cgm225 Posted April 3, 2008

I am using a PHP front controller, in which I GET two variables from the URL which are used to identify directory names, class filenames, and/or class names. The code I am using is as such:

$module = !empty($_GET["module"]) ? $_GET["module"] : "home";
$action = !empty($_GET["action"]) ? $_GET["action"] : "frontpage";

However, I know I am never to trust external data passed to my script, so what type of filtering/validation should I be doing on these two GET variables? Thanks in advance!
laffin Posted April 3, 2008

Directory names should go further down from the directory root, so you want to avoid '..', which you can check with the realpath function. For class names, if you know what to expect, store them in an array and do a comparison check with the in_array function.
cgm225 Posted April 3, 2008 (Author)

If I run the following filter, should that be enough? FILTER_SANITIZE_STRING
lordfrikk Posted April 3, 2008

You probably want to avoid a directory traversal attack, so you should at least check that those values aren't "..", then probably something like is_dir(realpath($_GET['module'])). But if I'm not mistaken, if you're using the MVC pattern, then you can't use a directory traversal attack because you're not pointing to directories but to specific controllers.
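The allowlist approach laffin describes, worked through for the $module/$action parameters in the first post, as an added example that is not code from anyone in the thread: the module names, action names and the modules/ directory layout are assumptions. Because a name is only ever compared against a fixed list, nothing from the URL touches the filesystem before it has been accepted, which is a stronger guarantee than checking the result of realpath afterwards.

```php
<?php
// Added example, not from the thread: allowlist validation of $module/$action
// in the spirit of laffin's in_array suggestion. Names and layout are assumed.

// Every module and the actions it supports. Anything not listed is rejected,
// so '..', '/', or null bytes never reach the filesystem or a class loader.
const ROUTES = [
    'home'    => ['frontpage', 'about'],
    'account' => ['login', 'logout', 'profile'],
];

// Syntactic check: a module or action name is a short lowercase identifier.
function isValidName(string $value): bool
{
    return (bool) preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $value);
}

// Resolve the request to [module, action], applying the defaults for empty
// values. Returns null for anything outside the allowlist so the caller can
// answer 404 instead of silently falling back to the front page.
function resolveRoute(array $get, string $defModule = 'home', string $defAction = 'frontpage'): ?array
{
    $module = isset($get['module']) && $get['module'] !== '' ? $get['module'] : $defModule;
    $action = isset($get['action']) && $get['action'] !== '' ? $get['action'] : $defAction;

    if (!is_string($module) || !is_string($action)) {
        return null;                    // ?module[]=x arrives as an array
    }
    if (!isValidName($module) || !isValidName($action)) {
        return null;
    }
    if (!isset(ROUTES[$module]) || !in_array($action, ROUTES[$module], true)) {
        return null;
    }
    return [$module, $action];
}

// Only a validated name is ever used to build a path or class name.
$route = resolveRoute($_GET);
if ($route === null) {
    http_response_code(404);
    exit('Not found');
}
[$module, $action] = $route;
require __DIR__ . '/modules/' . $module . '/' . ucfirst($module) . 'Controller.php';
```

A request such as ?module=account&action=profile resolves to ['account', 'profile'], while ?module=..%2Fetc&action=frontpage or ?module=account&action=delete returns null and is answered with 404.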