<?php
require_once("rest/inc/config.php");
require_once("rest/inc/auth.php");
require_once("rest/inc/response.php");
require_once("rest/inc/restdb.php");
/*url=/rest/{object}/{method}?params...*/
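function find_handler($path)
{
    global $g_maps;
    $object = null;
    $action = null;
    // "/rest" is 5 characters, so the remainder ("/{object}/{method}") is the key into
    // the configured route map, which takes precedence over the generic pattern below.
    $route_path = substr($path, 5);
    if ($g_maps && isset($g_maps[$route_path])) {
        $object = $g_maps[$route_path]['class'];
        $action = $g_maps[$route_path]['method'];
    } else if (preg_match('/^\/rest\/(\w+)\/(\w+)\/?[^\/]*$/i', $path, $ret)) {
        // \w+ limits both segments to [A-Za-z0-9_], so the class file name built below
        // can contain neither a path separator nor "..".
        $object = $ret[1];
        $action = $ret[2];
    }
    if ($object === null || $action === null) {
        return null;
    }
    try {
        $class_file = CLASSES_PATH . "/{$object}.php";
        if (!file_exists($class_file)) {
            return null;
        }
        require_once($class_file);
        $class = new ReflectionClass($object);
        if (!$class->isInstantiable()) {
            return null;
        }
        $method = new ReflectionMethod($object, $action);
        // Only public, non-magic methods are API endpoints. Reflection can invoke
        // private/protected methods as well (since PHP 8.1 even without setAccessible()),
        // and __construct/__destruct/__call/... must never be reachable from the URL.
        if (!$method->isPublic() || strncmp($method->getName(), '__', 2) === 0) {
            return null;
        }
        return array('class' => $class->newInstance(), 'method' => $method);
    } catch (Exception $e) {
        // Unknown class or method (ReflectionException): no handler, caller answers 404.
        return null;
    }
}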
/*extract params from the http request (query string and form body)*/
function extract_params()
{
    // Combine form-body and query-string parameters into one map. With array_merge()
    // a string key present in both takes its value from $_GET; integer keys are renumbered.
    $body = $_POST;
    $query = $_GET;
    return array_merge($body, $query);
}
/*crude SQL-injection guard: reject quote and equals characters (defence in depth only; handlers must still use parameterised queries)*/
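function check_param_safe($input)
{
    // Only a scalar can be scanned character by character. An array value (e.g. "?id[]=1")
    // makes preg_match() fail rather than match: on PHP 7 it returns false, which the old
    // code turned into "safe", and on PHP 8 it throws a TypeError. Reject it outright.
    if (!is_scalar($input)) {
        return false;
    }
    // Blacklisting ' and = is a defence-in-depth measure only; it does not make
    // string-built SQL safe. Handlers must use parameterised queries.
    $hit = preg_match("/['=]/", (string) $input);
    // 0 = no forbidden character; 1 = found; false = PCRE error, treated as unsafe.
    return $hit === 0;
}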
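/*
 * Build the positional argument list for $method from the request parameters.
 * Returns null when a required argument is missing or a supplied value fails
 * check_param_safe(); otherwise an array suitable for ReflectionMethod::invokeArgs().
 */
function check_method_params($method, $params)
{
    $ret = array();
    foreach ($method->getParameters() as $arg) {
        $arg_name = $arg->getName();
        if (isset($params[$arg_name])) {
            if (!check_param_safe($params[$arg_name])) {
                return null;
            }
            $ret[] = $params[$arg_name];
        } else if ($arg->isDefaultValueAvailable()) {
            // Fill the declared default so later arguments keep their declared slot.
            // invokeArgs() passes $ret positionally: the old code skipped the slot, which
            // shifted every following supplied argument one position to the left.
            $ret[] = $arg->getDefaultValue();
        } else if ($arg->isOptional()) {
            // Optional without a default is a variadic parameter; it is always last and
            // nothing needs to be passed for it.
            continue;
        } else {
            // Required argument not supplied by the request.
            return null;
        }
    }
    return $ret;
}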
/*check the ticket*/
$ticket = null;
if (isset($_COOKIE["ticket"])) {
    $ticket = $_COOKIE["ticket"];
}
$resobj = new response();
// A ticket that is present but fails auth::check_ticket() is rejected with 403 before any
// handler runs. A request with no ticket cookie is passed through; access control for
// that case is left to the handlers (see the ForbiddenException catch below).
// NOTE(review): a cookie sent as "ticket[]=..." reaches check_ticket() as an array --
// confirm that auth.php rejects non-string tickets.
if ($ticket && !auth::check_ticket($ticket)) {
    $resobj->set(array('code' => 403, 'body' => "ticket invalid!"));
    goto RES_CLIENT;
}
/*extract a clean and standard path like /rest/xxx/xxx/xxx*/
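function filter_path()
{
    $uri = isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : '';
    // Drop the query string at the first '?', whatever it contains. The old pattern
    // ('/\?[^\/]*$/') only stripped a query with no '/' in it, so "?a=b/c" stayed in the
    // path and the request could not be routed.
    $q = strpos($uri, '?');
    if ($q !== false) {
        $uri = substr($uri, 0, $q);
    }
    // Treat '|' and '\' as separators and collapse runs of separators to a single '/'
    // (the old single-pass replace still left "//" behind for "///" or "\\").
    $path = preg_replace('/[|\\\\\/]+/', '/', $uri);
    // No trailing slash in the canonical form.
    return rtrim($path, '/');
}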
/*find the api handler method*/
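$handler = find_handler(filter_path());
if ($handler) {
    $params = check_method_params($handler['method'], extract_params());
    // null means a required argument is missing or a value failed check_param_safe();
    // an empty array is a valid zero-argument call.
    if (!is_array($params)) {
        $resobj->set(array('code' => 500, 'body' => "params invalid!"));
        goto RES_CLIENT;
    }
    try {
        $result = $handler['method']->invokeArgs($handler['class'], $params);
        // The handler's return value replaces the response object flushed below; anything
        // without flush() would previously have died fatally with no response sent.
        if (!is_object($result) || !method_exists($result, 'flush')) {
            $resobj->set(array('code' => 500, 'body' => "handler returned no response"));
        } else {
            $resobj = $result;
        }
    } catch (ForbiddenException $e) {
        $resobj->set(array('code' => 403, 'body' => $e->getMessage()));
    } catch (Exception $e) {
        // Do not echo internal exception text (DB errors, file paths, ...) to the
        // client; keep it in the server log and answer with a generic failure.
        error_log("rest.php: handler failed: " . $e->getMessage());
        $resobj->set(array('code' => 500, 'body' => "internal error"));
    } catch (Error $e) {
        // PHP 7+ engine errors (TypeError, undefined function, ...) are not Exceptions;
        // without this catch they would abort the script with no JSON response.
        error_log("rest.php: handler error: " . $e->getMessage());
        $resobj->set(array('code' => 500, 'body' => "internal error"));
    }
} else {
    $resobj->set(array('code' => 404));
}
/*response json to client*/
RES_CLIENT:
$resobj->flush();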
?>