How to handle arrays in request payload (i.e. $_GET and $_POST)? #15441

wurst-hans · 2021-04-28T18:15:58Z

wurst-hans
Apr 28, 2021

Imagine a simple form

$form = new Form();
$form->add(
    (new Text('firstname'))
);
$form->add(
    new Submit('submit', ['value' => 'Submit'])
);
if ($this->request->isPost() && $form->isValid($_POST)) {
    // ...
}
return $this->view
    ->setVars(['form' => $form])
    ->render('sso/signup');

Imagine now, that a script kiddie modifies POST payload and sending firstname[]=hacked instead of firstname=john. Then, Phalcon will throw an exception:

Phalcon\Tag\Exception: Value at index: 'value' type: 'array' cannot be rendered in /var/www/forms%%input.volt.php:14
Stack trace:
#0 [internal function]: Phalcon\Tag::renderAttributes()
#1 [internal function]: Phalcon\Tag::inputField()
#2 [internal function]: Phalcon\Tag::textField()
#3 [internal function]: Phalcon\Forms\Element\Text->render()

Sure, this is a rare case, but it can happen. It's fatal to pass $_POST (as suggest in documentation) to form. Now, what's a clean way to sanitize payload, that form accepts only string values?
Just for notice: I've tried it with ->setFilters(['string']) already, but same thing.

wurst-hans · 2021-04-30T14:33:15Z

wurst-hans
Apr 30, 2021
Author

BTW: I've found some websites made with Phalcon now, that are using pagination for example. Simply modifying query parameter ?page=2 to ?page[]=2 crashes most sites and returns a 500 error. So, most people seem not to be aware of the fact, that ingoing parameters are not sanitized by default.
For this reason, it's absolutely important for me, to find a ways (i.e. best practise) for sanitizing $_POST data before it comes to form validation or form rendering.

0 replies

Jeckerson · 2021-05-03T11:55:33Z

Jeckerson
May 3, 2021
Maintainer

Could you please create an issue with described examples and desired functionality?

1 reply

wurst-hans May 3, 2021
Author

This is not an issue, really. I just want to talk about best practise to handle non-scalar $_GET and $_POST data, else application will die with HTTP 500 error. Currently I have to add an custom isScalar validator to each form field which is not very handy.

While writing this, I thought it would be good to have a global middleware that can be called on beforeValidation event. Sadly, the form component of Phalcon is not bound to event manager, so I have to add a beforeValidation method to each form class, which also is not very handy. If form component would be able to fire events via event manager this problem of crappy $_POST data might be solved in a smooth way.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The Phalcon PHP Framework

How to handle arrays in request payload (i.e. $_GET and $_POST)? #15441

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

The Phalcon PHP Framework

How to handle arrays in request payload (i.e. $_GET and $_POST)? #15441

wurst-hans Apr 28, 2021

Replies: 2 comments · 1 reply

wurst-hans Apr 30, 2021 Author

Jeckerson May 3, 2021 Maintainer

wurst-hans May 3, 2021 Author

wurst-hans
Apr 28, 2021

Replies: 2 comments 1 reply

wurst-hans
Apr 30, 2021
Author

Jeckerson
May 3, 2021
Maintainer

wurst-hans May 3, 2021
Author