Moved internal verification to the new Input/Verify module

rspieker · Aug 28, 2013 · b9b2410 · b9b2410
1 parent 2eac6cb
commit b9b2410
Showing 1 changed file with 4 additions and 65 deletions.
diff --git a/request/type.class.php b/request/type.class.php
@@ -20,6 +20,7 @@ public function __construct($parent, $type=null)
 		$this->_type    = strToLower(!empty($type) ? $type : $_SERVER['REQUEST_METHOD']);
 		$this->_protect = $this->get('/Config/Request/protect_' . $this->_type, $this->get('/Config/Request/protect', true));
 		$this->_verify  = $this->get('/Config/Request/verify_' . $this->_type, $this->get('/Config/Request/verify', true));
+
 		$this->_collect();
 	}
 
@@ -51,7 +52,9 @@ public function __set($name, $value)
 	protected function _populate($collection, $buffer=null)
 	{
 		foreach ($collection as $key=>$value)
-			$this->_property[$key] = $this->_verify ? $this->_verifyVariable($buffer, $key, $value) : $value;
+			$this->_property[$key] = $this->_verify
+				? $this->call('/Input/Verify/bufferValue', $buffer, $key, $value)
+				: $value;
 	}
 
 	/**
@@ -100,70 +103,6 @@ protected function _collect()
 		}
 	}
 
-	/**
-	 *  Verify given key to exist in the buffer with the same value and strip out NULL bytes from values
-	 *  @name    _verifyVariable
-	 *  @type    method
-	 *  @access  protected
-	 *  @param   string buffer
-	 *  @param   string key
-	 *  @param   mixed  value (one of string or array)
-	 *  @return  mixed  value (one of string, array of boolean false if the value is not verified)
- 	 *  @note    This method will enhance security but does not guarantee absolute safety, always check user input!
-	 */
-	protected function _verifyVariable($buffer, $key, $value)
-	{
-		if (!empty($buffer))
-			switch (gettype($value))
-			{
-				case 'string':
-					//  see if the given GET/POST variable can be found in the buffer
-					if (preg_match_all('/(' . preg_quote($key) . '=[^&]*)/', $buffer, $match))
-					{
-						//  prepare the key for easier matching (we need to process the match we put into
-						//  parse_str the same way)
-						$key = preg_replace('/[\[\]]+/', '_', $key);
-						//  traverse last to first, as PHP does in fact overwrite previously set value, it is more
-						//  likely to find what we are looking for in the last matches
-						for ($i = count($match[0]) - 1; $i >= 0; --$i)
-						{
-							parse_str(preg_replace('/[\[\]]+/', '_', $match[1][$i]), $test);
-
-							if (isset($test[$key]) && $test[$key] === $value)
-							{
-								if (strpos($value, "\0"))
-									$value = str_replace("\0", '', $value);
-								return $value;
-							}
-						}
-					}
-					return false;
-					break;
-
-				case 'array':
-					//  arrays require a little more loving than straight up matching, here we need to match keys and
-					//  values, hence an array will stay an array but will get its values set to false if they're
-					//  tampered with
-					foreach ($value as $k=>$v)
-					{
-						$test = Array($key . '[' . $k . ']');
-						if (is_numeric($k))
-							array_unshift($test, $key . '[]');
-
-						foreach ($test as $pattern)
-						{
-							$value[$k] = $this->_verifyVariable($buffer, $pattern, $v);
-							if ($value[$k])
-								break;
-						}
-					}
-
-					return $value;
-					break;
-			}
-		return $value;
-	}
-
 	/*  ArrayAccess implementation */
 	public function offsetGet($offset)
 	{