Friday, July 27, 2012

CodeIgniter, Twilio Validation and You

One of my projects involves accepting POST requests from Twilio in a CodeIgniter application. I validate the requests as documented here, but I noticed that every once in a while a valid Twilio request would be rejected.

As part of the Input class of CodeIgniter, the $_POST array is sanitized and cleaned before your controller methods are executed. To clarify, I understand that:

$this->input->post('some_var');

has XSS filtering performed on it, but even if your controller works with $_POST['some_var'] directly, the value has still potentially been modified by the _sanitize_globals method in the Input class.

Here's one example. If you post "Body => test\r\n", you get the following:

// var_dump($_POST['Body']);
// Should be 6 characters long
string(5) "test
"

// var_dump(strpos($_POST['Body'], "\r"));
bool(false)

By extending CI_Input, you can capture the $_POST array before it is potentially modified, and then use that copy to validate requests from Twilio.


<?php
class MY_Input extends CI_Input {
    // Copy of $_POST taken before CI_Input sanitizes it
    public $completely_raw_post;

    public function __construct()
    {
        $this->completely_raw_post = $_POST;
        parent::__construct();
    }
}

/* End of file MY_Input.php */
/* Location: ./application/core/MY_Input.php */
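To see why the sanitized array breaks validation, here is an added example (not from the original post, nor Twilio's own library) that implements Twilio's documented signature scheme in plain PHP and checks it against both the raw and the sanitized parameters. The auth token, URL and POST values are constructed placeholders, and ci_sanitized only mimics the line-ending change shown in the var_dump output above; hash_equals needs PHP 5.6 or later.

```php
<?php
// Twilio's request signature: base64(HMAC-SHA1(auth_token, url . key1value1key2value2...))
// where the POST parameters are sorted by key and appended to the full request URL.
function twilio_signature($auth_token, $url, array $params)
{
    ksort($params);
    $data = $url;
    foreach ($params as $key => $value) {
        $data .= $key . $value;
    }
    return base64_encode(hash_hmac('sha1', $data, $auth_token, true));
}

// Constant-time comparison of the X-Twilio-Signature header against our own computation.
function twilio_request_is_valid($auth_token, $url, array $params, $header_signature)
{
    $expected = twilio_signature($auth_token, $url, $params);
    return hash_equals($expected, $header_signature);
}

// Simplified stand-in for what CI_Input::_sanitize_globals does to the value:
// the "\r\n" line ending is normalised to "\n", as the var_dump above shows.
function ci_sanitized(array $params)
{
    foreach ($params as $key => $value) {
        $params[$key] = str_replace("\r\n", "\n", $value);
    }
    return $params;
}

$auth_token = 'CONSTRUCTED_AUTH_TOKEN_PLACEHOLDER';          // placeholder, not a real token
$url        = 'https://example.com/sms/incoming';            // constructed endpoint URL
$raw_post   = array('From' => '+15005550006', 'Body' => "test\r\n"); // constructed request body
// In a CodeIgniter controller, $this->input->completely_raw_post plays the role of $raw_post.

// The signature Twilio computes over the parameters it actually sent
$header = twilio_signature($auth_token, $url, $raw_post);

var_dump(twilio_request_is_valid($auth_token, $url, $raw_post, $header));
var_dump(twilio_request_is_valid($auth_token, $url, ci_sanitized($raw_post), $header));
```

The first check passes and the second fails: once the "\r" is gone, the string being signed no longer matches what Twilio signed, so a perfectly legitimate request is rejected.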


Hooray!

P.S. Does anyone have any suggestions for formatting code on Blogger?
