Request Environment

Every HTTP request (usually originated by a browser) contains additional information regarding the request such as header data, files, variables, etc. A web based application needs to parse that information so as to provide the correct response back to the requester. Phalcon\Http\Request encapsulates the information of the request, allowing you to access it in an object-oriented way.

  1. <?php
  3. use Phalcon\Http\Request;
  5. // Getting a request instance
  6. $request = new Request();
  8. // Check whether the request was made with method POST
  9. if ($request->isPost()) {
  10.     // Check whether the request was made with Ajax
  11.     if ($request->isAjax()) {
  12.         echo 'Request was made using POST and AJAX';
  13.     }
  14. }

Getting Values

PHP automatically fills the superglobal arrays $_GET and $_POST depending on the type of the request. These arrays contain the values present in forms submitted or the parameters sent via the URL. The variables in the arrays are never sanitized and can contain illegal characters or even malicious code, which can lead to SQL injection or Cross Site Scripting (XSS) attacks.

Phalcon\Http\Request allows you to access the values stored in the $_REQUEST, $_GET and $_POST arrays and sanitize or filter them with the filter service, (by default Phalcon\Filter). The following examples offer the same behavior:

  1. <?php
  3. use Phalcon\Filter;
  5. $filter = new Filter();
  7. // Manually applying the filter
  8. $email = $filter->sanitize($_POST['user_email'], 'email');
  10. // Manually applying the filter to the value
  11. $email = $filter->sanitize($request->getPost('user_email'), 'email');
  13. // Automatically applying the filter
  14. $email = $request->getPost('user_email', 'email');
  16. // Setting a default value if the param is null
  17. $email = $request->getPost('user_email', 'email', '[email protected]');
  19. // Setting a default value if the param is null without filtering
  20. $email = $request->getPost('user_email', null, '[email protected]');

Accessing the Request from Controllers

The most common place to access the request environment is in an action of a controller. To access the Phalcon\Http\Request object from a controller you will need to use the $this->request public property of the controller:

  1. <?php
  3. use Phalcon\Mvc\Controller;
  5. class PostsController extends Controller
  6. {
  7.     public function indexAction()
  8.     {
  10.     }
  12.     public function saveAction()
  13.     {
  14.         // Check if request has made with POST
  15.         if ($this->request->isPost()) {
  16.             // Access POST data
  17.             $customerName = $this->request->getPost('name');
  18.             $customerBorn = $this->request->getPost('born');
  19.         }
  20.     }
  21. }

Uploading Files

Another common task is file uploading. Phalcon\Http\Request offers an object-oriented way to achieve this task:

  1. <?php
  3. use Phalcon\Mvc\Controller;
  5. class PostsController extends Controller
  6. {
  7.     public function uploadAction()
  8.     {
  9.         // Check if the user has uploaded files
  10.         if ($this->request->hasFiles()) {
  11.             $files = $this->request->getUploadedFiles();
  13.             // Print the real file names and sizes
  14.             foreach ($files as $file) {
  15.                 // Print file details
  16.                 echo $file->getName(), ' ', $file->getSize(), '\n';
  18.                 // Move the file into the application
  19.                 $file->moveTo(
  20.                     'files/' . $file->getName()
  21.                 );
  22.             }
  23.         }
  24.     }
  25. }

Each object returned by Phalcon\Http\Request::getUploadedFiles() is an instance of the Phalcon\Http\Request\File class. Using the $_FILES superglobal array offers the same behavior. Phalcon\Http\Request\File> encapsulates only the information related to each file uploaded with the request.

