├── .htaccess ├── LICENSE ├── README.md ├── api └── save_user.php ├── router.php ├── routes.php └── views ├── 404.php ├── full_name.php ├── index.php └── user.php /.htaccess: -------------------------------------------------------------------------------- 1 | RewriteEngine On 2 | RewriteCond %{REQUEST_URI} !(\.png|\.jpg|\.webp|\.gif|\.jpeg|\.zip|\.css|\.svg|\.js|\.pdf)$ 3 | RewriteRule (.*) routes.php [QSA,L] 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PHP ROUTER 2 | 3 | Secure router with XSS and CSRF 4 | 5 | 1. 
Download the file ".htaccess" and place it under the root directory (html, htdocs, or www) of your web server 6 | 7 | 2. Download the file "router.php" and place it under the root directory (html, htdocs, or www) of your web server 8 | 9 | 3. Download the file "routes.php" and place it under the root directory (html, htdocs, or www) of your web server 10 | 11 | In the browser go to "localhost" or "127.0.0.1" and you should see the word "Index" displayed in the website. 12 | 13 | Feel free to delete all the routes in the "routes.php" file and create your own. Most likely you want to keep the last route for "Page not found". 14 | 15 | For details about routing, visit https://phprouter.com 16 | -------------------------------------------------------------------------------- /api/save_user.php: -------------------------------------------------------------------------------- 1 | '; 99 | } 100 | 101 | /** Checks the CSRF token submitted in $_POST['csrf'] against the token stored in $_SESSION['csrf']. Starts the session itself, returns false when either token is absent or when the two differ, true otherwise. @return bool NOTE(review): the token comparison below uses loose != which is neither strict nor constant-time; hash_equals((string) $_SESSION['csrf'], (string) $_POST['csrf']) is the conventional check - confirm how the token is generated before changing it. NOTE(review): session_start() is called unconditionally here; if a caller has already started the session this emits a notice - confirm against call sites (not visible on this page). */ function is_csrf_valid() 102 | { 103 | session_start(); 104 | if (!isset($_SESSION['csrf']) || !isset($_POST['csrf'])) { 105 | return false; 106 | } 107 | if ($_SESSION['csrf'] != $_POST['csrf']) { /* NOTE(review): loose comparison, see docblock */ 108 | return false; 109 | } 110 | return true; 111 | } 112 | -------------------------------------------------------------------------------- /routes.php: -------------------------------------------------------------------------------- 1 | http://localhost 11 | // The output -> Index 12 | get('/', 'views/index.php'); 13 | 14 | // Dynamic GET. Example with 1 variable 15 | // The $id will be available in user.php 16 | get('/user/$id', 'views/user'); 17 | 18 | // Dynamic GET. Example with 2 variables 19 | // The $name will be available in full_name.php 20 | // The $last_name will be available in full_name.php 21 | // In the browser point to: localhost/user/X/Y 22 | get('/user/$name/$last_name', 'views/full_name.php'); 23 | 24 | // Dynamic GET. 
Example with 2 variables with static 25 | // In the URL -> http://localhost/product/shoes/color/blue 26 | // The $type will be available in product.php 27 | // The $color will be available in product.php 28 | get('/product/$type/color/$color', 'product.php'); 29 | 30 | // A route with a callback 31 | get('/callback', function(){ 32 | echo 'Callback executed'; 33 | }); 34 | 35 | // A route with a callback passing a variable 36 | // To run this route, in the browser type: 37 | // http://localhost/user/A 38 | get('/callback/$name', function($name){ 39 | echo "Callback executed. The name is $name"; 40 | }); 41 | 42 | // Route where the query string happends right after a forward slash 43 | get('/product', ''); 44 | 45 | // A route with a callback passing 2 variables 46 | // To run this route, in the browser type: 47 | // http://localhost/callback/A/B 48 | get('/callback/$name/$last_name', function($name, $last_name){ 49 | echo "Callback executed. The full name is $name $last_name"; 50 | }); 51 | 52 | // ################################################## 53 | // ################################################## 54 | // ################################################## 55 | // Route that will use POST data 56 | post('/user', '/api/save_user'); 57 | 58 | 59 | 60 | // ################################################## 61 | // ################################################## 62 | // ################################################## 63 | // any can be used for GETs or POSTs 64 | 65 | // For GET or POST 66 | // The 404.php which is inside the views folder will be called 67 | // The 404.php has access to $_GET and $_POST 68 | any('/404','views/404.php'); 69 | -------------------------------------------------------------------------------- /views/404.php: -------------------------------------------------------------------------------- 1 |