<?php
/**
* Code related to the request.lib.php interface.
*
* PHP version 5
*
* @category Library
* @package Sucuri
* @subpackage SucuriScanner
* @author Daniel Cid <
[email protected]>
* @copyright 2010-2018 Sucuri Inc.
* @license https://www.gnu.org/licenses/gpl-2.0.txt GPL2
* @link https://wordpress.org/plugins/sucuri-scanner
*/
if (!defined('SUCURISCAN_INIT') || SUCURISCAN_INIT !== true) {
if (!headers_sent()) {
/* Report invalid access if possible. */
header('HTTP/1.1 403 Forbidden');
}
exit(1);
}
/**
* HTTP request handler.
*
* Function definitions to retrieve, validate, and clean the parameters during a
* HTTP request, generally after a form submission or while loading a URL. Use
* these methods at most instead of accessing an index in the global PHP
* variables _POST, _GET, _REQUEST since they may come with insecure data.
*
* @category Library
* @package Sucuri
* @subpackage SucuriScanner
* @author Daniel Cid <
[email protected]>
* @copyright 2010-2018 Sucuri Inc.
* @license https://www.gnu.org/licenses/gpl-2.0.txt GPL2
* @link https://wordpress.org/plugins/sucuri-scanner
*/
class SucuriScanRequest extends SucuriScan
{
/**
* Returns the value of the _GET, _POST or _REQUEST key.
*
* You can pass an additional parameter to execute a regular expression that
* will return False if the value doesn't matches what the RegExp defined.
* Very useful to filter user input besides form validations.
*
* @param array $list The array where the specified key will be searched.
* @param string $key Name of the variable contained in _POST.
* @param string $pattern Optional pattern to match allowed values.
* @return array|string|bool Value from the global _GET or _POST variable.
*/
private static function request($list = array(), $key = '', $pattern = '')
{
$key = self::varPrefix((string) $key);
if (!is_array($list) || !isset($list[$key])) {
return false;
}
$key_value = $list[$key]; /* raw request parameter */
/* if the request data is an array, then only cast the value. */
if ($pattern === '_array' && is_array($key_value)) {
return (array) $key_value;
}
/* match WordPress nonce */
if ($pattern === '_nonce') {
$pattern = '[a-z0-9]{10}';
}
/* match valid page identifier */
if ($pattern === '_page') {
$pattern = '[a-z_]+';
}
/* match every data format */
if ($pattern === '') {
$pattern = '.*';
}
/* check the format of the request data with a regex defined above. */
if (@preg_match('/^' . $pattern . '$/', $key_value)) {
return self::escape($key_value);
}
return false;
}
/**
* Returns the value stored in a specific index in the global _GET variable,
* you can specify a pattern as the second argument to match allowed values.
*
* @param string $key Name of the variable contained in _GET.
* @param string $pattern Optional pattern to match allowed values.
* @return array|string Value from the global _GET variable.
*/
public static function get($key = '', $pattern = '')
{
return self::request($_GET, $key, $pattern);
}
/**
* Returns the value stored in a specific index in the global _POST variable,
* you can specify a pattern as the second argument to match allowed values.
*
* @param string $key Name of the variable contained in _POST.
* @param string $pattern Optional pattern to match allowed values.
* @return array|string Value from the global _POST variable.
*/
public static function post($key = '', $pattern = '')
{
return self::request($_POST, $key, $pattern);
}
/**
* Returns the value stored in a specific index in the global _REQUEST variable,
* you can specify a pattern as the second argument to match allowed values.
*
* @param string $key Name of the variable contained in _REQUEST.
* @param string $pattern Optional pattern to match allowed values.
* @return array|string Value from the global _REQUEST variable.
*/
public static function getOrPost($key = '', $pattern = '')
{
return self::request($_REQUEST, $key, $pattern);
}
}