Dev & Tech Notes
Terms & Conditions ©2005-2024 TJohns.co
Articles in this Category
- Apple -vs- FBI... will this determine the future of cyber crime?
- Force HTTPS for Site with an SSL
- Getting Variables from URLs in Joomla
- Let's Encrypt at SSL for Free [ZeroSSL is Garbage]
- Secure way to work with the Database
- Security Procedures for Accessing Joomla Database
- Test Your Site for Malware
Top Left Text cha
Web & App Development
- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 1309
Usually your content management system will handle this, but if you by chance are hand-coding a site from scratch, you'll have to take care of the redirection from http to https to make sure the site is secure. Below is the code that needs to go in the .htaccess file.
RewriteEngine On
RewriteEngine OnRewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 1852
I've been using SSLforFree.com for a while now... for some of my sites and also my clients. It's cool that it's free, even though it only lasts for 3 months. Here's the problem...
They remind you when your certificate is about to expire. You get an email at midnight saying it will expire in 1 day. By the time you wake up, it's expired. If you have no traffic on your site, or very low traffic, it's probably not a big deal. However, if you do have traffic or regular visitors, you don't want the certificate to run out. What are you supposed to do? Get out of bed at midnight and update the certificate? I can't help but think that they know what's going on. They coded their own software most likely, so they have control over this. I don't know what their motive is behind making your certificates expire while giving you a false sense of security, but it must be something.
I still use the service, but I do NOT trust them to notify me when my certificate will expire. I use Google reminders/calendar to do that now. And I tell my clients to do the same since you can't trust their notifications.
- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 2726
Secure coding guidelines
reference: joomla.org
Joomla includes many features that help with the task of securing applications and extensions built on it. You should always use these features if at all possible as they have been tried and tested by the many eyes of the developer community and any updates that might conceivably be required in the future will be automatically available whenever a Joomla update is applied. What follows is a description of best practice in using the Joomla API to ensure that your extensions are as secure as possible.
Contents
[hide]
Getting data from the request
Starting with Joomla version 3.0, JInput should be used instead of JRequest.
All input originating from a user must be considered potentially dangerous and must be cleaned before being used. You should always use the Joomla JInput class to retrieve data from the request, rather than the raw $_GET, $_POST or $_REQUEST variables as the JInput methods apply input filtering by default. JInput deals with all aspects of the user request in a way that is independent of the request method used. It can also be used to retrieve cookie data and even server and environment variables. However, it is important to use the correct JInputmethod to ensure maximum security. It is very easy to just use the JInput->get method with default parameters and ignore the fact that in many cases it is possible to apply a more stringent requirement on user input.
It very important to understand that the JInput methods are not SQL-aware and further work is required to guard against SQL injection attacks.There is no default value that will be returned if no default is specified in the call theJInput->get. If no default is specified and the argument is not present in the request variable then it will return undefined.
Using JInput also obviates the need to pay attention to the setting of magic_quotes_gpc. JInput does the right thing, regardless of whether magic_quotes_gpc is on or off. Seehttp://php.net/manual/en/security.magicquotes.php for further information.
When considering user input you should think about the data type you are expecting to retrieve and apply the most stringent form of JInput that is applicable in each case. In particular, avoid the lazy approach of using JInput->get as this will return an array that may contain entries that you did not expect and although each of those entries will have been cleaned, it is often the case that additional filtering could have been applied to some individual arguments. For example, the get method treats all arguments as strings, whereas it may be possible to restrict some arguments to be integers.