Working with Headers

As mentioned above, request headers contain useful information that allow us to send the proper response back to the user. The following examples show usages of that information:

  1. <?php
  3. // Get the Http-X-Requested-With header
  4. $requestedWith = $request->getHeader('HTTP_X_REQUESTED_WITH');
  6. if ($requestedWith === 'XMLHttpRequest') {
  7.     echo 'The request was made with Ajax';
  8. }
  10. // Same as above
  11. if ($request->isAjax()) {
  12.     echo 'The request was made with Ajax';
  13. }
  15. // Check the request layer
  16. if ($request->isSecure()) {
  17.     echo 'The request was made using a secure layer';
  18. }
  20. // Get the servers's IP address. ie. 192.168.0.100
  21. $ipAddress = $request->getServerAddress();
  23. // Get the client's IP address ie. 201.245.53.51
  24. $ipAddress = $request->getClientAddress();
  26. // Get the User Agent (HTTP_USER_AGENT)
  27. $userAgent = $request->getUserAgent();
  29. // Get the best acceptable content by the browser. ie text/xml
  30. $contentType = $request->getAcceptableContent();
  32. // Get the best charset accepted by the browser. ie. utf-8
  33. $charset = $request->getBestCharset();
  35. // Get the best language accepted configured in the browser. ie. en-us
  36. $language = $request->getBestLanguage();
  38. // Check if a header exists
  39. if ($request->hasHeader('my-header')) {
  40.     echo "Mary had a little lamb";
  41. }

Events

When using HTTP authorization, the Authorization header has the following format:

  1. Authorization: <type> <credentials>

where <type> is an authentication type. A common type is Basic. Additional authentication types are described in IANA registry of Authentication schemes and Authentication for AWS servers (AWS4-HMAC-SHA256). In 99.99% use cases the authentication type is:

  • AWS4-HMAC-SHA256
  • Basic
  • Bearer
  • Digest
  • HOBA
  • Mutual
  • Negotiate
  • OAuth
  • SCRAM-SHA-1
  • SCRAM-SHA-256
  • vapid
    You can use the request:beforeAuthorizationResolve and request:afterAuthorizationResolve events to perform additional operations before or after the authorization resolves. A custom authorization resolver is required.

Example without using custom authorization resolver:

  1. <?php
  3. use Phalcon\Http\Request;
  5. $_SERVER['HTTP_AUTHORIZATION'] = 'Enigma Secret';
  7. $request = new Request();
  8. print_r($request->getHeaders());

Result:

  1. Array
  2. (
  3.     [Authorization] => Enigma Secret
  4. )
  6. Type: Enigma
  7. Credentials: Secret

Example using custom authorization resolver:

  1. <?php
  3. use Phalcon\Di;
  4. use Phalcon\Events\Event;
  5. use Phalcon\Http\Request;
  6. use Phalcon\Events\Manager;
  8. class NegotiateAuthorizationListener
  9. {
  10.     public function afterAuthorizationResolve(Event $event, Request $request, array $data)
  11.     {
  12.         if (empty($data['server']['CUSTOM_KERBEROS_AUTH'])) {
  13.             return false;
  14.         }
  16.         list($type,) = explode(' ', $data['server']['CUSTOM_KERBEROS_AUTH'], 2);
  18.         if (!$type || stripos($type, 'negotiate') !== 0) {
  19.             return false;
  20.         }
  22.         return [
  23.            'Authorization'=> $data['server']['CUSTOM_KERBEROS_AUTH'],
  24.         ];
  25.     }
  26. }
  28. $_SERVER['CUSTOM_KERBEROS_AUTH'] = 'Negotiate a87421000492aa874209af8bc028';
  30. $di = new Di();
  32. $di->set('eventsManager', function () {
  33.     $manager = new Manager();
  34.     $manager->attach('request', new NegotiateAuthorizationListener());
  36.     return $manager;
  37. });
  39. $request = new Request();
  40. $request->setDI($di);
  42. print_r($request->getHeaders());

Result:

  1. Array
  2. (
  3.     [Authorization] => Negotiate a87421000492aa874209af8bc028
  4. )
  6. Type: Negotiate
  7. Credentials: a87421000492aa874209af8bc028