1 <?php
2 /**
3 * @package Joomla.Legacy
4 * @subpackage Request
5 *
6 * @copyright Copyright (C) 2005 - 2017 Open Source Matters, Inc. All rights reserved.
7 * @license GNU General Public License version 2 or later; see LICENSE.txt
8 */
9
10 defined('JPATH_PLATFORM') or die;
11
12 /**
13 * Create the request global object
14 */
15 $GLOBALS['_JREQUEST'] = array();
16
17 /**
18 * Set the available masks for cleaning variables
19 */
20 const JREQUEST_NOTRIM = 1;
21 const JREQUEST_ALLOWRAW = 2;
22 const JREQUEST_ALLOWHTML = 4;
23
24 JLog::add('JRequest is deprecated.', JLog::WARNING, 'deprecated');
25
26 /**
27 * JRequest Class
28 *
29 * This class serves to provide the Joomla Platform with a common interface to access
30 * request variables. This includes $_POST, $_GET, and naturally $_REQUEST. Variables
31 * can be passed through an input filter to avoid injection or returned raw.
32 *
33 * @since 1.5
34 * @deprecated 1.7 Get the JInput object from the application instead
35 */
36 class JRequest
37 {
38 /**
39 * Gets the full request path.
40 *
41 * @return string
42 *
43 * @since 1.5
44 * @deprecated 1.7
45 */
46 public static function getUri()
47 {
48 $uri = JUri::getInstance();
49
50 return $uri->toString(array('path', 'query'));
51 }
52
53 /**
54 * Gets the request method.
55 *
56 * @return string
57 *
58 * @since 1.5
59 * @deprecated 1.7 Use JInput::getMethod() instead
60 */
61 public static function getMethod()
62 {
63 return strtoupper($_SERVER['REQUEST_METHOD']);
64 }
65
66 /**
67 * Fetches and returns a given variable.
68 *
69 * The default behaviour is fetching variables depending on the
70 * current request method: GET and HEAD will result in returning
71 * an entry from $_GET, POST and PUT will result in returning an
72 * entry from $_POST.
73 *
74 * You can force the source by setting the $hash parameter:
75 *
76 * post $_POST
77 * get $_GET
78 * files $_FILES
79 * cookie $_COOKIE
80 * env $_ENV
81 * server $_SERVER
82 * method via current $_SERVER['REQUEST_METHOD']
83 * default $_REQUEST
84 *
85 * @param string $name Variable name.
86 * @param mixed $default Default value if the variable does not exist.
87 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
88 * @param string $type Return type for the variable, for valid values see {@link JFilterInput::clean()}.
89 * @param integer $mask Filter mask for the variable.
90 *
91 * @return mixed Requested variable.
92 *
93 * @since 1.5
94 * @deprecated 1.7 Use JInput::get()
95 */
96 public static function getVar($name, $default = null, $hash = 'default', $type = 'none', $mask = 0)
97 {
98 // Ensure hash and type are uppercase
99 $hash = strtoupper($hash);
100
101 if ($hash === 'METHOD')
102 {
103 $hash = strtoupper($_SERVER['REQUEST_METHOD']);
104 }
105
106 $type = strtoupper($type);
107 $sig = $hash . $type . $mask;
108
109 // Get the input hash
110 switch ($hash)
111 {
112 case 'GET':
113 $input = &$_GET;
114 break;
115 case 'POST':
116 $input = &$_POST;
117 break;
118 case 'FILES':
119 $input = &$_FILES;
120 break;
121 case 'COOKIE':
122 $input = &$_COOKIE;
123 break;
124 case 'ENV':
125 $input = &$_ENV;
126 break;
127 case 'SERVER':
128 $input = &$_SERVER;
129 break;
130 default:
131 $input = &$_REQUEST;
132 $hash = 'REQUEST';
133 break;
134 }
135
136 if (isset($GLOBALS['_JREQUEST'][$name]['SET.' . $hash]) && ($GLOBALS['_JREQUEST'][$name]['SET.' . $hash] === true))
137 {
138 // Get the variable from the input hash
139 $var = (isset($input[$name]) && $input[$name] !== null) ? $input[$name] : $default;
140 $var = self::_cleanVar($var, $mask, $type);
141 }
142 elseif (!isset($GLOBALS['_JREQUEST'][$name][$sig]))
143 {
144 if (isset($input[$name]) && $input[$name] !== null)
145 {
146 // Get the variable from the input hash and clean it
147 $var = self::_cleanVar($input[$name], $mask, $type);
148
149 $GLOBALS['_JREQUEST'][$name][$sig] = $var;
150 }
151 elseif ($default !== null)
152 {
153 // Clean the default value
154 $var = self::_cleanVar($default, $mask, $type);
155 }
156 else
157 {
158 $var = $default;
159 }
160 }
161 else
162 {
163 $var = $GLOBALS['_JREQUEST'][$name][$sig];
164 }
165
166 return $var;
167 }
168
169 /**
170 * Fetches and returns a given filtered variable. The integer
171 * filter will allow only digits and the - sign to be returned. This is currently
172 * only a proxy function for getVar().
