
Difference between revisions of "Initialising request variables the correct way"

From Joomla! Documentation


Latest revision as of 09:16, 15 January 2011

This article applies to Joomla! 1.0.

// Pattern the article warns against: the raw $_POST value is copied into
// $sectionid with no default, no trimming and no type check, and the @ only
// hides the "undefined index" notice.
if ( !$sectionid && @$_POST['filter_sectionid'] ) {
        $sectionid = $_POST['filter_sectionid'];
}

This style of code is a source of potential injection. You should use mosGetParam with a default, e.g.:

// Third argument is the default returned when the key is absent.
$filter_sectionid = mosGetParam( $_POST, 'filter_sectionid', 0 );

If you are expecting an integer you could use:

// intval() forces the value to an integer, so it can be used directly in a numeric comparison.
$filter_sectionid = intval( mosGetParam( $_POST, 'filter_sectionid' ) );

If it's text to be later used in a query you should also do the following:

$filter_sectionid = mosGetParam( $_POST, 'filter_sectionid', '' );
// getEscaped() escapes the string; you still add the surrounding quotes in the SQL.
$filter_sectionid = $database->getEscaped( $filter_sectionid );
// or
// Quote() escapes the string and wraps it in quotes, ready to embed in the SQL.
$filter_sectionid = $database->Quote( $filter_sectionid );

We should never ever see the use of @$_GET or @$_POST, etc, in the code.

By default, mosGetParam trims and strips HTML out of the input, which makes it quite safe to use in most places (except the database, where the value must still be escaped or quoted as shown above).
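The following added example (not code from the Joomla! project or this article) puts the three recommendations together on one constructed request. It uses a hypothetical helper, getParamSafe(), modelled on the behaviour the article describes for mosGetParam (default value, trim, strip HTML), and it uses PDO on an in-memory SQLite database with PDO::quote() standing in for $database->Quote(), so it runs offline on stock PHP with pdo_sqlite. The request values and table rows are constructed for the example.

```php
<?php
// Hypothetical stand-in for Joomla 1.0's mosGetParam(): returns the default when the
// key is absent, otherwise trims the value and strips HTML. Not Joomla's own code.
function getParamSafe(array $arr, string $name, $default = null)
{
    if (!isset($arr[$name])) {
        return $default;
    }
    $value = $arr[$name];
    return is_string($value) ? trim(strip_tags($value)) : $value;
}

// Constructed sample request; in the real application this would be $_POST.
$post = [
    'filter_sectionid' => "  <b>7</b>  ",
    'filter_title'     => "  <i>O'Brien</i>  ",
];

// 1. Plain use with a default: HTML gone, whitespace trimmed, key absent => default.
$sectionAsString = getParamSafe($post, 'filter_sectionid', 0);   // "7"
$missing         = getParamSafe($post, 'filter_catid', 0);       // 0

// 2. When an integer is expected, intval() reduces the value to a number.
$sectionAsInt = intval(getParamSafe($post, 'filter_sectionid')); // 7

// 3. Text destined for a query must still be quoted for the database.
$title = getParamSafe($post, 'filter_title', '');                 // "O'Brien"

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sections (id INTEGER, title TEXT)');
$db->exec("INSERT INTO sections VALUES (7, 'O''Brien'), (8, 'News')");

$queries = [
    // Integer path: safe because intval() guarantees a number.
    'int'      => "SELECT id FROM sections WHERE id = " . $sectionAsInt,
    // Text embedded without quoting: the apostrophe breaks the statement.
    'unquoted' => "SELECT id FROM sections WHERE title = '" . $title . "'",
    // Text quoted by the database layer (PDO::quote() here, $database->Quote() in Joomla 1.0).
    'quoted'   => "SELECT id FROM sections WHERE title = " . $db->quote($title),
];

foreach ($queries as $label => $sql) {
    try {
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        printf("%-8s OK   %s -> [%s]\n", $label, $sql, implode(',', $rows));
    } catch (PDOException $e) {
        printf("%-8s FAIL %s -> %s\n", $label, $sql, $e->getMessage());
    }
}
```

Running it shows the integer query and the quoted query each returning section 7, while the unquoted query fails with a syntax error. That failure is the benign face of the problem the article describes: once untrusted text can alter the statement's structure, the same input channel can carry more than a stray apostrophe, which is why the escaping or quoting step is required in addition to mosGetParam's HTML stripping.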