Retrieving and Filtering GET and POST requests with JRequest::getVar

Revision as of 01:28, 18 April 2009

Summary

When writing any web application, it is crucial that you filter input data before using it. Joomla! provides a set of filtering libraries to help you accomplish this.

JRequest 'getVar' method

To retrieve GET/POST request data, Joomla! uses the getVar method of the JRequest class (JRequest::getVar()).

Retrieving Data

If you have a form variable named 'address', you would want to use this code to get it:

EXAMPLE:

$address = JRequest::getVar('address');

Unless other parameters are set, all HTML and trailing whitespace will be filtered out.

The DEFAULT Parameter

If you want to specify a default value in the event that 'address' is not in the request or is unset, use this code:

$address = JRequest::getVar('address', 'Address is empty');
echo $address;  // Address is empty

EXAMPLE: The SOURCE Parameter

Frequently, you will expect your variable to be found in a specific portion of the HTTP request (POST, GET, etc...). If this is the case, you should specify which portion; this will slightly increase your extension's security. If you expect 'address' to only be in POST, use this code to enforce that:

EXAMPLE:

$address = JRequest::getVar('address', 'default value goes here', 'post');

VARIABLE TYPE Parameter

The fourth parameter of getVar() can be used to specify certain filters to force validation of specific value types for the variable.

EXAMPLE:

$address = JRequest::getVar('address', 'default value goes here', 'post','variable type');

Here is a list of types you can validate:

INT
INTEGER
FLOAT
DOUBLE
BOOL
BOOLEAN
WORD
ALNUM
CMD
BASE64
STRING
ARRAY
PATH
USERNAME

FILTER MASK Parameter

Finally, there are some mask constants you can pass in as the fifth parameter that allow you to bypass portions of the filtering: EXAMPLE:

$address = JRequest::getVar('address', 'default value goes here', 'post','validation type','mask type');

JREQUEST_NOTRIM - prevents trimming of whitespace
JREQUEST_ALLOWRAW - bypasses filtering
JREQUEST_ALLOWHTML - allows most HTML. If this is not passed in, HTML is stripped out by default.

For more information: Joomla! API [[1]]

Definition

The class JRequest is defined in the following location.

libraries\joomla\environment\request.php

@@ Line 7: / Line 7: @@
-== JRequest functions ==
+== JRequest 'getVar' method ==
+To retrieve GET/POST request data, Joomla! uses the getVar method of the JRequest class (JRequest::getVar()).
-Under most circumstances, you will want to use member functions the JRequest class to get request variables. The most common case is when you want to use a specific variable found in either the GET or POST portion of the HTTP request. If you have a form variable named 'address', you would want to use this code to get it:
+'''Retrieving Data'''
+If you have a form variable named 'address', you would want to use this code to get it:
+''EXAMPLE:''
 <pre>
 $address = JRequest::getVar('address');
 </pre>
-By setting $address this way, getVar() strips out all HTML and trailing whitespace. If you want to specify a default value in the event that 'address' is not in the request or is unset, use this code:
+Unless other parameters are set, all HTML and trailing whitespace will be filtered out.
+'''The DEFAULT Parameter'''
+If you want to specify a default value in the event that 'address' is not in the request or is unset, use this code:
 <pre>
-$address = JRequest::getVar('address', 'default value goes here');
+$address = JRequest::getVar('address', 'Address is empty');
+echo $address;  // Address is empty
 </pre>
+''EXAMPLE:''
+'''The SOURCE Parameter'''
 Frequently, you will expect your variable to be found in a specific portion of the HTTP request (POST, GET, etc...). If this is the case, you should specify which portion; this will slightly increase your extension's security. If you expect 'address' to only be in POST, use this code to enforce that:
+''EXAMPLE:''
 <pre>
 $address = JRequest::getVar('address', 'default value goes here', 'post');
 </pre>
-The fourth parameter of getVar() can be used to specify certain filters to force validation of specific value types for the variable. Here is a list of types you can validate:
+'''VARIABLE TYPE Parameter'''
+The fourth parameter of getVar() can be used to specify certain filters to force validation of specific value types for the variable.
+''EXAMPLE:''
+<pre>
+$address = JRequest::getVar('address', 'default value goes here', 'post','variable type');
+</pre>
+Here is a list of types you can validate:
 *INT
@@ Line 43: / Line 65: @@
 *PATH
 *USERNAME
+'''FILTER MASK Parameter'''
 Finally, there are some mask constants you can pass in as the fifth parameter that allow you to bypass portions of the filtering:
+''EXAMPLE:''
+<pre>
+$address = JRequest::getVar('address', 'default value goes here', 'post','validation type','mask type');
+</pre>
 *JREQUEST_NOTRIM - prevents trimming of whitespace
 *JREQUEST_ALLOWRAW - bypasses filtering
 *JREQUEST_ALLOWHTML - allows most HTML. If this is not passed in, HTML is stripped out by default.
+----
+For more information:
+Joomla! API [[http://api.joomla.org/Joomla-Framework/Environment/JRequest.html]]
 == Definition ==

Retrieving and Filtering GET and POST requests with JRequest::getVar

Revision as of 01:28, 18 April 2009

Summary

JRequest 'getVar' method

Definition

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Joomla! Sites

Toolbox