Source code for file /joomla/environment/request.php
* @version $Id: request.php 6634 2007-02-15 18:27:18Z Jinx $
* @package Joomla.Framework
* @subpackage Environment
* @copyright Copyright (C) 2005 - 2007 Open Source Matters. All rights reserved.
* @license GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
// Check to ensure this file is within the rest of the framework
// NOTE(review): the guard statement itself is not shown in this listing.
jimport('joomla.utilities.functions');
* Create the request global object
// Starts empty; getVar() and setVar() later store per-variable entries under $GLOBALS['_JREQUEST'][$name].
$GLOBALS['_JREQUEST'] =
array();
* Set the available masks for cleaning variables
// Each mask is a distinct bit (1, 2, 4), so several can be combined in one $mask value.
// JREQUEST_ALLOWRAW and JREQUEST_ALLOWHTML relax the input filtering applied by _cleanVar();
// pass them only where the value is validated or escaped for its output context elsewhere.
define("JREQUEST_NOTRIM" , 1);
define("JREQUEST_ALLOWRAW" , 2);
define("JREQUEST_ALLOWHTML", 4);
* This class serves to provide the Joomla Framework with a common interface to access
* request variables. This includes $_POST, $_GET, and naturally $_REQUEST. Variables
* can be passed through an input filter to avoid injection or returned raw.
* @package Joomla.Framework
* @subpackage Environment
* Gets the full request path
* Fetches and returns a given variable.
* The default behaviour is fetching variables depending on the
* current request method: GET and HEAD will result in returning
* an entry from $_GET, POST and PUT will result in returning an entry from $_POST.
* You can force the source by setting the $hash parameter:
* method via current $_SERVER['REQUEST_METHOD']
* @param string $name Variable name
* @param string $default Default value if the variable does not exist
* @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD)
* @param string $type Return type for the variable (INT, FLOAT, STRING, BOOLEAN, ARRAY)
* @param int $mask Filter mask for the variable
* @return mixed Requested variable
// NOTE(review): this listing drops lines from the method (braces, the assignments of
// $input and $sig, and the call that filters $var are not shown). The comments below
// describe only the visible fragments; confirm against the full file that the value
// stored in the cache is the filtered one.
function getVar($name, $default =
null, $hash =
'default', $type =
'none', $mask =
0)
// Ensure hash and type are uppercase
if ($hash ===
'METHOD') {
// A bare 'SET' marker for this name (written by setVar()) means the value was
// overridden at runtime, so it is read again from the input hash rather than
// taken from the per-signature cache.
if (isset
($GLOBALS['_JREQUEST'][$name]) &&
($GLOBALS['_JREQUEST'][$name] ==
'SET')) {
// Get the variable from the input hash
$var =
(isset
($input[$name]) &&
$input[$name] !==
null) ?
$input[$name] :
$default;
// No cached entry for this name/signature pair: fetch from the input hash,
// falling back to $default when the variable is absent.
elseif (!isset
($GLOBALS['_JREQUEST'][$name][$sig]))
$var =
(isset
($input[$name]) &&
$input[$name] !==
null) ?
$input[$name] :
$default;
// Get the variable from the input hash
// Handle magic quotes compatibility
// Store the result per name and signature so later calls can reuse it.
$GLOBALS['_JREQUEST'][$name][$sig] =
$var;
// Presumably the else branch (keyword not shown): reuse the cached value.
$var =
$GLOBALS['_JREQUEST'][$name][$sig];
// NOTE(review): this listing drops lines from the method (braces, the statements that
// select a branch per $hash, and most per-source assignments are not shown).
// In the visible assignments $value is written into the superglobals as given; no
// filtering is visible at write time.
function setVar($name, $value =
null, $hash =
'default', $overwrite =
true)
// When $overwrite is false, check whether the variable is already present in
// $_REQUEST (the body of this branch is not shown in this listing).
if(!$overwrite && isset
($_REQUEST[$name])) {
// Clean global request var
// Replaces whatever was stored for this name with the 'SET' marker that getVar() tests for.
$GLOBALS['_JREQUEST'][$name] =
'SET';
// Get the request hash value
if ($hash ===
'METHOD') {
// The visible branches all write the value into $_REQUEST; one also writes $_COOKIE.
$_REQUEST[$name] =
$value;
$_REQUEST[$name] =
$value;
$_REQUEST[$name] =
$value;
$_COOKIE[$name] =
$value;
$_REQUEST[$name] =
$value;
$_REQUEST[$name] =
$value;
* Fetches and returns a request array.
