0

I'm working on an API endpoint that takes a POST request of form x-www-form-urlencoded. This mostly takes your typical set of string values, but in some cases, the values can be an array, which come in as duplicate keys, like so:

name1=foo&name2=bar&arr=value1&arr=value2&arr=value3

I want to end up with the following:

[
  'name1' => 'foo',
  'name2' => 'bar',
  'arr' => [value1, value2, value3]
]

I've tried the following:

filter_input_array(INPUT_POST, [
  'name1' => FILTER_SANITIZE_STRING,
  'name2' => FILTER_SANITIZE_STRING,
  'arr' => [
    'filter' => FILTER_DEFAULT,
    'flags' => FILTER_FORCE_ARRAY
  ]
]);

which gives me

(
    [name1] => foo
    [name2] => bar
    [arr] => Array
        (
            [0] => value3
        )

)

and

parse_str(file_get_contents("php://input"), $params);

which gives me:

(
    [name1] => foo
    [name2] => bar
    [arr] => value3
)

In both cases, the duplicate keys are overwritten, and I only get the last value.

The top comment of the parse_str function mentions that it does not parse duplicate keys in the CGI standard way, and presents a hefty function to manually parse out the fields.

I'm wondering if there is a simpler way to do this, I simply want to get a sanitized array of all the input from the x-www-form-urlencoded POST call.

Ideally just something like

return filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING); // also FILTER_SANITIZE_ARRAY for duplicate keys

Is there any function that can accomplish this basic task, or do I really need to roll my own? If so, what's the best way to blanket sanitize an arbitrary user-input array coming in via this POST method, since I would wind up just using a function similar to that in the linked comment above?

ShaneOH
  • 1,454
  • 1
  • 17
  • 29
  • You send an array like this `arr[]=value1&arr[]=value2&arr[]=value3` – AbraCadaver Jul 22 '20 at 20:17
  • @AbraCadaver’s suggestion is a good one! Could you add your html/JavaScript as well? – Rolf Jul 22 '20 at 20:21
  • Does this answer your question? [Passing arrays as url parameter](https://stackoverflow.com/questions/1763508/passing-arrays-as-url-parameter) – ArSeN Jul 22 '20 at 20:29
  • Yeah that is a good suggestion, ultimately I do have control of the frontend so I could change the structure (or even change to JSON input if I want), but I was hoping for a method in which I didn't have to modify the JS code/POST input, as that code is shared across many different services and I wanted it to remain as generic as possible, as opposed to having different logic for this service, if that makes sense! – ShaneOH Jul 22 '20 at 20:36
  • @ArSeN It's a bit unrelated since the input will be coming from a separate JS frontend, not via PHP, I'm looking for a solution given this specific input before going in and having to modify the JS frontend to send a differently formatted input to the PHP backend – ShaneOH Jul 22 '20 at 20:38
  • I see. I am not sure this is possible with the way PHP accepts Input though. – ArSeN Jul 22 '20 at 20:41
  • I suppose this question is close enough to https://stackoverflow.com/questions/353379/how-to-get-multiple-parameters-with-same-name-from-a-url-in-php which has some answers. Doesn't seem like there's a native or clean way to do what I'm looking for, so I'll close this and point to the best answer being to either manually parse the input or change the input if you do have control over that aspect – ShaneOH Jul 23 '20 at 10:05

0 Answers0