KevinM1 Posted March 12, 2007

My website -- a simple online store -- uses values passed by the GET method for navigation. So, there is just one script that shows every sub-category of merchandise, with each category being passed along as the GET value in the URL. For security reasons, I've created a sort of whitelist (as opposed to a blacklist) of approved values. My function is basically this (values changed to protect the security of my site):

```php
<?php
// Whitelist check for the category value taken from the URL.
function isSafe($getInfo){
    if(preg_match("/^(desktops)|(laptops)|(accessories)$/i", $getInfo)){
        return TRUE;
    }
    else{
        return FALSE;
    }
}
?>
```

Unfortunately, I just found out through testing something else that this isn't as safe as I'd like it to be. In my case, I found out that something like 'gaming_accessories' is treated as if it were just 'accessories', so the script was able to execute, even though it returned no values for that category because the category is empty. Any ideas on how I can have strict enforcement of my category values?
obsidian Posted March 12, 2007

> Unfortunately, I just found out through testing something else that this isn't as safe as I'd like it to be. In my case, I found out that something like 'gaming_accessories' is treated as if it was just 'accessories'

I've seen some shopping cart functions that do like to allow for parent and sub categories to be passed as one argument, simply separated by an underscore for separation later. The issue then arises that you may need to run some checks before the shopping cart script ever begins parsing the URL itself. Something as simple as setting up an array of all possible values or a switch statement should suffice for exact matching rather than having to break out the regexp matching in this case.
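The following is an example added by the editor, not code from either poster. It runs the thread's pattern beside a fully anchored version and an `in_array` whitelist (obsidian's suggestion) over a few constructed inputs, so the difference in what each accepts is visible. The function names and the `ALLOWED_CATEGORIES` constant are assumed.

```php
<?php
// Added example (not from the original thread). Shows why the posted
// pattern is too loose, and two exact-match whitelists that fix it.

// Pattern from the thread. Alternation binds looser than the anchors,
// so PCRE reads it as (^desktops) | (laptops) | (accessories$):
// only the first alternative is start-anchored and only the last is
// end-anchored, and the middle one floats anywhere in the string.
function isSafeLoose(string $getInfo): bool
{
    return (bool) preg_match("/^(desktops)|(laptops)|(accessories)$/i", $getInfo);
}

// Fixed regexp: one group holds the whole alternation, so both anchors
// apply to every alternative and the value must match exactly.
function isSafeRegex(string $getInfo): bool
{
    return (bool) preg_match("/^(desktops|laptops|accessories)$/i", $getInfo);
}

// Array whitelist with strict comparison (third argument true, so no
// type juggling). Lower-casing first keeps the original's /i behaviour.
const ALLOWED_CATEGORIES = ['desktops', 'laptops', 'accessories'];

function isSafeArray(string $getInfo): bool
{
    return in_array(strtolower($getInfo), ALLOWED_CATEGORIES, true);
}

// Constructed inputs: the first three are legitimate categories, the
// rest are the kind of values the loose pattern lets through.
$inputs = ['desktops', 'Laptops', 'accessories',
           'gaming_accessories', 'desktops_old', 'laptops/../admin'];

printf("%-20s %-6s %-6s %-6s\n", 'input', 'loose', 'regex', 'array');
foreach ($inputs as $in) {
    printf("%-20s %-6s %-6s %-6s\n", $in,
        isSafeLoose($in) ? 'yes' : 'no',
        isSafeRegex($in) ? 'yes' : 'no',
        isSafeArray($in) ? 'yes' : 'no');
}
```

The `string` type hints are deliberate: a query such as `?cat[]=x` makes `$_GET['cat']` an array, which `preg_match` would not handle as intended, and the hint turns that into a `TypeError` instead of a silent pass or warning.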