173 *
174 * See getVar() for more in-depth documentation on the parameters.
175 *
176 * @param string $name Variable name.
177 * @param integer $default Default value if the variable does not exist.
178 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
179 *
180 * @return integer Requested variable.
181 *
182 * @since 1.5
183 * @deprecated 1.7
184 */
185 public static function getInt($name, $default = 0, $hash = 'default')
186 {
187 return self::getVar($name, $default, $hash, 'int');
188 }
189
190 /**
191 * Fetches and returns a given filtered variable. The unsigned integer
192 * filter will allow only digits to be returned. This is currently
193 * only a proxy function for getVar().
194 *
195 * See getVar() for more in-depth documentation on the parameters.
196 *
197 * @param string $name Variable name.
198 * @param integer $default Default value if the variable does not exist.
199 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
200 *
201 * @return integer Requested variable.
202 *
203 * @since 1.7
204 * @deprecated 1.7
205 */
206 public static function getUInt($name, $default = 0, $hash = 'default')
207 {
208 return self::getVar($name, $default, $hash, 'uint');
209 }
210
211 /**
212 * Fetches and returns a given filtered variable. The float
213 * filter only allows digits and periods. This is currently
214 * only a proxy function for getVar().
215 *
216 * See getVar() for more in-depth documentation on the parameters.
217 *
218 * @param string $name Variable name.
219 * @param float $default Default value if the variable does not exist.
220 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
221 *
222 * @return float Requested variable.
223 *
224 * @since 1.5
225 * @deprecated 1.7
226 */
227 public static function getFloat($name, $default = 0.0, $hash = 'default')
228 {
229 return self::getVar($name, $default, $hash, 'float');
230 }
231
232 /**
233 * Fetches and returns a given filtered variable. The bool
234 * filter will only return true/false bool values. This is
235 * currently only a proxy function for getVar().
236 *
237 * See getVar() for more in-depth documentation on the parameters.
238 *
239 * @param string $name Variable name.
240 * @param boolean $default Default value if the variable does not exist.
241 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
242 *
243 * @return boolean Requested variable.
244 *
245 * @since 1.5
246 * @deprecated 1.7
247 */
248 public static function getBool($name, $default = false, $hash = 'default')
249 {
250 return self::getVar($name, $default, $hash, 'bool');
251 }
252
253 /**
254 * Fetches and returns a given filtered variable. The word
255 * filter only allows the characters [A-Za-z_]. This is currently
256 * only a proxy function for getVar().
257 *
258 * See getVar() for more in-depth documentation on the parameters.
259 *
260 * @param string $name Variable name.
261 * @param string $default Default value if the variable does not exist.
262 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
263 *
264 * @return string Requested variable.
265 *
266 * @since 1.5
267 * @deprecated 1.7
268 */
269 public static function getWord($name, $default = '', $hash = 'default')
270 {
271 return self::getVar($name, $default, $hash, 'word');
272 }
273
274 /**
275 * Cmd (Word and Integer0 filter
276 *
277 * Fetches and returns a given filtered variable. The cmd
278 * filter only allows the characters [A-Za-z0-9.-_]. This is
279 * currently only a proxy function for getVar().
