @param array $valid_values The array of values that are permissible, if one is not selected, picks first
* @return mixed The value
*/
static public function getValid($key, $valid_values)
{
settype($valid_values, 'array');
$valid_values = array_merge(array_unique($valid_values));
$value = self::get($key);
if (!in_array($value, $valid_values)) {
return $valid_values[0];
}
return $value;
}
/**
* Parses post data for `PUT` and `DELETE` HTTP methods
*
* @return void
*/
static private function initPutDelete()
{
if (is_array(self::$put_delete)) {
return;
}
if (self::isPut() || self::isDelete()) {
parse_str(file_get_contents('php://input'), self::$put_delete);
} else {
self::$put_delete = array();
}
}
/**
* Indicates if the URL was accessed via an XMLHttpRequest
*
* @return boolean If the URL was accessed via an XMLHttpRequest
*/
static public function isAjax()
{
return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
}
/**
* Indicates if the URL was accessed via the `DELETE` HTTP method
*
* @return boolean If the URL was accessed via the `DELETE` HTTP method
*/
static public function isDelete()
{
return strtolower($_SERVER['REQUEST_METHOD']) == 'delete';
}
/**
* Indicates if the URL was accessed via the `GET` HTTP method
*
* @return boolean If the URL was accessed via the `GET` HTTP method
*/
static public function isGet()
{
return strtolower($_SERVER['REQUEST_METHOD']) == 'get';
}
/**
* Indicates if the URL was accessed via the `HEAD` HTTP method
*
* @return boolean If the URL was accessed via the `HEAD` HTTP method
*/
static public function isHead()
{
return strtolower($_SERVER['REQUEST_METHOD']) == 'head';
}
/**
* Indicates if the URL was accessed via the `POST` HTTP method
*
* @return boolean If the URL was accessed via the `POST` HTTP method
*/
static public function isPost()
{
return strtolower($_SERVER['REQUEST_METHOD']) == 'post';
}
/**
* Indicates if the URL was accessed via the `PUT` HTTP method
*
* @return boolean If the URL was accessed via the `PUT` HTTP method
*/
static public function isPut()
{
return strtolower($_SERVER['REQUEST_METHOD']) == 'put';
}
/**
* Overrides the value of `'action'` in the `DELETE`/`PUT` post data, `$_POST` or `$_GET` superglobals based on the `'action::{action_name}'` value
*
* This method is primarily intended to be used for hanlding multiple
* submit buttons.
*
* @param string $redirect The url to redirect to if the action is overriden. `%action%` will be replaced with the overridden action.
* @return void
*/
static public function overrideAction($redirect=NULL)
{
self::initPutDelete();
$found = FALSE;
$globals = array(&$_GET, &$_POST, &self::$put_delete);
foreach ($globals as &$global) {
foreach ($global as $key => $value) {
if (substr($key, 0, 8) == 'action::') {
$found = (boolean) $global['action'] = substr($key, 8);
unset($global[$key]);
}
}
}
if ($redirect && $found) {
fURL::redirect(str_replace('%action%', $found, $redirect));
}
}
/**
* Returns the best HTTP `Accept-*` header item match (based on `q` value), optionally filtered by an array of options
*
* @param string $header_name The key in `$_SERVER` that contains the `Accept-*` header to pick the best item from
* @param array $options A list of supported options to pick the best from
* @return string The best accept item, `FALSE` if an options array is specified and none are valid, `NULL` if anything is accepted
*/
static private function pickBestAcceptItem($header_name, $options)
{
settype($options, 'array');
if (!isset($_SERVER[$header_name]) || !strlen($_SERVER[$header_name])) {
if (empty($options)) {
return NULL;
}
return reset($options);
}
$items = self::processAcceptHeader($header_name);
reset($items);
if (!$options) {
$result = key($items);
if ($result == '*/*' || $result == '*') {
$result = NULL;
}
return $result;
}
$top_q = 0;
$top_item = FALSE;
foreach ($options as $option) {
foreach ($items as $item => $q) {
if ($q < $top_q) {
continue;
}
// Type matches have /s
if (strpos($item, '/') !== FALSE) {
$regex = '#^' . str_replace('*', '.*', $item) . '$#iD';
// Language matches that don't have a - are a wildcard
} elseif (strpos($item, '-') === FALSE) {
$regex = '#^' . str_replace('*', '.*', $item) . '(-.*)?$#iD';
// Non-wildcard languages are straight-up matches
} else {
$regex = '#^' . str_replace('*', '.*', $item) . '$#iD';
}
if (preg_match($regex, $option) && $top_q < $q) {
$top_q = $q;
$top_item = $option;
continue;
}
}
}
return $top_item;
}
/**
* Gets a value from ::get() and passes it through fHTML::prepare()
*
* @param string $key The key to get the value of - array elements can be accessed via `[sub-key]` syntax
* @param string $cast_to Cast the value to this data type
* @param mixed $default_value If the parameter is not set in the `DELETE`/`PUT` post data, `$_POST` or `$_GET`, use this value instead
* @return string The prepared value
*/
static public function prepare($key, $cast_to=NULL, $default_value=NULL)
{