The first three parameters of each of the JInput get methods are the same. Only the first parameter is mandatory. In general, the format is
JFactory::getApplication->input-><data-source>->get<type>( <name>, <default> )
where
<type> | the data type to be retrieved (see below for the types available). |
<name> | the name of the variable to be retrieved (for example, the name of an argument in a URL). |
<default> | the default value. |
<data-source> | specifies where the variable is to be retrieved from (see below). |
The following values for <data-source> are supported:
get | Data submitted in the query part of the URL. |
post | Data submitted from form fields. |
method | The same as either GET or POST depending on how the request was made. |
cookie | Data submitted in cookies. |
request | All the GET, POST and COOKIE data combined. This is the default. |
files | Information about files uploaded as part of a POST request. |
env | Environment variables (platform-specific). |
server | Web server variables (platform-specific). |
Notice that the default is REQUEST, which includes cookie data.
The following sections look at each of the data types in more detail.
Integer
The following will accept an integer. An integer can include a leading minus sign, but a plus sign is not permitted.
$integer = JFactory::getApplication->input->getInt( 'id' );
will return the value of the "id" argument from the request (which by default includes all GET, POST and COOKIE data). The default value is zero.
$integer = JFactory::getApplication->input->cookie->getInt( 'myId', 12 );
will return the value of the "myId" variable from a cookie, with a default value of 12.
Floating point number
A floating point number can include a leading minus sign, but not a plus sign. If the number includes a decimal point, then there must be at least one digit before the decimal point. For example,
$float = JFactory::getApplication->input->getFloat( 'price' );
will return the value of the 'price' argument from the request. The default is "0.0".
$float = JFactory::getApplication->input->post->getFloat( 'total', 100.00 );
will retrieve the value of the 'total' argument from a POST request (but not a GET), with a default value of 100.00.
Boolean value
Any non-zero value is regarded as being true; zero is false.
$boolean = JFactory::getApplication->input->getBool( 'show' );
will return false if the value of the 'show' argument in the request is zero, or 1 (true) if the argument is anything else. The default is false. Note that any string argument will result in a return value of true, so calling the above with a URL containing "?show=false" will actually return true!
$boolean = JFactory::getApplication->input->get->getBool( 'hide', true );
will retrieve the value of the 'hide' argument from a GET request (but not a POST), with a default value of true.
Word
A word is defined as being a string of alphabetic characters. The underscore character is permitted as part of a word.
$word = JFactory::getApplication->input->cookie->getWord( 'search-word' );
will retrieve the value of the 'search-word' argument from the request. The default is an empty string.
$word = JFactory::getApplication->input->cookie->getWord( 'keyword', '' );
will retrieve the value of the 'keyword' variable from a cookie, with the default being an empty string.
Command
A command is like a word but a wider range of characters is permitted. Allowed characters are: all alphanumeric characters, dot, dash (hyphen) and underscore.
$command = JFactory::getApplication->input->getCmd( 'option' );
will retrieve the value of the "option" argument from the request. The default value is an empty string.
$command = JFactory::getApplication->input->post->getCmd( 'controller', 'view' );
will retrieve the value of the "controller" argument from a POST request (but not a GET), with a default value of 'view'.
String
The string type allows a much wider range of input characters. It also takes an optional fourth argument specifying some additional mask options. See #Filter options for information on the available masks.
$string = JFactory::getApplication->input->getString( 'description' );
will retrieve the value of the "description" argument from the request. The default value is an empty string. The input will have whitespace removed from the left and right ends and any HTML tags will be removed.
$string = JFactory::getApplication->input->getString( 'text', '' );
will retrieve the value of the "text" argument from the request.. The default value is an empty string.
$string = JFactory::getApplication->input->getString( 'template', '<html />' );
will retrieve the value of the "template" argument from the request. The default value is '<html></html>'.
JSON String
$json = JFactory::getApplication->input->json->get( 'var_name' );
Generic and other data types
If the above methods do not meet your needs, there is a small number of additional filter types which you can use by calling the JInput->get method directly. The syntax is:
JFactory::getApplication->input->get( <name>, <default>, <type> );
where:
<name> | the name of the variable to be retrieved (for example, the name of an argument in a URL). |
<default> | the default value. There is no default value that will be returned if no default is specified in the call the JInput->get. If no default is specified and the argument is not present in the request variable then it will return undefined. |
<type> | specifies the data type expected (see below). |
The first three arguments are the same as for the more specific methods described earlier. Only the first argument is mandatory.