280 *
281 * See getVar() for more in-depth documentation on the parameters.
282 *
283 * @param string $name Variable name
284 * @param string $default Default value if the variable does not exist
285 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD)
286 *
287 * @return string Requested variable
288 *
289 * @since 1.5
290 * @deprecated 1.7
291 */
292 public static function getCmd($name, $default = '', $hash = 'default')
293 {
294 return self::getVar($name, $default, $hash, 'cmd');
295 }
296
297 /**
298 * Fetches and returns a given filtered variable. The string
299 * filter deletes 'bad' HTML code, if not overridden by the mask.
300 * This is currently only a proxy function for getVar().
301 *
302 * See getVar() for more in-depth documentation on the parameters.
303 *
304 * @param string $name Variable name
305 * @param string $default Default value if the variable does not exist
306 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD)
307 * @param integer $mask Filter mask for the variable
308 *
309 * @return string Requested variable
310 *
311 * @since 1.5
312 * @deprecated 1.7
313 */
314 public static function getString($name, $default = '', $hash = 'default', $mask = 0)
315 {
316 // Cast to string, in case JREQUEST_ALLOWRAW was specified for mask
317 return (string) self::getVar($name, $default, $hash, 'string', $mask);
318 }
319
320 /**
321 * Set a variable in one of the request variables.
322 *
323 * @param string $name Name
324 * @param string $value Value
325 * @param string $hash Hash
326 * @param boolean $overwrite Boolean
327 *
328 * @return string Previous value
329 *
330 * @since 1.5
331 * @deprecated 1.7
332 */
333 public static function setVar($name, $value = null, $hash = 'method', $overwrite = true)
334 {
335 // If overwrite is true, makes sure the variable hasn't been set yet
336 if (!$overwrite && array_key_exists($name, $_REQUEST))
337 {
338 return $_REQUEST[$name];
339 }
340
341 // Clean global request var
342 $GLOBALS['_JREQUEST'][$name] = array();
343
344 // Get the request hash value
345 $hash = strtoupper($hash);
346
347 if ($hash === 'METHOD')
348 {
349 $hash = strtoupper($_SERVER['REQUEST_METHOD']);
350 }
351
352 $previous = array_key_exists($name, $_REQUEST) ? $_REQUEST[$name] : null;
353
354 switch ($hash)
355 {
356 case 'GET':
357 $_GET[$name] = $value;
358 $_REQUEST[$name] = $value;
359 break;
360 case 'POST':
361 $_POST[$name] = $value;
362 $_REQUEST[$name] = $value;
363 break;
364 case 'COOKIE':
365 $_COOKIE[$name] = $value;
366 $_REQUEST[$name] = $value;
367 break;
368 case 'FILES':
369 $_FILES[$name] = $value;
370 break;
371 case 'ENV':
372 $_ENV[$name] = $value;
373 break;
374 case 'SERVER':
375 $_SERVER[$name] = $value;
376 break;
377 }
378
379 // Mark this variable as 'SET'
380 $GLOBALS['_JREQUEST'][$name]['SET.' . $hash] = true;
381 $GLOBALS['_JREQUEST'][$name]['SET.REQUEST'] = true;
382
383 return $previous;
384 }
385
386 /**
387 * Fetches and returns a request array.
388 *
389 * The default behaviour is fetching variables depending on the
390 * current request method: GET and HEAD will result in returning
391 * $_GET, POST and PUT will result in returning $_POST.
392 *
393 * You can force the source by setting the $hash parameter:
394 *
395 * post $_POST
396 * get $_GET
397 * files $_FILES
398 * cookie $_COOKIE
399 * env $_ENV
400 * server $_SERVER
401 * method via current $_SERVER['REQUEST_METHOD']
402 * default $_REQUEST
403 *
404 * @param string $hash to get (POST, GET, FILES, METHOD).
405 * @param integer $mask Filter mask for the variable.
