Failing to sanitize user input leads to insecure web applications. In particular, values in $_POST and $_GET must never be used blindly in our code without proper validation checks.
The JRequest class of the Joomla! framework offers methods that make validating and filtering user input straightforward.
With getVar() we can read a variable from $_POST, $_GET and the other PHP superglobals.
Syntax

```php
JRequest::getVar(name, default, hash, type, mask)
```
- name: the variable name.
- default: the value returned when the variable doesn't exist.
- hash: the superglobal from which the variable is read. Possible values are 'GET', 'POST', 'FILES', 'COOKIE', 'ENV', 'SERVER' and 'REQUEST' (the default).
- type: the filter type applied to the value.
- mask: the filter mask (see the examples).
Other methods (getInt(), getFloat(), getString(), getWord(), getCmd()) are available as simple shortcuts; they all call getVar() internally.
Examples
Here is a simple form with an input field named 'test_input'. Enter anything you like and press Submit, then check the Result column to see how your input is processed and filtered by the various JRequest methods.
Notes
- Alphanumeric and special characters allowed. HTML is stripped; leading and trailing spaces are trimmed.
- HTML allowed (some tags are still filtered to prevent XSS attacks). Use JREQUEST_ALLOWRAW to allow any HTML tag (usually not recommended).
- Only digits (0-9) and the minus sign are allowed. The result is converted to an integer.
- Only A to Z (lowercase or uppercase), 0-9, '-' (hyphen), '.' (dot) and '_' (underscore) are allowed; all other characters are stripped.
- Only A to Z (lowercase or uppercase) and '_' (underscore) are allowed; all other characters are stripped.
- Only digits (0-9), the minus sign and '.' (period) are allowed. The result is converted to a float.
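The following controller fragment is an added example, not code from the original page or from the Joomla! project. It contrasts the blind use of $_POST / $_GET that the introduction warns against with the same reads done through JRequest, using the signature above and the filters described in the notes. The field names other than 'test_input' (id, task, mode, price), the allowed task list and the table name are assumptions for the illustration; the fragment expects to run inside a Joomla! 1.5/2.5-era component, where _JEXEC is defined and JRequest, JFactory and JError are already loaded.

```php
<?php
// Added example (not from the original page or the Joomla! project).
// Runs inside a Joomla! component, so the framework is already bootstrapped.
defined('_JEXEC') or die('Restricted access');

// Anti-pattern: raw superglobal access. A submitted <script> tag reaches the
// template untouched and a non-numeric 'id' ends up in a query as-is.
$rawText = isset($_POST['test_input']) ? $_POST['test_input'] : '';
$rawId   = isset($_GET['id']) ? $_GET['id'] : 0;

// Filtered reads. The hash argument names the superglobal explicitly ('POST'
// or 'GET') instead of the default 'REQUEST', so a cookie or query-string value
// cannot stand in for a form field.
$text  = JRequest::getString('test_input', '', 'POST');   // HTML stripped, trimmed
$html  = JRequest::getVar('test_input', '', 'POST', 'string', JREQUEST_ALLOWHTML); // limited HTML kept
$id    = JRequest::getInt('id', 0, 'GET');                // digits and minus sign, cast to int
$task  = JRequest::getCmd('task', 'display', 'POST');     // A-Z, 0-9, '-', '.', '_' only (assumed field)
$mode  = JRequest::getWord('mode', 'list', 'POST');       // A-Z and '_' only (assumed field)
$price = JRequest::getFloat('price', 0.0, 'POST');        // digits, minus sign, '.', cast to float (assumed field)

// A filter only guarantees the character set; it does not make the value
// meaningful for this request. Validate against an allow-list as well.
$allowedTasks = array('display', 'save', 'cancel');   // assumed task names
if (!in_array($task, $allowedTasks, true)) {
    JError::raiseError(400, 'Unknown task');
}
if ($id <= 0) {
    JError::raiseError(400, 'Invalid id');
}

// Filtering input does not replace output encoding: escape for the context
// the value lands in (HTML here) even though the string was filtered on read.
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

// Likewise, go through the database layer's quoting rather than concatenating
// the filtered string; the integer cast on $id is what makes that query safe.
$db    = JFactory::getDBO();
$query = 'SELECT title FROM #__content'                  // assumed table/column
       . ' WHERE id = ' . (int) $id
       . ' AND alias = ' . $db->quote($mode);
$db->setQuery($query);
$title = $db->loadResult();
```

Two points worth keeping in mind when reusing this: JRequest survives in Joomla! 3.x only as a deprecated legacy class and is gone in Joomla! 4, where the same reads go through JFactory::getApplication()->input (JInput offers getInt(), getString(), getCmd(), getWord() and getFloat() with the same filtering intent); and the mask JREQUEST_ALLOWHTML still passes some HTML through, so a value read that way must still be escaped or run through a proper HTML sanitizer before it is rendered.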