Difference between revisions of "Retrieving and Filtering GET and POST requests with JRequest::getVar"

Revision as of 15:23, 3 February 2013

The "J1.5" namespace is an archived namespace. This page contains information for a Joomla! version which is no longer supported. It exists only as a historical reference, it will not be improved and its content may be incomplete and/or contain broken links.

General Information

When writing any web application, it is crucial that you filter input data before using it. Joomla! provides a filtering library to help you accomplish this.

You can access the filtered request data using the JRequest class. Even though PHP allows you to access the data from the request using the superglobal arrays $_GET, $_POST and $_REQUEST, it is highly recommended to use JRequest instead of these superglobals. By using JRequest properly, you make sure that the data has the right format and its default value makes sense. This can prevent serious security holes such as SQL injection vulnerabilities.

Defined in[edit]

libraries\joomla\environment\request.php

Methods[edit]

'getVar'[edit]

To retrieve GET/POST request data, Joomla! uses the getVar method of the JRequest class (JRequest::getVar()).

Retrieving Data

If you have a form variable named 'address', you would want to use this code to get it:

$address = JRequest::getVar('address');

Unless other parameters are set, all HTML and trailing whitespace will be filtered out.

The DEFAULT Parameter

If you want to specify a default value in the event that 'address' is not in the request or is unset, use this code:

$address = JRequest::getVar('address', 'Address is empty');
echo $address;  // Address is empty

The SOURCE Parameter

Frequently, you will expect your variable to be found in a specific portion of the HTTP request (POST, GET, etc...). If this is the case, you should specify which portion; this will slightly increase your extension's security. If you expect 'address' to only be in POST, use this code to enforce that:

$address = JRequest::getVar('address', 'default value goes here', 'post');

The VARIABLE TYPE Parameter

The fourth parameter of getVar() can be used to specify certain filters to force validation of specific value types for the variable.

$address = JRequest::getVar('address', 'default value goes here', 'post','variable type');

Here is a list of types you can validate:

INT
INTEGER
FLOAT
DOUBLE
BOOL
BOOLEAN
WORD
ALNUM
CMD
BASE64
STRING
ARRAY
PATH
USERNAME

The FILTER MASK Parameter

Finally, there are some mask constants you can pass in as the fifth parameter that allow you to bypass portions of the filtering:

$address = JRequest::getVar('address', 'default value goes here', 'post','validation type',mask type);

JREQUEST_NOTRIM - prevents trimming of whitespace
JREQUEST_ALLOWRAW - bypasses filtering
JREQUEST_ALLOWHTML - allows most HTML. If this is not passed in, HTML is stripped out by default.

Note. These are static variables not strings. Do not use quotes around them

'get'[edit]

To receive a whole array filtered. If you would want to get the POST data, you can use this.

JRequest::get( 'post' )

This returns the standard POST array. You can use it on a template page if needed, or in the models section if convenient. It returns the most recent POST. Methods of this object were not found in the Framework section where one would expect to find them.

@@ Line 1: / Line 1: @@
-{{stub}}
+{{Notice|In Joomla! 2.5 {{JVer|2.5}} and newer, <code>JRequest</code> has been superseded by <code>JInput</code>. See [[Retrieving request data using JInput]].}}
+When writing any web application, it is crucial that you filter input data before using it. Joomla! provides a filtering library to help you accomplish this.
-== Summary ==
+You can access the filtered request data using the <code>JRequest</code> class. Even though PHP allows you to access the data from the request using the superglobal arrays <code>$_GET</code>, <code>$_POST</code> and <code>$_REQUEST</code>, it is highly recommended to use <code>JRequest</code> '''instead of''' these superglobals. By using <code>JRequest</code> properly, you make sure that the data has the right format and its default value makes sense. This can prevent serious security holes such as SQL injection vulnerabilities.
-When writing any web application, it is crucial that you filter input data before using it. Joomla! provides a set of filtering libraries to help you accomplish this.
+===Defined in===
+libraries\joomla\environment\request.php
+==Methods==
-== JRequest 'getVar' method ==
+=== 'getVar' ===
 To retrieve GET/POST request data, Joomla! uses the getVar method of the JRequest class (JRequest::getVar()).
@@ Line 13: / Line 16: @@
 If you have a form variable named 'address', you would want to use this code to get it:
+<source lang="php">
-''EXAMPLE:''
-<pre>
 $address = JRequest::getVar('address');
-</pre>
+</source>
 Unless other parameters are set, all HTML and trailing whitespace will be filtered out.
@@ Line 25: / Line 26: @@
 If you want to specify a default value in the event that 'address' is not in the request or is unset, use this code:
-<pre>
+<source lang="php">
 $address = JRequest::getVar('address', 'Address is empty');
 echo $address;  // Address is empty
-</pre>
+</source>
 '''The SOURCE Parameter'''
@@ Line 34: / Line 35: @@
 Frequently, you will expect your variable to be found in a specific portion of the HTTP request (POST, GET, etc...). If this is the case, you should specify which portion; this will slightly increase your extension's security. If you expect 'address' to only be in POST, use this code to enforce that:
-''EXAMPLE:''
+<source lang="php">
-<pre>
 $address = JRequest::getVar('address', 'default value goes here', 'post');
-</pre>
+</source>
 '''The VARIABLE TYPE Parameter'''
@@ Line 43: / Line 43: @@
 The fourth parameter of getVar() can be used to specify certain filters to force validation of specific value types for the variable.
-''EXAMPLE:''
+<source lang="php">
-<pre>
 $address = JRequest::getVar('address', 'default value goes here', 'post','variable type');
-</pre>
+</source>
 Here is a list of types you can validate:
@@ Line 68: / Line 67: @@
 Finally, there are some mask constants you can pass in as the fifth parameter that allow you to bypass portions of the filtering:
-''EXAMPLE:''
+<source lang="php">
-<pre>
+$address = JRequest::getVar('address', 'default value goes here', 'post','validation type',mask type);
-$address = JRequest::getVar('address', 'default value goes here', 'post','validation type','mask type');
+</source>
-</pre>
 *JREQUEST_NOTRIM - prevents trimming of whitespace
@@ Line 77: / Line 75: @@
 *JREQUEST_ALLOWHTML - allows most HTML. If this is not passed in, HTML is stripped out by default.
-== Definition ==
+Note. These are static variables not strings. Do not use quotes around them
-The class JRequest is defined in the following location.
-libraries\joomla\environment\request.php
-The JRequest api page can be found here.
+=== 'get' ===
+To receive a whole array filtered. If you would want to get the POST data, you can use this.
+<source lang="php">JRequest::get( 'post' )</source>
+<nowiki>This returns the standard POST array.  You can use it on a template page if needed, or in the models section if convenient. It returns the most recent POST.
+Methods of this object were not found in the Framework section where one would expect to find them. </nowiki>
-[[http://api.joomla.org/Joomla-Framework/Environment/JRequest.html]]
+==See also==
+* [http://api.joomla.org/1.5/Joomla-Framework/Environment/JRequest.html JRequest on api.joomla.org]
+* [[JURI]]
+* [[JRoute]]
 [[Category:Development]]

J1.5

Difference between revisions of "Retrieving and Filtering GET and POST requests with JRequest::getVar"

From Joomla! Documentation

Revision as of 15:23, 3 February 2013

Contents

Defined in[edit]

Methods[edit]

'getVar'[edit]

'get'[edit]

See also[edit]