One of the most important aspects of extension development is gathering input from the user and manipulating it in a meaningful way. Many times, you will collect data with a form and then store it into a database table. Other times, you will decide how to order or display information to the user based on the query string of the URL. In either instance, you are taking and acting upon input from the user. Obviously, you hope that your users have good intentions in using your extension, but unfortunately, the reality is that not everyone has your best interests in mind. For that reason, you must be careful about the input that you allow into your extension.

JRequest to the rescue!

Joomla!, of course, provides some excellent help when it comes to handling user input. The JRequest class is very useful in filtering your input to help protect against attacks such as Cross Site Scripting (XSS) and SQL Injection. If you are already familiar with PHP, you may be tempted to jump in and start working with raw request variables like $_POST and $_GET. Those will certainly still work in Joomla!, but you would be better off letting JRequest take care of the filtering for you.

Let's examine some of JRequest's basic usage:

## Accessing raw request variables ##

$post = $_POST;
$myvar = $_REQUEST['myvar'];


## Accessing same variable through JRequest ##

$post = JRequest::get('post');
$myvar = JRequest::getVar('myvar');

The statements do not appear to be much different, but the second set of values has been passed through JFilterInput, which strips the tags and attributes commonly abused for XSS. Bear in mind that this is input filtering, not output encoding: anything you echo back into a page should still be escaped (for example with htmlspecialchars()) at the point of output. The real power of JRequest comes with the optional parameters, however.

## Set a default value for $color ##

$color = JRequest::getVar('color', 'blue');



## Explicitly declare which request method to use ##

$color = JRequest::getVar('color', 'orange', 'post');

With the above line, we have asked for the 'color' variable from the $_POST array. The third parameter names the source: 'get', 'post', 'request', 'files' and 'cookie' map to $_GET, $_POST, $_REQUEST, $_FILES and $_COOKIE respectively ('env', 'server' and 'method' are also accepted, the last meaning whichever of $_GET or $_POST matches the current request method). When you omit it, getVar() reads from $_REQUEST, so a value you expect from a submitted form can just as easily arrive in the query string of a crafted link; when handling a form, name the source explicitly. The fourth parameter is also extremely useful: with it you declare the datatype that you are expecting for the variable.

## Grab 'id' from the $_GET array and force it to be an integer ##

$id = JRequest::getVar('id', '0', 'get', 'int');

Simply by forcing the data type, you can very easily prevent some types of attacks. For example:

## Get 'id' from request ##

$id = $_GET['id'];


## Grab database object ##

$db = JFactory::getDBO();


## Query to select single user object ##

$query = "SELECT * FROM users WHERE id = ".$id;

$db->setQuery($query);

$user = $db->loadObject();

In most cases, the above code would work as expected. However, you will have problems if someone slips through a value for 'id' so that your SQL query actually reads "SELECT * FROM users WHERE id = 1; DROP TABLE users;" (or, more realistically, "SELECT * FROM users WHERE id = 1 OR 1=1", which returns every user). If $id had been fetched with the 'int' type, JFilterInput would have kept only the leading integer, so the value would have become 1 and the injected SQL discarded; a value containing no digits at all becomes 0. Forcing a type is only half the job, though: it suits numbers, booleans and word-like tokens, but a value you need verbatim (a search term, a title) remains untrusted and must be escaped with $db->Quote() before it is concatenated into a query. The list of the possible data types can be found in the documentation for JFilterInput::clean(). There are also a handful of shortcut functions for data type declaration (i.e., getBool(), getCmd(), getFloat(), getInt(), getString(), and getWord()).
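The following is an added example, not code from the original article or from Joomla! itself. It shows the lookup above rewritten the way a component author would harden it, and it also covers the "order the list from the query string" case mentioned at the start of the article. It assumes a Joomla! 1.5 component (JRequest, JFactory::getDBO(), $db->Quote(), $db->getEscaped() and $db->nameQuote() all exist there) and an illustrative request such as index.php?option=com_example&id=7&search=bob&order=name&dir=desc; the function names are the example's own.

```php
<?php
// Added example (not from the original article). Hardened request handling for
// a Joomla! 1.5 component: every value is read through a typed JRequest
// accessor, anything that selects query *structure* (the ORDER BY column) is
// checked against an allowlist, and free text is quoted with $db->Quote().
defined('_JEXEC') or die('Restricted access');

// Single-record lookup. The 'int' filter keeps only the leading integer, so
// id=1;DROP TABLE users becomes 1 and id=abc becomes 0 (no row matches).
function getUserById()
{
    $db = JFactory::getDBO();
    $id = JRequest::getInt('id', 0, 'get');   // source named explicitly
    if ($id <= 0) {
        return null;
    }
    // The (int) cast is redundant next to getInt(), but it documents the
    // contract at the exact point where the value enters SQL.
    $db->setQuery('SELECT * FROM #__users WHERE id = ' . (int) $id);
    return $db->loadObject();
}

// Filtered, ordered list. A type filter cannot know which column names are
// legitimate, so the sort column is validated against an allowlist as well.
function getUserList()
{
    $db = JFactory::getDBO();

    $allowedColumns = array('id', 'name', 'username', 'registerDate');
    $order = JRequest::getCmd('order', 'id', 'get');    // only [A-Za-z0-9_.-] survive
    if (!in_array($order, $allowedColumns, true)) {
        $order = 'id';                                  // silently fall back
    }
    $dir = strtoupper(JRequest::getWord('dir', 'asc', 'get')); // letters/underscore only
    $dir = ($dir === 'DESC') ? 'DESC' : 'ASC';

    $where  = '';
    $search = JRequest::getString('search', '', 'get'); // HTML stripped, SQL NOT escaped
    if ($search !== '') {
        // getEscaped($text, true) escapes quotes and the LIKE wildcards % and _;
        // Quote($text, false) then wraps it without escaping a second time.
        $pattern = $db->Quote('%' . $db->getEscaped($search, true) . '%', false);
        $where   = ' WHERE name LIKE ' . $pattern;
    }

    $query = 'SELECT id, name, username, registerDate FROM #__users'
           . $where
           . ' ORDER BY ' . $db->nameQuote($order) . ' ' . $dir;
    $db->setQuery($query);
    return $db->loadObjectList();
}
```

The allowlist is the part JRequest cannot do for you: getCmd() guarantees that 'order' contains only safe characters, not that it names a column you intended to expose, and an unexpected column name in an ORDER BY is still attacker-controlled query structure.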

There are several other functions available in JRequest. The last two we will look at give you the ability to set request variables:

$array = array('key1' => 'value1', 'key2' => 'value2', 'key3' => 'value3');

JRequest::set($array, 'get');


## Now $_GET['key1'] == 'value1', etc ##


$color = 'blue';

JRequest::setVar('color', $color, 'post');


## Now $_POST['color'] == 'blue' ##
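As an added example (not code from the original article or from Joomla!), here is the most common security-relevant use of setVar(): a controller that overwrites client-supplied request values before handing off to the model and view, so that the rest of the request cycle, which reads JRequest itself, sees the values the controller decided on rather than the ones the browser sent. It assumes a Joomla! 1.5 component whose model reads JRequest::getInt('id'); the class, view and layout names are illustrative.

```php
<?php
// Added example (not from the original article). Pinning request values with
// JRequest::setVar() in a Joomla! 1.5 controller before display().
defined('_JEXEC') or die('Restricted access');

jimport('joomla.application.component.controller');

class ExampleController extends JController
{
    // Shows the "edit my profile" form. Whatever 'id' the client sent in the
    // URL or the form, the record actually loaded is the logged-in user's own.
    function edit()
    {
        $user = JFactory::getUser();
        if ($user->get('guest')) {
            JError::raiseError(403, JText::_('You must be logged in'));
            return;
        }

        // Overwrite any client-supplied id with the authenticated user's id.
        // setVar() updates $_REQUEST (and the current method's array), which
        // is where the model's JRequest::getInt('id') will read it from, so the
        // model cannot be pointed at another user's record.
        JRequest::setVar('id', (int) $user->get('id'));

        // Force the view and layout instead of trusting ?view=...&layout=...
        // from the query string; hidemainmenu is the usual 1.5 admin convention
        // for edit screens.
        JRequest::setVar('view', 'profile');
        JRequest::setVar('layout', 'edit');
        JRequest::setVar('hidemainmenu', 1);

        parent::display();
    }
}
```

The point of the example is ordering: the authorisation decision is made first, the request is rewritten to reflect it, and only then is control passed to code that trusts JRequest.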

As you can see, JRequest provides quite a few useful methods for dealing with request variables. This has not been an exhaustive tutorial, but just some basic examples to get you started. It should also be noted that JRequest cannot protect against all forms of attack. You are still responsible for handling your input carefully. Full documentation about JRequest and all its methods can be found in the Joomla! API documentation. Read it and become familiar with it, as this is one essential Joomla! library that you need to know.