Allowed values of the <type>, which is case-insensitive, are as follows:
INT, INTEGER | Equivalent to JInput->getInt. |
UINT | Get an unsigned integer. Equivalent to JInput->getUint. |
FLOAT, DOUBLE | Equivalent to JInput->getFloat. |
BOOL, BOOLEAN | Equivalent to JInput->getBool. |
WORD | Equivalent to JInput->getWord. |
ALNUM | Allow only alphanumeric characters (a-z, A-Z, 0-9). Equivalent to JInput->getAlnum. |
CMD | Equivalent to JInput->getCmd. |
BASE64 | Allow only those characters that could be present in a base64-encoded string (ie. a-z, A-Z, 0-9, /, + and =). Equivalent to JInput->getBase64. |
STRING | Equivalent to JInput->getString. |
ARRAY | Source is not filtered but is cast to array type. |
HTML | A sanitised string. Equivalent to JInput->getHtml. |
PATH | Valid pathname regex that filters out common attacks. For example, any path beginning with a "/" will return an empty string. Simliarly, any path containing "/./" or "/../" will return an empty string. Dots within filenames are okay though. Equivalent to JInput->getPath. |
USERNAME | Removes control characters (0x00 - 0x1F), 0x7F, <, >, ", ', % and &. Equivalent to JInput->getUsername. |
Filter options
All input values can be filtered using JFilterInput->clean.
Filter an array of values.
$data = JFactory::getApplication()->input->post->get('data', array(), 'array'); $filter = JFilterInput::getInstance(); foreach ($data as $value) { $array[] = $filter->clean($value, 'string'); }
For more filter types see JFilterInput source.
Options listed bellow available only in deprecated JRequest library. Allowed values of <options> are as follows (none of these are applied by default):
JREQUEST_NOTRIM | Does not remove whitespace from the start and ends of strings. |
JREQUEST_ALLOWRAW | Does not do any filtering at all. Use with extreme caution. |
JREQUEST_ALLOWHTML | Does not remove HTML from string inputs. |
Masks can be combined by logically OR'ing them. If no filter options are specified, then by default, whitespace is trimmed and HTML is removed.
File uploads
Web servers already have a good deal of security around handling file uploads, but it is still necessary to take additional steps to ensure that file names and paths cannot be abused. A simplified form which requests a file to be uploaded looks like this:
<form action="index.php?option=com_mycomponent/form_handler.php" method="post" enctype="multipart/form-data"> <input type="file" name="Filedata" /> <input type="submit" /> </form>
On clicking the submit button, the browser will upload the file in a POST request, passing control to Joomla which will call "components/com_mycomponent/form_handler.php". This will include code like the following. The variable $somepath must be set to some path where the web server has permission to create files.
// Check to ensure this file is included in Joomla! defined('_JEXEC') or die( 'Restricted access' ); // Get the file data array from the request. $file = JFactory::getApplication->input->get( 'Filedata', '', 'files', 'array' ); // Make the file name safe. jimport('joomla.filesystem.file'); $file['name'] = JFile::makeSafe($file['name']); // Move the uploaded file into a permanent location. if (isset( $file['name'] )) { // Make sure that the full file path is safe. $filepath = JPath::clean( $somepath.'/'.strtolower( $file['name'] ) ); // Move the uploaded file. JFile::upload( $file['tmp_name'], $filepath ); }
Saving a request variable into user state
Because setting a user state variable from a variable in the request is such a common operation, there is an API method to make the task easier. This is generally safe to use because it calls JInput->get to obtain the input from the request, but remember that none of the input filtering calls will protect against SQL injection attempts.
