From 0fece80ed014f7b57646f0d5ab299ef3d2040c4a Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin <joshua@museum-digital.de>
Date: Wed, 19 Aug 2020 15:32:15 +0200
Subject: [PATCH] Add functionality to restrict allowed values taken from get
 via MD_STD_IN

---
 MD_STD_IN.php | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/MD_STD_IN.php b/MD_STD_IN.php
index b6d1ec1..ccc2e3a 100644
--- a/MD_STD_IN.php
+++ b/MD_STD_IN.php
@@ -57,20 +57,27 @@ class MD_STD_IN {
      * Retrieves HTTP input texts from GET or POST variables, whatever is provided.
      * If neither is given, returns a provided default.
      *
-     * @param string $var_name Variable name.
-     * @param string $default  Default value for the output.
+     * @param string        $var_name Variable name.
+     * @param string        $default  Default value for the output.
+     * @param array<string> $allowed  List of allowed values. Defaults to empty (all values allowed).
      *
      * @return string
      */
-    final public static function get_http_input_text(string $var_name, string $default = ""):string {
+    final public static function get_http_input_text(string $var_name, string $default = "", array $allowed = []):string {
 
         if (isset($_GET[$var_name])) {
-            return self::sanitize_text($_GET[$var_name]);
+            $output = self::sanitize_text($_GET[$var_name]);
         }
         else if (isset($_POST[$var_name])) {
-            return self::sanitize_text($_POST[$var_name]);
+            $output = self::sanitize_text($_POST[$var_name]);
         }
-        else return self::sanitize_text($default);
+        else $output = self::sanitize_text($default);
+
+        if (!empty($allowed) and !in_array($output, $allowed)) {
+            Throw new MDpageParameterNotFromListException("Parameter `{$var_name}` must be any of the allowed values: " . implode(', ', $allowed));
+        }
+
+        return $output;
 
     }
 
@@ -78,17 +85,24 @@ class MD_STD_IN {
      * Retrieves HTTP input texts from POST variables.
      * If none is given, returns a provided default.
      *
-     * @param string $var_name Variable name.
-     * @param string $default  Default value for the output.
+     * @param string        $var_name Variable name.
+     * @param string        $default  Default value for the output.
+     * @param array<string> $allowed  List of allowed values. Defaults to empty (all values allowed).
      *
      * @return string
      */
-    final public static function get_http_post_text(string $var_name, string $default = ""):string {
+    final public static function get_http_post_text(string $var_name, string $default = "", array $allowed = []):string {
 
         if (isset($_POST[$var_name])) {
-            return self::sanitize_text($_POST[$var_name]);
+            $output = self::sanitize_text($_POST[$var_name]);
         }
-        else return self::sanitize_text($default);
+        else $output = self::sanitize_text($default);
+
+        if (!empty($allowed) and !in_array($output, $allowed)) {
+            Throw new MDpageParameterNotFromListException("Parameter `{$var_name}` must be any of the allowed values: " . implode(', ', $allowed));
+        }
+
+        return $output;
 
     }