Initialising request variables the correct way

From Joomla! Documentation

Revision as of 09:16, 15 January 2011 by Mvangeest (Talk | contribs)

This article applies to Joomla! 1.0

// Unsafe: the raw request value is copied straight into $sectionid
if ( !$sectionid && @$_POST['filter_sectionid'] ) {
    $sectionid = $_POST['filter_sectionid'];
}

This style of code is a source of potential injection. You should use mosGetParam with a default, e.g.:

$filter_sectionid= mosGetParam( $_POST, 'filter_sectionid', 0 );

If you are expecting an integer you could use:

$filter_sectionid= intval( mosGetParam( $_POST, 'filter_sectionid' ) );

If it's text to be later used in a query you should also do the following:

$filter_sectionid = mosGetParam( $_POST, 'filter_sectionid', '' );
// escape the value before placing it in a query...
$filter_sectionid = $database->getEscaped( $filter_sectionid );
// ...or escape and quote it in one step
$filter_sectionid = $database->Quote( $filter_sectionid );

We should never see @$_GET, @$_POST, etc. used directly in the code.

By default, mosGetParam trims the input and strips HTML from it, which makes it reasonably safe to use in most places (but not in database queries).
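The following script is an added example and not part of the original page or of Joomla! itself. It puts the unsafe pattern and the recommended pattern (default value, intval for the integer case, Quote for text that reaches a query) side by side on a constructed $_POST array. Because mosGetParam and $database only exist inside Joomla! 1.0, the script defines simplified stand-ins for them (an assumption made so it runs offline; the real getEscaped escapes through the MySQL driver, not addslashes).

```php
<?php
// Added example: offline model of the pattern recommended on the page.
// mosGetParam() and $database are Joomla! 1.0 globals; the versions below
// are simplified stand-ins (assumption) so the script runs without Joomla.

// Stand-in for Joomla! 1.0's mosGetParam(): returns $def when the key is
// absent, otherwise trims the value and strips HTML from it.
function mosGetParam( &$arr, $name, $def = null ) {
    if ( !isset( $arr[$name] ) ) {
        return $def;
    }
    $value = $arr[$name];
    if ( is_array( $value ) ) {
        // clean arrays element by element
        return array_map( 'strip_tags', array_map( 'trim', $value ) );
    }
    return strip_tags( trim( $value ) );
}

// Stand-in for $database->getEscaped() / ->Quote(). Real Joomla! 1.0
// escapes via the database driver; addslashes() is a demo placeholder.
class DemoDatabase {
    function getEscaped( $text ) {
        return addslashes( $text );
    }
    function Quote( $text ) {
        return '\'' . $this->getEscaped( $text ) . '\'';
    }
}

// The unsafe style from the page: the raw request value is concatenated
// into SQL, so anything the client sends becomes part of the query.
function unsafe_where( $post ) {
    $sectionid = 0;
    if ( !$sectionid && @$post['filter_sectionid'] ) {
        $sectionid = $post['filter_sectionid'];
    }
    return "WHERE sectionid = $sectionid";
}

// The recommended style: a default, intval() for the integer filter, and
// Quote() for the text filter before it reaches the query.
function safe_where( $post, &$database ) {
    $filter_sectionid = intval( mosGetParam( $post, 'filter_sectionid', 0 ) );
    $filter_title     = mosGetParam( $post, 'filter_title', '' );

    $where = array();
    if ( $filter_sectionid ) {
        $where[] = "sectionid = $filter_sectionid";
    }
    if ( $filter_title != '' ) {
        $where[] = 'title LIKE ' . $database->Quote( '%' . $filter_title . '%' );
    }
    return count( $where ) ? 'WHERE ' . implode( ' AND ', $where ) : '';
}

// Constructed sample request: a non-numeric section id and a title
// containing markup, surrounding whitespace and a quote character.
$post = array(
    'filter_sectionid' => '3 OR 1=1',
    'filter_title'     => "  <b>News</b> O'Brien ",
);
$database = new DemoDatabase();

echo "Unsafe: ", unsafe_where( $post ), "\n";
echo "Safe:   ", safe_where( $post, $database ), "\n";
```

Running it shows the unsafe clause carrying the client's text verbatim, while the safe clause contains only the integer part of the section id and a trimmed, tag-free, escaped title. The check to add in real code is the same as the page's advice: never read a request key without a default, and never let a string reach $database without getEscaped or Quote.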