Initialising request variables the correct way

From Joomla! Documentation

Revision as of 19:12, 9 May 2008 by Maintenance script


Initialising variables the correct way (because of globals.php)

if ( !$sectionid && @$_POST['filter_sectionid'] ) {
    $sectionid = $_POST['filter_sectionid'];
}

This style of code is a source of potential injection. You should use mosGetParam with a default, e.g.:

$filter_sectionid= mosGetParam( $_POST, 'filter_sectionid', 0 );

If you are expecting an integer you could use:

$filter_sectionid= intval( mosGetParam( $_POST, 'filter_sectionid' ) );

If it's text to be later used in a query you should also do the following:

$filter_sectionid = mosGetParam( $_POST, 'filter_sectionid', '' );
$filter_sectionid = $database->getEscaped( $filter_sectionid );
// or
$filter_sectionid = $database->Quote( $filter_sectionid );

We should never ever see the use of @$_GET or @$_POST, etc., in the code.

By default, mosGetParam trims the input and strips HTML out of it, which makes it quite safe to use in most places (except in database queries, where it must still be escaped or cast as shown above).
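To make the difference between the two patterns concrete, here is an added example that is not Joomla's own code: getParamStandIn is a hypothetical stand-in mirroring the documented default behaviour of mosGetParam (trim, strip HTML, fall back to the default when the key is missing), and addslashes stands in for $database->getEscaped() so the script runs without a database. Real code should call the framework's mosGetParam() and $database->getEscaped()/Quote().

```php
<?php
// Stand-in for mosGetParam (assumption: not the framework's own function).
// Returns $default when the key is absent, otherwise the value trimmed and
// with HTML tags stripped, as the page describes for mosGetParam's default.
function getParamStandIn(array $arr, string $name, $default = null)
{
    if (!isset($arr[$name])) {
        return $default;
    }
    return trim(strip_tags((string) $arr[$name]));
}

// Constructed request bodies: one clean, one hostile, one missing the key.
$requests = [
    'clean'   => ['filter_sectionid' => '12'],
    'hostile' => ['filter_sectionid' => " 12 <script>alert(1)</script>' OR 1=1 -- "],
    'missing' => [],
];

foreach ($requests as $label => $post) {
    // The pattern the page warns against: a raw copy of whatever was posted,
    // which later ends up in a query or in page output unchanged.
    $raw = $post['filter_sectionid'] ?? null;

    // Recommended when an integer is expected: default, then intval().
    // The hostile input collapses to 12; the missing key yields 0.
    $id = intval(getParamStandIn($post, 'filter_sectionid', 0));

    // Recommended for text destined for SQL: default, then escape
    // (addslashes is a stand-in for $database->getEscaped()).
    $text = addslashes(getParamStandIn($post, 'filter_sectionid', ''));

    printf(
        "%-8s raw=%s int=%d text=%s\n",
        $label,
        var_export($raw, true),
        $id,
        var_export($text, true)
    );
}
```

Run it with the PHP CLI; the hostile row shows the script tag removed and the quote escaped, while the raw column still carries the untouched payload.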