return fHTML::prepare(self::get($key, $cast_to, $default_value));
}
/**
* Returns an array of values from one of the HTTP `Accept-*` headers
*
* @param string $header_name The key in `$_SERVER` to get the header value from
* @return array An associative array of `{value} => {quality}` sorted (in a stable-fashion) from highest to lowest `q` - an empty array is returned if the header is empty
*/
static private function processAcceptHeader($header_name)
{
if (!isset($_SERVER[$header_name]) || !strlen($_SERVER[$header_name])) {
return array();
}
$types = explode(',', $_SERVER[$header_name]);
$output = array();
// We use this suffix to force stable sorting with the built-in sort function
$suffix = sizeof($types);
foreach ($types as $type) {
$parts = explode(';', $type);
if (!empty($parts[1]) && preg_match('#^q=(\d(?:\.\d)?)#', $parts[1], $match)) {
$q = number_format((float)$match[1], 5);
} else {
$q = number_format(1.0, 5);
}
$q .= $suffix--;
$output[trim($parts[0])] = $q;
}
arsort($output, SORT_NUMERIC);
foreach ($output as $type => $q) {
$output[$type] = (float) substr($q, 0, -1);
}
return $output;
}
/**
* Resets the configuration and data of the class
*
* @internal
*
* @return void
*/
static public function reset()
{
fSession::clear(__CLASS__ . '::');
self::$backup_files = NULL;
self::$backup_get = NULL;
self::$backup_post = NULL;
self::$backup_put_delete = NULL;
self::$put_delete = NULL;
}
/**
* Sets a value into the appropriate `$_GET` or `$_POST` superglobal, or the local `PUT`/`DELETE` post data based on what HTTP method was used for the request
*
* @param string $key The key to set the value to - array elements can be modified via `[sub-key]` syntax
* @param mixed $value The value to set
* @return void
*/
static public function set($key, $value)
{
if (self::isPost()) {
$tip =& $_POST;
} elseif (self::isGet() || self::isHead()) {
$tip =& $_GET;
} elseif (self::isDelete() || self::isPut()) {
self::initPutDelete();
$tip =& self::$put_delete;
}
if ($bracket_pos = strpos($key, '[')) {
$array_dereference = substr($key, $bracket_pos);
$key = substr($key, 0, $bracket_pos);
preg_match_all('#(?<=\[)[^\[\]]+(?=\])#', $array_dereference, $array_keys, PREG_SET_ORDER);
$array_keys = array_map('current', $array_keys);
array_unshift($array_keys, $key);
foreach (array_slice($array_keys, 0, -1) as $array_key) {
if (!isset($tip[$array_key]) || !is_array($tip[$array_key])) {
$tip[$array_key] = array();
}
$tip =& $tip[$array_key];
}
$tip[end($array_keys)] = $value;
} else {
$tip[$key] = $value;
}
}
/**
* Removes low-order bytes from a value
*
* @param string|array $value The value to strip
* @return string|array The `$value` with low-order bytes stripped
*/
static private function stripLowOrderBytes($value)
{
if (is_array($value)) {
foreach ($value as $key => $sub_value) {
$value[$key] = self::stripLowOrderBytes($sub_value);
}
return $value;
}
return preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]#', '', $value);
}
/**
* Removes slashes from a value
*
* @param string|array $value The value to strip
* @return string|array The `$value` with slashes stripped
*/
static private function stripSlashes($value)
{
if (is_array($value)) {
foreach ($value as $key => $sub_value) {
$value[$key] = self::stripSlashes($sub_value);
}
return $value;
}
return stripslashes($value);
}
/**
* Returns `$_GET`, `$_POST` and `$_FILES` and the `PUT`/`DELTE` post data to the state they were at before ::filter() was called
*
* @internal
*
* @return void
*/
static public function unfilter()
{
if (self::$backup_get === array()) {
throw new fProgrammerException(
'%1$s can only be called after %2$s',
__CLASS__ . '::unfilter()',
__CLASS__ . '::filter()'
);
}
$_FILES = array_pop(self::$backup_files);
$_GET = array_pop(self::$backup_get);
$_POST = array_pop(self::$backup_post);
self::$put_delete = array_pop(self::$backup_put_delete);
}
/**
* Validates a request token generated by ::generateCSRFToken()
*
* This method takes a request token and ensures it is valid, otherwise
* it will throw an fValidationException.
*
* @throws fValidationException When the CSRF token specified is invalid
*
* @param string $token The request token to validate
* @param string $url The URL to validate the token for, default to the current page
* @return void
*/
static public function validateCSRFToken($token, $url=NULL)
{
if ($url === NULL) {
$url = fURL::get();
}
$key = __CLASS__ . '::' . $url . '::csrf_tokens';
$tokens = fSession::get($key, array());
if (!in_array($token, $tokens)) {
throw new fValidationException(
'The form submitted could not be validated as authentic, please try submitting it again'
);
}
$tokens = array_diff($tokens, array($token));;
fSession::set($key, $tokens);
}
/**
* Forces use as a static class
*
* @return fRequest
*/
private function __construct() { }
}
/**
* Copyright (c) 2007-2011 Will Bond <will@flourishlib.com>, others
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/