406 *
407 * @return mixed Request hash.
408 *
409 * @since 1.5
410 * @deprecated 1.7 Use JInput::get()
411 * @see JInput
412 */
413 public static function get($hash = 'default', $mask = 0)
414 {
415 $hash = strtoupper($hash);
416
417 if ($hash === 'METHOD')
418 {
419 $hash = strtoupper($_SERVER['REQUEST_METHOD']);
420 }
421
422 switch ($hash)
423 {
424 case 'GET':
425 $input = $_GET;
426 break;
427
428 case 'POST':
429 $input = $_POST;
430 break;
431
432 case 'FILES':
433 $input = $_FILES;
434 break;
435
436 case 'COOKIE':
437 $input = $_COOKIE;
438 break;
439
440 case 'ENV':
441 $input = &$_ENV;
442 break;
443
444 case 'SERVER':
445 $input = &$_SERVER;
446 break;
447
448 default:
449 $input = $_REQUEST;
450 break;
451 }
452
453 return self::_cleanVar($input, $mask);
454 }
455
456 /**
457 * Sets a request variable.
458 *
459 * @param array $array An associative array of key-value pairs.
460 * @param string $hash The request variable to set (POST, GET, FILES, METHOD).
461 * @param boolean $overwrite If true and an existing key is found, the value is overwritten, otherwise it is ignored.
462 *
463 * @return void
464 *
465 * @since 1.5
466 * @deprecated 1.7 Use JInput::set()
467 */
468 public static function set($array, $hash = 'default', $overwrite = true)
469 {
470 foreach ($array as $key => $value)
471 {
472 self::setVar($key, $value, $hash, $overwrite);
473 }
474 }
475
476 /**
477 * Checks for a form token in the request.
478 *
479 * Use in conjunction with JHtml::_('form.token').
480 *
481 * @param string $method The request method in which to look for the token key.
482 *
483 * @return boolean True if found and valid, false otherwise.
484 *
485 * @since 1.5
486 * @deprecated 1.7 Use JSession::checkToken() instead. Note that 'default' has to become 'request'.
487 */
488 public static function checkToken($method = 'post')
489 {
490 if ($method == 'default')
491 {
492 $method = 'request';
493 }
494
495 return JSession::checkToken($method);
496 }
497
498 /**
499 * Clean up an input variable.
500 *
501 * @param mixed $var The input variable.
502 * @param integer $mask Filter bit mask.
503 * 1 = no trim: If this flag is cleared and the input is a string, the string will have leading and trailing
504 * whitespace trimmed.
505 * 2 = allow_raw: If set, no more filtering is performed, higher bits are ignored.
506 * 4 = allow_html: HTML is allowed, but passed through a safe HTML filter first. If set, no more filtering
507 * is performed. If no bits other than the 1 bit is set, a strict filter is applied.
508 * @param string $type The variable type {@see JFilterInput::clean()}.
509 *
510 * @return mixed Same as $var
511 *
512 * @since 1.5
513 * @deprecated 1.7
514 */
515 protected static function _cleanVar($var, $mask = 0, $type = null)
516 {
517 // If the no trim flag is not set, trim the variable
518 if (!($mask & 1) && is_string($var))
519 {
520 $var = trim($var);
521 }
522
523 // Now we handle input filtering
524 if ($mask & 2)
525 {
526 // If the allow raw flag is set, do not modify the variable
527 }
528 elseif ($mask & 4)
529 {
530 // If the allow HTML flag is set, apply a safe HTML filter to the variable
531 $safeHtmlFilter = JFilterInput::getInstance(null, null, 1, 1);
532 $var = $safeHtmlFilter->clean($var, $type);
533 }
534 else
535 {
536 // Since no allow flags were set, we will apply the most strict filter to the variable
537 // $tags, $attr, $tag_method, $attr_method, $xss_auto use defaults.
538 $noHtmlFilter = JFilterInput::getInstance();
539 $var = $noHtmlFilter->clean($var, $type);
540 }
541
542 return $var;
543 }
544 }
545