Request variables in Konsolidate's Breed tier
(we assume a working Konsolidate instance to be in $K)
- Konsolidate - http://konsolidate.nl
- Breed - https://github.com/rspieker/konsolidate_breed
There are a couple of ways to work with Breed's Request object
Given the GET request: http://example.com/request.php?foo=bar
The implicit approach, just asking Request itself, which will determine the appropriate request type (GET in this case) and look up the variable
$foo = $K->get('/Request/foo');
The explicit approach, asking Request to obtain the variable from the GET RequestType module
$foo = $K->get('/Request/GET/foo');
This is the same as the trainwreck notation, should you prefer that:
$foo = $K->Request->GET->foo;
Replace GET with the desired request type
POST:
$foo = $K->get('/Request/POST/foo');
DELETE:
$foo = $K->get('/Request/DELETE/foo');
PUT:
$foo = $K->get('/Request/PUT/foo');
Note that all request types other than GET will always also create the GET type, which catches the variables added to the querystring
Mixing request types
Imagine a POST request which posts 'foo=bar' but also has 'foo=baz' in the URL query string:
e.g.: curl -X POST --data "foo=bar" "http://example.com/request.php?foo=baz"
$foo = $K->get('/Request/foo');
returns 'bar', as the variable is read from the POST buffer (as this is the actual request type)
$foo = $K->get('/Request/GET/foo');
returns 'baz', as the variable is explicitly read from the GET buffer
$foo = $K->get('/Request/POST/foo');
returns 'bar', as the variable is read explicitly from the POST buffer
Tampered requests
PHP has some oddities in how it processes request variables
NULL byte injection: If a variable name contains a NULL byte, only the part of the name up to the NULL byte is used.
This behavior is used by malicious visitors to trick applications
e.g.: curl -X POST --data "foo%00led=bar" "http://example.com/request.php?foo=baz"
The Breed Request will attempt (!) to protect against this attack vector
$foo = $K->get('/Request/foo');
returns false, as the variable is read from the POST buffer, but cannot be trusted
$foo = $K->get('/Request/GET/foo');
returns 'baz', as the variable is explicitly read from the GET buffer
$foo = $K->get('/Request/POST/foo');
returns false, as the variable is read explicitly from the POST buffer, but cannot be trusted
As you can see, the Breed Request will not provide the value of 'foo' (nor 'foo%00led', which would not have been known to PHP anyway, unless you were using a POST with "Content-type: multipart/form-data", in which case the foo%00led variable WILL be known).
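The NULL byte check described above, as an added example (not Breed's own code, whose implementation this page does not show): it parses the raw urlencoded buffer itself, so the full variable name is visible, and returns false for a name that was cut off at a NULL byte. The function names parse_buffer and lookup are hypothetical, the sample buffers are constructed from the curl example, and only flat names (no foo[bar] arrays) are handled.

```php
<?php
// Added example, not Breed's code: flag variable names that arrive with an
// encoded NULL byte, and refuse to return the truncated name's value.

/**
 * Parse a raw urlencoded buffer (query string or POST body) ourselves,
 * so the full variable name is seen before any truncation happens.
 * Returns [values, tainted]: values keyed by name, tainted keyed by the
 * name as it would appear after truncation at the NULL byte.
 */
function parse_buffer(string $raw): array
{
    $values  = [];
    $tainted = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = urldecode($parts[0]);
        $value = urldecode($parts[1] ?? '');
        $nul   = strpos($name, "\0");
        if ($nul !== false) {
            // Mark the truncated name as untrustworthy; never store the value.
            $tainted[substr($name, 0, $nul)] = true;
            continue;
        }
        $values[$name] = $value;
    }
    return [$values, $tainted];
}

/** Look up a variable; false when it is absent or its name was tampered with. */
function lookup(string $raw, string $name)
{
    [$values, $tainted] = parse_buffer($raw);
    if (isset($tainted[$name])) {
        return false;
    }
    return $values[$name] ?? false;
}

// Constructed sample input, matching the curl example above.
$post  = 'foo%00led=bar'; // request body
$query = 'foo=baz';       // URL query string

var_dump(lookup($post, 'foo'));  // POST buffer
var_dump(lookup($query, 'foo')); // GET buffer
```

A tainted name wins over a clean duplicate in the same buffer, so "foo=ok&foo%00led=bar" also yields false for 'foo'.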