A Simple Front End Controller in PHP

A Front End Controller is part of an MVC pattern.

The controller receives input and initiates a response by making calls on model objects. An MVC application may be a collection of model/view/controller triplets, each responsible for a different UI element. MVC is often seen in web applications where the view is the HTML or XHTML generated by the app. The controller receives GET or POST input and decides what to do with it, handing over to domain objects (i.e. the model) that contain the business rules and know how to carry out specific tasks such as processing a new subscription.

People tend to think up very complex solutions for Front End Controllers in PHP. However, the only thing a Front End Controller needs to do is act as a switchboard between view and model. It is also the part of the application that is most exposed to attack: URLs can be manipulated to attack or subvert the controller logic and reach functions the user is not entitled to. For my NIST RBAC API PHP implementation I have made a simple and secure controller that I want to share. Code follows below:

If no action has been set, the Default action will be called:

$url_action = (empty($_REQUEST['action'])) ? 'Default' : $_REQUEST['action'];

Filter the GET/POST action parameter to allow only alphabetic characters. This value is the main entry point to the program logic and therefore an interesting target for URL manipulation:

if (!ctype_alpha($url_action)) {
    trigger_error('Action string has been tampered with, request terminated', E_USER_ERROR);
}

Check whether the action is set (it should be, because it has been filled with a default value anyway), then check whether a function of that name exists and is callable (is_callable() only looks the name up, it does not call it), and then call the function on behalf of the controller. Any error condition is raised through trigger_error() with E_USER_ERROR, which stops execution unless a custom error handler installed with set_error_handler() decides to continue.

if (isset($url_action)) {
    if (is_callable($url_action)) {
        call_user_func($url_action);
    } else {
        trigger_error('Function does not exist, request terminated', E_USER_ERROR);
    }
} else {
    trigger_error('Function does not exist, request terminated', E_USER_ERROR);
}

End of the Front End Controller code. Subsequent code consists of view functions.

Complete code:

$url_action = (empty($_REQUEST['action'])) ? 'Default' : $_REQUEST['action'];
if (!ctype_alpha($url_action)) {
    trigger_error('Action string has been tampered with, request terminated', E_USER_ERROR);
}
if (isset($url_action)) {
    if (is_callable($url_action)) {
        call_user_func($url_action);
    } else {
        trigger_error('Function does not exist, request terminated', E_USER_ERROR);
    }
} else {
    trigger_error('Function does not exist, request terminated', E_USER_ERROR);
}

The controller checks that url_action consists of alphabetic characters only, then checks that a function of that name exists, and if it does, calls it on behalf of the request. The function itself needs to check whether the user is entitled to access it. This can be done through the NIST RBAC PHP API, which I will post later. Keep in mind that ctype_alpha() plus is_callable() still admits every alphabetic function name that is defined when the controller runs, including PHP's own built-in functions (?action=phpinfo passes both checks), and that PHP resolves function names case-insensitively, so ?action=default reaches Default() as well. Every function reachable this way must therefore perform its own access check, or the set of actions must be restricted explicitly as described below.

The action names need to be reflected in the function names, i.e. ?action=AddUser will direct the user to the function AddUser(). If this is undesirable, add a mapping table like:

$url_mapping = array('UrlAction' => 'NameoftheFunction' ...);

You can then look the URL action up as a key in that array (no loop is needed) and call the function name it maps to. Anything not in the table is rejected, which also closes the hole of reaching built-in or unrelated functions through is_callable().
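The mapping-table variant carried through, as an added example that is not the post's own code: the action is looked up in an explicit allow-list before any function is resolved, so an alphabetic but unintended name such as phpinfo (which passes both ctype_alpha() and is_callable()) is rejected. The handler names, the check_access() function standing in for the author's unpublished RBAC API, and the command-line harness are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. Handler names, check_access()
// and the CLI harness are assumptions made for the example; check_access()
// stands in for the author's RBAC API, which this page does not include.

// Allow-list: URL action => handler function. Only keys in this table are
// reachable from the URL, so an alphabetic built-in such as phpinfo is
// rejected even though it would pass ctype_alpha() and is_callable().
$url_mapping = array(
    'Default' => 'view_default',
    'AddUser' => 'view_add_user',
);

function view_default(): void
{
    echo "Default view\n";
}

function view_add_user(): void
{
    echo "Add user form\n";
}

// Hypothetical authorization hook; a real deployment would consult the RBAC
// API here. For the example, an anonymous request may only use Default.
function check_access(string $action): bool
{
    $permitted_for_request = array('Default');
    return in_array($action, $permitted_for_request, true);
}

// Stop the request with an HTTP error instead of trigger_error(), whose
// E_USER_ERROR halt can be overridden by a custom error handler.
function fail(int $status, string $message): void
{
    http_response_code($status);
    echo $message, "\n";
    exit(1);
}

// Lets the file be tried from the command line: php front.php AddUser
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $_REQUEST['action'] = $argv[1];
}

// Same default as the post: nothing set means the Default action.
$url_action = empty($_REQUEST['action']) ? 'Default' : $_REQUEST['action'];

// Reject non-strings (?action[]=x arrives as an array) and anything that is
// not purely alphabetic before the value is used as a lookup key.
if (!is_string($url_action) || !ctype_alpha($url_action)) {
    fail(400, 'Action string has been tampered with, request terminated');
}

// Exact, case-sensitive lookup. PHP resolves function names case-insensitively,
// so calling the URL value directly would let ?action=default reach Default().
if (!array_key_exists($url_action, $url_mapping)) {
    fail(404, 'Function does not exist, request terminated');
}

if (!check_access($url_action)) {
    fail(403, 'Access denied, request terminated');
}

call_user_func($url_mapping[$url_action]);
```

Run it as a web request with ?action=AddUser, or from the command line as php front.php AddUser. With check_access() as written, Default is served, AddUser is refused with 403, and phpinfo or default (wrong case) are refused with 404 before any function name is resolved.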

  • Koen

    I’m interested to see your NIST RBAC API PHP implementation. Is there something available to check out?

    • Meint Post

      I’m nearly there, I need two weeks to finish the testing and then I will release the software on this site. I can send you an email to notify you of that if you want.

    • Koen

      An email would be nice, thanks.