* The default behaviour is fetching variables depending on the
* current request method: GET and HEAD will result in returning
* $_GET, POST and PUT will result in returning $_POST.
* You can force the source by setting the $hash parameter:
* method via current $_SERVER['REQUEST_METHOD']
* @param string $hash to get (POST, GET, FILES, METHOD)
* @param int $mask Filter mask for the variable
* @return mixed Request hash
// NOTE(review): this listing drops lines from the method (braces, the declaration of
// $hashes, the selection of the source array and the cleaning of $result are not shown).
function get($hash =
'default', $mask =
0)
// Cache key: the hash name concatenated with the mask, without a separator.
$signature =
$hash.
$mask;
// Only build the result when nothing is cached under this signature yet.
if (!isset
($hashes[$signature]))
if ($hash ===
'METHOD') {
// Handle magic quotes compatibility
// The cache entry is bound to $result by reference.
$hashes[$signature] =
&$result;
return $hashes[$signature];
// Iterates over each key/value pair of $array. The loop body is not shown in this
// listing; presumably it forwards each pair to setVar() with $hash and $overwrite — confirm.
function set($array, $hash =
'default', $overwrite =
true)
foreach($array as $key =>
$value) {
* Cleans the request from script injection.
// NOTE(review): the method header and most statements are not shown in this listing;
// only the conditions and the $GLOBALS loop below are visible.
if (isset
( $_SESSION )) {
if (isset
( $_SESSION )) {
// Remove every entry from $GLOBALS except the 'GLOBALS' key itself, so variables
// that reached the global scope before this call do not survive it.
foreach ($GLOBALS as $key =>
$value) {
if ( $key !=
'GLOBALS' ) {
unset
( $GLOBALS [ $key ] );
// NOTE(review): $SESSION (no underscore) is presumably a local copy of $_SESSION taken
// before the loop above; its assignment is not shown here — confirm.
if (isset
( $SESSION )) {
// Make sure the request hash is clean on file inclusion
$GLOBALS['_JREQUEST'] =
array();
* Adds an array to the GLOBALS array and checks that the GLOBALS variable is not being attacked
* @param array $array Array to clean
* @param boolean True if the array is to be added to the GLOBALS
// NOTE(review): the method header, the second check and the condition guarding die()
// are not shown in this listing.
// Lower-cased names of the superglobals (plus 'globals') that are rejected as keys of $array.
static $banned =
array( '_files', '_env', '_get', '_post', '_cookie', '_server', '_session', 'globals' );
foreach ($array as $key =>
$value)
// PHP GLOBALS injection bug
// The key is lower-cased before the lookup, so the match is case-insensitive.
// in_array() is called without its strict flag, so the comparison is loose.
$failed =
in_array( strtolower( $key ), $banned );
// PHP Zend_Hash_Del_Key_Or_Index bug
// The message lists the banned names only; it does not echo the offending key.
die( 'Illegal variable <b>' .
implode( '</b> or <b>', $banned ) .
'</b> passed to script.' );
// NOTE(review): this listing drops lines from the method (braces, the trim call, the
// tests for the allow-raw and allow-html flags, and the creation of $noHtmlFilter are
// not shown). The comments below describe only the visible fragments.
function _cleanVar($var, $mask=
0, $type=
null)
// Static input filters for specific settings
static $noHtmlFilter =
null;
static $safeHtmlFilter =
null;
// If the no trim flag is not set, trim the variable
// ($mask & 1 tests the bit defined as JREQUEST_NOTRIM; the condition applies to strings only.)
if (!($mask & 1) &&
is_string($var)) {
// Now we handle input filtering
// If the allow raw flag is set, do not modify the variable
// NOTE(review): a raw value skips both filters below, so the caller is responsible for
// validating it and escaping it for the context where it is used.
// If the allow html flag is set, apply a safe html filter to the variable
// The filter instance is created on first use and kept in the static for later calls.
// NOTE(review): the meaning of the getInstance() arguments is not visible here — confirm in JInputFilter.
if (is_null($safeHtmlFilter)) {
$safeHtmlFilter =
& JInputFilter::getInstance(null, null, 1, 1);
$var =
$safeHtmlFilter->clean($var, $type);
// Since no allow flags were set, we will apply the most strict filter to the variable
$var =
$noHtmlFilter->clean($var, $type);
* Strips slashes recursively on an array
* @param array $array Array of (nested arrays of) strings
* @return array The input array with stripslashes applied to it