$app = JFactory::getApplication(); $app->getUserStateFromRequest( <key>, <name>, <default>, <type> );
where
<key> | the name of the variable in the user state. |
<name> | the name of the request variable (same as the first argument of a JInput->get call). |
<default> | the default value to be assigned to the user state variable if the request variable is absent. The default is null. |
<type> | the type of variable expected. |
For example, getting an integer variable called 'id' from the request with a default value of 0, then saving it into a session variable called 'myid' can be done like this:
$app = JFactory::getApplication(); $app->getUserStateFromRequest( 'myid', 'id, 0, 'int' );
instead of something like this:
$app = JFactory::getApplication(); $app->setUserState( 'myid', $app->input->getInt( 'id', 0 ) );
Constructing SQL queries
One of the most common forms of attack on web applications is SQL injection, where the aim of the attacker is to change a database query by exploiting a poorly filtered input variable. Injecting modified SQL statements into the database can damage data or reveal private information. It is important to ensure that when SQL statements are constructed, they are correctly escaped and quoted so that bad input data cannot result in a bad SQL statement. You cannot rely on the JInput methods to do this as they are not SQL-aware.
Secure integers and the rest of numeric values
With the MySQL database, numeric fields should not be quoted, so it is important that they be typecast instead. Failure to do this will leave your code vulnerable to an attacker inserting a string containing SQL data.
Depending on the type, numeric types are cast like this:
// For SQL data types: INT, INTEGER, TINYINT, SMALLINT, MEDIUMINT, BIGINT, YEAR $query = 'SELECT * FROM #__table WHERE `id`=' . (int) $id; // For SQL data types: FLOAT, DOUBLE $query = 'SELECT * FROM #__table WHERE `id`=' . (float) $id;
It's a good idea to get into the habit of always typecasting integers like this even if the variable was previously obtained using [[Further information on SQL injection attacks can be found here: http://php.net/manual/en/security.database.sql-injection.php and here: JInput->getInt.
Secure strings
In the examples that follow it is assumed that $db is an instance of a Joomla database object. This can always be obtained from JFactory using
$db = JFactory::getDBO();
Strings should always be escaped before being used in an SQL statement. This is actually very simple as the JDatabase->quote method escapes everything for you. You can also use the JDatabase->escape method directly. The following statements are equivalent:
$query = 'SELECT * FROM #__table WHERE `field` = ' . $db->quote( $db->escape( $field ), false ); $query = 'SELECT * FROM #__table WHERE `field` = ' . $db->quote( $field );
Secure on search
Special attention should be paid to LIKE clauses which contain the % wildcard character as these require special escaping in order to avoid possible denial of service attacks. LIKE clauses can be handled like this:
// Construct the search term by escaping the user-supplied string and, if required, adding the % wildcard characters manually. $search = '%' . $db->escape( $search, true ) . '%' ); // Construct the SQL query, being careful to suppress the default behaviour of Quote so as to prevent double-escaping. $query = 'SELECT * FROM #__table WHERE `field` LIKE ' . $db->quote( $search, false );
Secure dates
If data is to be entered into a datetime column then you can use the Joomla API to ensure a valid date format:
$date = JFactory::getDate( $mydate ); $query = 'UPDATE #__table SET `date` = ' . $db->quote( $date->toMySQL(), false );
Note that it is necessary to suppress database escaping as legitimate dates may contain characters that should not be escaped.
Secure field names
In the comparatively rare case where a field name is a variable, that should also be quoted using an API call:
$query = 'SELECT * FROM #__table WHERE ' . $db->quoteName( $field-name ) . '=' . $db->quote( $field-value );
Secure arrays of integers
When you have an array of ids, typically used for IN() queries, you have to sanitise it also with JArrayHelper::toInteger($cid); before imploding:
... JArrayHelper::toInteger($catId); $query->where($db->quoteName('x.category_id') . ' IN (' . implode(',', $catId) . ')');
Short aliases of Quote and QuoteName
Shorter alternatives to the quote methods may also be used. The following statements are equivalent:
$query = 'SELECT * FROM #__table WHERE ' . $db->quoteName( $field-name ) . '=' . $db->quote( $field-value ); $query = 'SELECT * FROM #__table WHERE ' . $db->qn( $field-name ) . '=' . $db->q( $field-value );
Securing forms
Apart from cleaning input variables as described above, you can also implement a simple technique which makes it more difficult for a cross-site request forgery attack (CSRF) to succeed. This involves adding a randomly-generated unique token to the form which is checked against a copy of the token held in the user's session. By checking that the submitted token matches the one contained in the stored session, it is possible to tie a rendered form to the request variables presented.
In POST forms you should add a hidden token field using:
echo JHTML::_( 'form.token' );
This outputs the token as a hidden form field looking like this:
<input type="hidden" name="8cb24ae69ffd7828ccecbcf06056e6fc" value="1" />
and places a copy of the token into the user's session, for later checking.
If you need to add the token to a URL rather than a form then you can use something like this:
echo JRoute::_( 'index.php?option=com_mycomponent&' . JSession::getFormToken() . '=1' );
In the most common scenario, you will want to check the token following a POST to the form handler. This can be done by adding this line of code to form handler:
JSession::checkToken() or die( JText::_( 'Invalid Token' ) );
If you need to pass the token in a GET request then you can check it like this:
JSession::checkToken( 'get' ) or die( JText::_( 'Invalid Token' ) );
In both cases the code will die if the token is omitted from the request, or the submitted token does not match the session token. If the token is correct but has expired, then JSession::checkToken will automatically redirect to the site front page.
Cleaning filesystem paths
If there is any possibility that a filesystem path might be constructed using data that originated from user input, then the path must be cleaned and checked before being used. This can be done quite simply like this:
JPath::check( $path );
This will raise an error and terminate Joomla if the path contains a ".." or leads to a location outside the Joomla root directory. If you want to deal with the error yourself without terminating the application, then you can use code like this:
$path = JPath::clean( $path ); if (strpos( $path, JPath::clean( JPATH_ROOT ) ) !== 0) { // Handle the error here. }
The JPath:clean method can be used in your own code too. It merely removes leading and trailing whitespace and replace double slashes and backslashes with the standard directory separator.
Cleaning filesystem file names
As with filesystem paths, if there is any possibility that a file name might be constructed using user-originated data, then the file name must be cleaned and checked before use. This can be done like this:
jimport('joomla.filesystem.file'); $clean = JFile::makeSafe( $unclean );
This method removes sequences of two or more "." characters and any character that is not alphabetic, numeric or a dot, dash or underscore character. If there is a leading dot then that is removed too.
- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 1913
So do you help protect the world against cyber terrorism or satisfy around a dozen ignorant families in San Bernardino? This could also just be a ploy for the U.S. Government to get their hands on the 'key' to unlocking iPhones... and eventally Androids or ANY phone. Scary thought.
I'm on Apple's side, Google's side, Facebook's side, Twitter's side, and the list keeps going. I don't think there's a tech company that could ethically be on the side of the FBI. With the exception of Microsoft, who said they were on the government's side for a week then changed their mind. But that's typical of Microsoft... they're more about the money and politics than they are about the ethics - of pretty much any matter.
- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 2637
Google Search Console
This used to be Google Webmaster Tools, by the way. Google is pretty quick about noticing malware on your website. Of course, they'll remove it from their search results, but at least they will also tell you about it in the Search Console.Sucuri Free Website Malware & Security Scanner
This is my favorite... that's why I don't mention any others. There may be better solutions, but Sucuri seems to be pretty comprehensive. If you go straight to their website, though, there is no mention of a free malware scan. You have to either search Google to find it or you can go straight here: https://sitecheck.sucuri.net/- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 2604
Secure integers and the rest of numeric values
With the MySQL database, numeric fields should not be quoted, so it is important that they be typecast instead. Failure to do this will leave your code vulnerable to an attacker inserting a string containing SQL data.
Depending on the type, numeric types are cast like this:
// For SQL data types: INT, INTEGER, TINYINT, SMALLINT, MEDIUMINT, BIGINT, YEAR $query = 'SELECT * FROM #__table WHERE `id`=' . (int) $id; // For SQL data types: FLOAT, DOUBLE $query = 'SELECT * FROM #__table WHERE `id`=' . (float) $id;
Secure strings
In the examples that follow it is assumed that $db is an instance of a Joomla database object. This can always be obtained from JFactory using
$db = JFactory::getDBO();
Strings should always be escaped before being used in an SQL statement. This is actually very simple as the JDatabase->quote method escapes everything for you. You can also use the JDatabase->escape method directly. The following statements are equivalent:
$query = 'SELECT * FROM #__table WHERE `field` = ' . $db->quote( $db->escape( $field ), false ); $query = 'SELECT * FROM #__table WHERE `field` = ' . $db->quote( $field );
Secure on search
Special attention should be paid to LIKE clauses which contain the % wildcard character as these require special escaping in order to avoid possible denial of service attacks. LIKE clauses can be handled like this:
// Construct the search term by escaping the user-supplied string and, if required, adding the % wildcard characters manually. $search = '%' . $db->escape( $search, true ) . '%' ); // Construct the SQL query, being careful to suppress the default behaviour of Quote so as to prevent double-escaping. $query = 'SELECT * FROM #__table WHERE `field` LIKE ' . $db->quote( $search, false );
Secure dates
If data is to be entered into a datetime column then you can use the Joomla API to ensure a valid date format:
$date = JFactory::getDate( $mydate ); $query = 'UPDATE #__table SET `date` = ' . $db->quote( $date->toMySQL(), false );
Note that it is necessary to suppress database escaping as legitimate dates may contain characters that should not be escaped.
Secure field names
In the comparatively rare case where a field name is a variable, that should also be quoted using an API call:
$query = 'SELECT * FROM #__table WHERE ' . $db->quoteName( $field-name ) . '=' . $db->quote( $field-value );
Secure arrays of integers
When you have an array of ids, typically used for IN() queries, you have to sanitise it also with JArrayHelper::toInteger($cid); before imploding:
... JArrayHelper::toInteger($catId); $query->where($db->quoteName('x.category_id') . ' IN (' . implode(',', $catId) . ')');
Short aliases of Quote and QuoteName
Shorter alternatives to the quote methods may also be used. The following statements are equivalent:
$query = 'SELECT * FROM #__table WHERE ' . $db->quoteName( $field-name ) . '=' . $db->quote( $field-value ); $query = 'SELECT * FROM #__table WHERE ' . $db->qn( $field-name ) . '=' . $db->q( $field-value );
Securing forms
Apart from cleaning input variables as described above, you can also implement a simple technique which makes it more difficult for a cross-site request forgery attack (CSRF) to succeed. This involves adding a randomly-generated unique token to the form which is checked against a copy of the token held in the user's session. By checking that the submitted token matches the one contained in the stored session, it is possible to tie a rendered form to the request variables presented.
In POST forms you should add a hidden token field using:
echo JHTML::_( 'form.token' );
This outputs the token as a hidden form field looking like this:
<input type="hidden" name="8cb24ae69ffd7828ccecbcf06056e6fc" value="1" />
and places a copy of the token into the user's session, for later checking.
If you need to add the token to a URL rather than a form then you can use something like this:
echo JRoute::_( 'index.php?option=com_mycomponent&' . JSession::getFormToken() . '=1' );
In the most common scenario, you will want to check the token following a POST to the form handler. This can be done by adding this line of code to form handler:
JRequest::checkToken() or die( JText::_( 'Invalid Token' ) );
If you need to pass the token in a GET request then you can check it like this:
JRequest::checkToken( 'get' ) or die( JText::_( 'Invalid Token' ) );
In both cases the code will die if the token is omitted from the request, or the submitted token does not match the session token. If the token is correct but has expired, then JRequest::checkToken will automatically redirect to the site front page.
Cleaning filesystem paths
If there is any possibility that a filesystem path might be constructed using data that originated from user input, then the path must be cleaned and checked before being used. This can be done quite simply like this:
JPath::check( $path );
This will raise an error and terminate Joomla if the path contains a ".." or leads to a location outside the Joomla root directory. If you want to deal with the error yourself without terminating the application, then you can use code like this:
$path = JPath::clean( $path ); if (strpos( $path, JPath::clean( JPATH_ROOT ) ) !== 0) { // Handle the error here. }
The JPath:clean method can be used in your own code too. It merely removes leading and trailing whitespace and replace double slashes and backslashes with the standard directory separator.
Cleaning filesystem file names
As with filesystem paths, if there is any possibility that a file name might be constructed using user-originated data, then the file name must be cleaned and checked before use. This can be done like this:
jimport('joomla.filesystem.file'); $clean = JFile::makeSafe( $unclean );
This method removes sequences of two or more "." characters and any character that is not alphabetic, numeric or a dot, dash or underscore character. If there is a leading dot then that is removed too.
- Details
- Written by Timothy Johns
- Category: Website Security
- Hits: 3081
If you want to get the item variable from /category/?item=Shoes
You can request the string via...
$item = JRequest::getString('item');
There are also other types and options available. The following is from Joomla.org:
The first three parameters of each of the JRequest get methods are the same. Only the first parameter is mandatory. In general, the format is
JRequest::get<type>( <name>, <default>, <data-source> )
where
<type> | the data type to be retrieved (see below for the types available). |
<name> | the name of the variable to be retrieved (for example, the name of an argument in a URL). |
<default> | the default value. |
<data-source> | specifies where the variable is to be retrieved from (see below). |
The following values for <data-source> are supported:
GET | Data submitted in the query part of the URL. |
POST | Data submitted from form fields. |
METHOD | The same as either GET or POST depending on how the request was made. |
COOKIE | Data submitted in cookies. |
REQUEST | All the GET, POST and COOKIE data combined. This is the default. |
FILES | Information about files uploaded as part of a POST request. |
ENV | Environment variables (platform-specific). |
SERVER | Web server variables (platform-specific). |
Notice that the default is REQUEST, which includes cookie data.
The following sections look at each of the data types in more detail.
Integer
The following will accept an integer. An integer can include a leading minus sign, but a plus sign is not permitted.
$integer = JRequest::getInt( 'id' );
will return the value of the "id" argument from the request (which by default includes all GET, POST and COOKIE data). The default value is zero.
$integer = JRequest::getInt( 'myId', 12, 'COOKIE' );
will return the value of the "myId" variable from a cookie, with a default value of 12.
Floating point number
A floating point number can include a leading minus sign, but not a plus sign. If the number includes a decimal point, then there must be at least one digit before the decimal point. For example,
$float = JRequest::getFloat( 'price' );
will return the value of the 'price' argument from the request. The default is "0.0".
$float = JRequest::getFloat( 'total', 100.00, 'POST' );
will retrieve the value of the 'total' argument from a POST request (but not a GET), with a default value of 100.00.
Boolean value
Any non-zero value is regarded as being true; zero is false.
$boolean = JRequest::getBool( 'show' );
will return false if the value of the 'show' argument in the request is zero, or 1 (true) if the argument is anything else. The default is false. Note that any string argument will result in a return value of true, so calling the above with a URL containing "?show=false" will actually return true!
$boolean = JRequest::getBool( 'hide', true, 'GET' );
will retrieve the value of the 'hide' argument from a GET request (but not a POST), with a default value of true.
Word
A word is defined as being a string of alphabetic characters. The underscore character is permitted as part of a word.
$word = JRequest::getWord( 'search-word' );
will retrieve the value of the 'search-word' argument from the request. The default is an empty string.
$word = JRequest::getWord( 'keyword', '', 'COOKIE' );
will retrieve the value of the 'keyword' variable from a cookie, with the default being an empty string.
Command
A command is like a word but a wider range of characters is permitted. Allowed characters are: all alphanumeric characters, dot, dash (hyphen) and underscore.
$command = JRequest::getCmd( 'option' );
will retrieve the value of the "option" argument from the request. The default value is an empty string.
$command = JRequest::getCmd( 'controller', 'view', 'POST' );
will retrieve the value of the "controller" argument from a POST request (but not a GET), with a default value of 'view'.
String
The string type allows a much wider range of input characters. It also takes an optional fourth argument specifying some additional mask options. See #Filter options for information on the available masks.
$string = JRequest::getString( 'description' );
will retrieve the value of the "description" argument from the request. The default value is an empty string. The input will have whitespace removed from the left and right ends and any HTML tags will be removed.
$string = JRequest::getString( 'text', '', 'METHOD', JREQUEST_NOTRIM );
will retrieve the value of the "text" argument from the request.. The default value is an empty string. Leading and trailing whitespace will not be removed.
$string = JRequest::getString( 'template', '<html />', 'METHOD', JREQUEST_ALLOWHTML );
will retrieve the value of the "template" argument from the request. The default value is '<html></html>'. Leading and trailing whitespace will be removed, but HTML will be permitted.
Generic and other data types
If the above methods do not meet your needs, there is a small number of additional filter types which you can use by calling the JRequest::getVar method directly. The syntax is:
JRequest::getVar( <name>, <default>, <data-source>, <type>, <options> );
where:
<name> | the name of the variable to be retrieved (for example, the name of an argument in a URL). |
<default> | the default value. There is no default value that will be returned if no default is specified in the call the JRequest::getVar. If no default is specified and the argument is not present in the request variable then it will return undefined. |
<data-source> | specifies where the variable is to be retrieved from (one of GET, POST, METHOD, COOKIE, REQUEST, ENV, SERVER; default is REQUEST). |
<type> | specifies the data type expected (see below). |
<options> | an optional bit-field used to specify options for some of the input filters (see below). |
The first three arguments are the same as for the more specific methods described earlier. Only the first argument is mandatory.
Allowed values of the <type>, which is case-insensitive, are as follows:
INT, INTEGER | Equivalent to JRequest::getInt. |
FLOAT, DOUBLE | Equivalent to JRequest::getFloat. |
BOOL, BOOLEAN | Equivalent to JRequest::getBool. |
WORD | Equivalent to JRequest::getWord. |
ALNUM | Allow only alphanumeric characters (a-z, A-Z, 0-9). |
CMD | Equivalent to JRequest::getCmd. |
BASE64 | Allow only those characters that could be present in a base64-encoded string (ie. a-z, A-Z, 0-9, /, + and =). |
STRING | Equivalent to JRequest::getString. |
ARRAY | Source is not filtered but is cast to array type. |
PATH | Valid pathname regex that filters out common attacks. For example, any path beginning with a "/" will return an empty string. Simliarly, any path containing "/./" or "/../" will return an empty string. Dots within filenames are okay though. |
USERNAME | Removes control characters (0x00 - 0x1F), 0x7F, <, >, ", ', % and &. |
Filter options
Allowed values of <options> are as follows (none of these are applied by default):
JREQUEST_NOTRIM | Does not remove whitespace from the start and ends of strings. |
JREQUEST_ALLOWRAW | Does not do any filtering at all. Use with extreme caution. |
JREQUEST_ALLOWHTML | Does not remove HTML from string inputs. |
Masks can be combined by logically OR'ing them. If no filter options are specified, then by default, whitespace is trimmed and HTML is removed.