
I am using an MVC, am I using the right filter on these GET variables?


cgm225


I am using an MVC, am I using the right filter on these GET variables, or should I be validating/filtering with a different filter/preg_match?

 

        //The next two lines are ternary operators, a sort of short-hand for if-else
        //FILTER_SANITIZE_STRING strips tags and encodes quotes; note it is deprecated as of PHP 8.1
        $module = isset($_GET["module"]) ? filter_input(INPUT_GET, 'module', FILTER_SANITIZE_STRING) : "home";
        $action = isset($_GET["action"]) ? filter_input(INPUT_GET, 'action', FILTER_SANITIZE_STRING) : "frontpage";

Well, there's no guarantee they're not trying to access a module they don't have access to... or one they shouldn't be looking at. But as far as stripping unwanted characters and preventing injection... it seems fine.

 

Personally, I'd use a regex function with a white list of allowed characters... gives you a little more control.

 

This code strips anything that isn't a letter, number, underscore or hyphen

 

// Character whitelist: letters, digits, underscore, hyphen.
// Written A-Za-z rather than A-z: the range A-z also covers [ \ ] ^ _ ` (ASCII 91-96).
$regex = '/[^-_A-Za-z0-9]++/';

// ?? '' avoids an undefined-index notice when the parameter is absent
$module = preg_replace($regex, '', $_GET['module'] ?? '');
$action = preg_replace($regex, '', $_GET['action'] ?? '');

 

Or you can fail completely on an injection attempt

 

// Same whitelist, but any disallowed character is fatal instead of being stripped
$regex = '/[^-_A-Za-z0-9]/';
if ( preg_match($regex, $_GET['module'] ?? '') || preg_match($regex, $_GET['action'] ?? '') ) {
    // injection attempt detected
    exit('Invalid input variables detected');
}
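The reply above makes two separate points: a character whitelist controls what the strings may contain, but nothing stops a clean-looking value from naming a module the user should not reach. The following is an added example, not code from the original thread, that combines both in a small front-controller resolver. The `ROUTES` table and the module/action names in it are assumptions for illustration; the `A-Za-z` spelling of the range is deliberate, since `A-z` also matches the six punctuation characters between `Z` and `a`.

```php
<?php
// Added example (not from the original thread): route parameter validation for a
// front controller that maps ?module=...&action=... to a module/action pair.
// The ROUTES table below is hypothetical; a real app lists its own modules.

declare(strict_types=1);

// Anchored allowlist pattern. A-Za-z, not A-z: the range A-z also matches
// the ASCII characters between 'Z' and 'a' ([ \ ] ^ _ `), so the whitelist
// would quietly admit "]" or "^".
const ROUTE_TOKEN = '/^[A-Za-z0-9_-]{1,32}$/';

// Known routes. Anything not listed here is rejected even when it is clean
// character-wise, so a syntactically valid but unknown module name never
// reaches the filesystem or the class loader.
const ROUTES = [
    'home'  => ['frontpage', 'about'],
    'blog'  => ['index', 'view'],
    'admin' => ['dashboard'],
];

/**
 * Resolve module/action from the query parameters.
 * Returns [module, action] or null when the request must be rejected.
 */
function resolveRoute(array $get, string $defaultModule = 'home', string $defaultAction = 'frontpage'): ?array
{
    $module = $get['module'] ?? $defaultModule;
    $action = $get['action'] ?? $defaultAction;

    // $_GET can hand back arrays (?module[]=x), which makes preg_match()
    // emit a warning and return false; insist on scalar strings.
    if (!is_string($module) || !is_string($action)) {
        return null;
    }

    // Step 1: reject rather than strip. Stripping turns "../blog" into "blog"
    // and silently changes which module is loaded.
    if (!preg_match(ROUTE_TOKEN, $module) || !preg_match(ROUTE_TOKEN, $action)) {
        return null;
    }

    // Step 2: the module and action must be ones the application actually ships.
    if (!array_key_exists($module, ROUTES) || !in_array($action, ROUTES[$module], true)) {
        return null;
    }

    return [$module, $action];
}

// Constructed requests for demonstration (not real traffic).
$requests = [
    [],                                                 // defaults -> home/frontpage
    ['module' => 'blog', 'action' => 'view'],           // valid
    ['module' => '../../etc/passwd', 'action' => 'x'],  // traversal attempt
    ['module' => 'home', 'action' => 'frontpage]'],     // ']' slips through A-z, not A-Za-z
    ['module' => 'config', 'action' => 'index'],        // clean characters, unknown module
    ['module' => ['home'], 'action' => 'frontpage'],    // array via ?module[]=home
];

foreach ($requests as $get) {
    $route = resolveRoute($get);
    printf("%-50s => %s\n", json_encode($get), $route === null ? 'REJECT' : implode('/', $route));
}
```

Only the first two requests resolve; the rest are rejected before any `include` or class lookup happens. Using `$_GET` directly rather than `filter_input()` here is a deliberate choice: the allowlist does the validation, and passing the array in as a parameter keeps the resolver testable without a live request.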

 

 
