Apparently reading request parameters straight from PHP's $_GET superglobal is not safe, because the values arrive unvalidated and unfiltered.

If you want to get the item variable from /category/?item=Shoes,

you can request it as a filtered string via:

$item = JRequest::getString('item');

There are also other types and options available. The following is from the Joomla.org documentation:

The first three parameters of each of the JRequest get methods are the same. Only the first parameter is mandatory. In general, the format is

    JRequest::get<type>( <name>, <default>, <data-source> )

where

<type> the data type to be retrieved (see below for the types available).
<name> the name of the variable to be retrieved (for example, the name of an argument in a URL).
<default> the default value.
<data-source> specifies where the variable is to be retrieved from (see below).

The following values for <data-source> are supported:

GET Data submitted in the query part of the URL.
POST Data submitted from form fields.
METHOD The same as either GET or POST depending on how the request was made.
COOKIE Data submitted in cookies.
REQUEST All the GET, POST and COOKIE data combined. This is the default.
FILES Information about files uploaded as part of a POST request.
ENV Environment variables (platform-specific).
SERVER Web server variables (platform-specific).

Notice that the default is REQUEST, which includes cookie data.

The following sections look at each of the data types in more detail.

Integer

The following will accept an integer. An integer can include a leading minus sign, but a plus sign is not permitted.

$integer = JRequest::getInt( 'id' );

will return the value of the "id" argument from the request (which by default includes all GET, POST and COOKIE data). The default value is zero.

$integer = JRequest::getInt( 'myId', 12, 'COOKIE' );

will return the value of the "myId" variable from a cookie, with a default value of 12.

Floating point number

A floating point number can include a leading minus sign, but not a plus sign. If the number includes a decimal point, then there must be at least one digit before the decimal point. For example,

$float = JRequest::getFloat( 'price' );

will return the value of the 'price' argument from the request. The default is "0.0".

$float = JRequest::getFloat( 'total', 100.00, 'POST' );

will retrieve the value of the 'total' argument from a POST request (but not a GET), with a default value of 100.00.

Boolean value

Any non-zero value is regarded as being true; zero is false.

$boolean = JRequest::getBool( 'show' );

will return false if the value of the 'show' argument in the request is zero, or 1 (true) if the argument is anything else. The default is false. Note that any string argument will result in a return value of true, so calling the above with a URL containing "?show=false" will actually return true!

$boolean = JRequest::getBool( 'hide', true, 'GET' );

will retrieve the value of the 'hide' argument from a GET request (but not a POST), with a default value of true.

Word

A word is defined as being a string of alphabetic characters. The underscore character is permitted as part of a word.

$word = JRequest::getWord( 'search-word' );

will retrieve the value of the 'search-word' argument from the request. The default is an empty string.

$word = JRequest::getWord( 'keyword', '', 'COOKIE' );

will retrieve the value of the 'keyword' variable from a cookie, with the default being an empty string.

Command

A command is like a word but a wider range of characters is permitted. Allowed characters are: all alphanumeric characters, dot, dash (hyphen) and underscore.

$command = JRequest::getCmd( 'option' );

will retrieve the value of the "option" argument from the request. The default value is an empty string.

$command = JRequest::getCmd( 'controller', 'view', 'POST' );

will retrieve the value of the "controller" argument from a POST request (but not a GET), with a default value of 'view'.

String

The string type allows a much wider range of input characters. It also takes an optional fourth argument specifying some additional mask options. See the Filter options section below for information on the available masks.

$string = JRequest::getString( 'description' );

will retrieve the value of the "description" argument from the request. The default value is an empty string. The input will have whitespace removed from the left and right ends and any HTML tags will be removed.

$string = JRequest::getString( 'text', '', 'METHOD', JREQUEST_NOTRIM );

will retrieve the value of the "text" argument from the request. The default value is an empty string. Leading and trailing whitespace will not be removed.

$string = JRequest::getString( 'template', '<html />', 'METHOD', JREQUEST_ALLOWHTML );

will retrieve the value of the "template" argument from the request. The default value is '<html></html>'. Leading and trailing whitespace will be removed, but HTML will be permitted.

Generic and other data types

If the above methods do not meet your needs, there is a small number of additional filter types which you can use by calling the JRequest::getVar method directly. The syntax is:

JRequest::getVar( <name>, <default>, <data-source>, <type>, <options> );

where:

<name> the name of the variable to be retrieved (for example, the name of an argument in a URL).
<default> the default value. There is no default value that will be returned if no default is specified in the call to JRequest::getVar. If no default is specified and the argument is not present in the request variable then it will return undefined.
<data-source> specifies where the variable is to be retrieved from (one of GET, POST, METHOD, COOKIE, REQUEST, ENV, SERVER; default is REQUEST).
<type> specifies the data type expected (see below).
<options> an optional bit-field used to specify options for some of the input filters (see below).

The first three arguments are the same as for the more specific methods described earlier. Only the first argument is mandatory.

Allowed values of the <type>, which is case-insensitive, are as follows:

INT, INTEGER Equivalent to JRequest::getInt.
FLOAT, DOUBLE Equivalent to JRequest::getFloat.
BOOL, BOOLEAN Equivalent to JRequest::getBool.
WORD Equivalent to JRequest::getWord.
ALNUM Allow only alphanumeric characters (a-z, A-Z, 0-9).
CMD Equivalent to JRequest::getCmd.
BASE64 Allow only those characters that could be present in a base64-encoded string (i.e. a-z, A-Z, 0-9, /, + and =).
STRING Equivalent to JRequest::getString.
ARRAY Source is not filtered but is cast to array type.
PATH Valid pathname regex that filters out common attacks. For example, any path beginning with a "/" will return an empty string. Similarly, any path containing "/./" or "/../" will return an empty string. Dots within filenames are okay though.
USERNAME Removes control characters (0x00 - 0x1F), 0x7F, <, >, ", ', % and &.

Filter options

Allowed values of <options> are as follows (none of these are applied by default):

JREQUEST_NOTRIM Does not remove whitespace from the start and ends of strings.
JREQUEST_ALLOWRAW Does not do any filtering at all. Use with extreme caution.
JREQUEST_ALLOWHTML Does not remove HTML from string inputs.

Masks can be combined by logically OR'ing them. If no filter options are specified, then by default, whitespace is trimmed and HTML is removed.
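The rules quoted above, both for the typed getInt/getBool/getString helpers and for the getVar <type> and <options> values, as an added example: a Python model I wrote for this post, not Joomla's own code. It models only the GET, POST and COOKIE sources, lets later sources override earlier ones when they are combined, and strips rejected characters where the documentation does not say what happens to them; all three are assumptions, and the sample request is constructed.

```python
import re

# Added reference model of the JRequest type filters documented above, not Joomla's
# own code. Where the docs are silent on rejected characters, it strips them (assumption).
NOTRIM, ALLOWRAW, ALLOWHTML = 1, 2, 4    # stand-ins for the JREQUEST_* masks

_STRIP = {                                # what each character-class type rejects
    "WORD": r"[^A-Za-z_]", "ALNUM": r"[^A-Za-z0-9]", "CMD": r"[^A-Za-z0-9._-]",
    "BASE64": r"[^A-Za-z0-9/+=]", "USERNAME": r"[\x00-\x1f\x7f<>\"'%&]",
}

def filter_value(s, vtype, options=0):
    """Apply one documented <type> filter (case-insensitive) to a raw string."""
    vtype = vtype.upper()
    if vtype in ("INT", "INTEGER"):
        m = re.search(r"-?\d+", s)        # leading minus allowed, "+" is not
        return int(m.group()) if m else 0
    if vtype in ("FLOAT", "DOUBLE"):
        m = re.search(r"-?\d+(\.\d+)?", s)  # a digit must precede the point
        return float(m.group()) if m else 0.0
    if vtype in ("BOOL", "BOOLEAN"):
        return s not in ("", "0")         # any other string, even "false", is True
    if vtype in _STRIP:
        return re.sub(_STRIP[vtype], "", s)
    if vtype == "PATH":                   # absolute paths and dot segments are rejected
        return "" if s.startswith("/") or "/./" in s or "/../" in s else s
    if vtype == "STRING":
        if options & ALLOWRAW:
            return s                      # no filtering at all
        if not options & ALLOWHTML:
            s = re.sub(r"<[^>]*>", "", s)  # simplified tag removal
        return s if options & NOTRIM else s.strip()
    raise ValueError("unknown type " + vtype)

def get_var(request, name, default=None, source="REQUEST", vtype="STRING", options=0):
    """Model of JRequest::getVar; `request` maps GET/POST/COOKIE to value dicts."""
    if source == "REQUEST":               # the default: GET, POST and COOKIE combined
        pool = {}
        for part in ("GET", "POST", "COOKIE"):
            pool.update(request.get(part, {}))   # later sources win (assumption)
    else:
        pool = request.get(source, {})
    if name not in pool:
        return default
    return filter_value(str(pool[name]), vtype, options)

# Constructed sample request (not captured from a real site) used by the checks.
SAMPLE_REQUEST = {"GET": {"show": "false", "id": "-42", "description": " <b>Shoes</b> ",
                          "tpl": "images/../file.txt"}, "COOKIE": {"tracker": "abc123"}}
```

Note that with the default REQUEST source a value set only in a cookie is returned as if it had come from the URL, which is the point made about the default data source above.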
