Question

I am trying to figure out the best way of sanitizing and to some degree validating POST data that is sent to my app.

I made this function that resides in my Router and is called in the __constructor if($_POST) is present:

private function validatePost()
{
    // Walks every POSTed field; assumes scalar values (nested arrays would
    // break strlen/is_numeric and need handling if the framework allows them).
    foreach ($_POST as $key => $value) {
        // Only letters are allowed in field names.
        if (preg_match('/[^a-zA-Z]/', $key)) {
            $this->throwError('POST Error', 'Invalid index name.');
            return;
        }
        // Optional per-value size cap; -1 means no limit.
        if ($this->postLimit != -1 && strlen($value) > $this->postLimit) {
            $this->throwError('POST Error', 'Posted value too large.');
            return;
        }
        // Fields whose name ends in "id" must be numeric.
        if (substr($key, -2, 2) == 'id' && !is_numeric($value)) {
            $this->throwError('POST Error', 'Expected a number, didn\'t get one.');
            return;
        } else {
            //$value = urlencode($value);
        }
        $_POST[$key] = $value;
    }
}

It is a little strict on purpose but that doesn't matter if I stick to the rules I have made throughout my framework.

I have read that limiting the size of $_POST really helps in thwarting some attacks; in this case I put -1 for no/default limit (but it can be set to less if needed in my config file).

I commented out the urlencoding as I am currently unsure of the best way to decode it when it arrives at the intended function. Should I encode it at all and what would be the best way to decode it? Perhaps in the master Controller that all my classes extend from or not?

Any other suggestions are welcome.


Solution

If you want to limit the size of POST requests, then the best option is to do it at the level of the webserver itself. There are tools for that. Since you most likely are using Apache, you could look into mod_security. Other webservers will have similar options.

When limiting the size of a POST request, one of the risks is the amount of memory that is used for the execution of the page. If the data is already in $_POST then you are too late.

As for validation and sanitation, it should be done either in domain objects, presentation entities or SQL ... You validate the logic of input in domain objects. You validate the structure of data in the SQL constraints. And you sanitize the output in the presentation entities (I don't like to call them "presentation models" because it adds to the confusion about MVC).

The routing mechanism in MVC (which is what "front controller" is an aspect of) should just take the input from the user and organize it in a structured Request instance. This instance is then used by the controller's action to pass data on to the model layer.

Routing should not be validating the input.
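An added example (not code from the question or the answer) of the separation the answer describes, assuming a PHP 8.1+ app: the Router only wraps raw input in a Request, the domain object validates, and the view escapes on output.

```php
<?php
// Added example, not the asker's framework: router builds a Request, the domain
// object validates, the presentation layer escapes. Requires PHP 8.1+.

final class Request
{
    // Raw $_POST copied untouched; no validation here, routing only structures input.
    public function __construct(private array $post) {}
    public function post(string $key): mixed
    {
        return $this->post[$key] ?? null;
    }
}
final class Comment
{
    public readonly int $postId;
    public readonly string $body;
    // Validation of the input's logic belongs to the domain object.
    public function __construct(mixed $postId, mixed $body)
    {
        if ((!is_string($postId) && !is_int($postId))
            || filter_var($postId, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException('postId must be an integer');
        }
        if (!is_string($body) || $body === '' || strlen($body) > 2000) {
            throw new InvalidArgumentException('body must be 1..2000 bytes');
        }
        $this->postId = (int) $postId;
        $this->body = $body;
    }
}
final class CommentView
{
    // Sanitizing happens at output, escaped for the HTML context it lands in.
    public static function render(Comment $c): string
    {
        return '<p data-post="' . $c->postId . '">'
            . htmlspecialchars($c->body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
    }
}
// Controller action with constructed sample input standing in for $_POST.
$request = new Request(['post_id' => '42', 'body' => '<b>hi</b> & bye']);
try {
    echo CommentView::render(new Comment($request->post('post_id'), $request->post('body'))), PHP_EOL;
} catch (InvalidArgumentException $e) {
    http_response_code(422);
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Request size stays a server-side setting (Apache's LimitRequestBody, PHP's post_max_size, or mod_security rules as the answer suggests); by the time the router sees $_POST the bytes are already in memory.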

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow