1<?php 2/** 3 * @package Joomla.Legacy 4 * @subpackage Request 5 * 6 * @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All rights reserved. 7 * @license GNU General Public License version 2 or later; see LICENSE.txt 8 */ 9 10defined('JPATH_PLATFORM') or die; 11 12/** 13 * Create the request global object 14 */ 15$GLOBALS['_JREQUEST'] = array(); 16 17/** 18 * Set the available masks for cleaning variables 19 */ 20const JREQUEST_NOTRIM = 1; 21const JREQUEST_ALLOWRAW = 2; 22const JREQUEST_ALLOWHTML = 4; 23 24JLog::add('JRequest is deprecated.', JLog::WARNING, 'deprecated'); 25 26/** 27 * JRequest Class 28 * 29 * This class serves to provide the Joomla Platform with a common interface to access 30 * request variables. This includes $_POST, $_GET, and naturally $_REQUEST. Variables 31 * can be passed through an input filter to avoid injection or returned raw. 32 * 33 * @since 1.5 34 * @deprecated 1.7 Get the JInput object from the application instead 35 */ 36class JRequest 37{ 38 /** 39 * Gets the full request path. 40 * 41 * @return string 42 * 43 * @since 1.5 44 * @deprecated 1.7 45 */ 46 public static function getUri() 47 { 48 $uri = JUri::getInstance(); 49 50 return $uri->toString(array('path', 'query')); 51 } 52 53 /** 54 * Gets the request method. 55 * 56 * @return string 57 * 58 * @since 1.5 59 * @deprecated 1.7 Use JInput::getMethod() instead 60 */ 61 public static function getMethod() 62 { 63 return strtoupper($_SERVER['REQUEST_METHOD']); 64 } 65 66 /** 67 * Fetches and returns a given variable. 68 * 69 * The default behaviour is fetching variables depending on the 70 * current request method: GET and HEAD will result in returning 71 * an entry from $_GET, POST and PUT will result in returning an 72 * entry from $_POST. 73 * 74 * You can force the source by setting the $hash parameter: 75 * 76 * post $_POST 77 * get $_GET 78 * files $_FILES 79 * cookie $_COOKIE 80 * env $_ENV 81 * server $_SERVER 82 * method via current $_SERVER['REQUEST_METHOD'] 83 * default $_REQUEST 84 * 85 * @param string $name Variable name. 86 * @param mixed $default Default value if the variable does not exist. 87 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD). 88 * @param string $type Return type for the variable, for valid values see {@link JFilterInput::clean()}. 89 * @param integer $mask Filter mask for the variable. 90 * 91 * @return mixed Requested variable. 92 * 93 * @since 1.5 94 * @deprecated 1.7 Use JInput::get() 95 */ 96 public static function getVar($name, $default = null, $hash = 'default', $type = 'none', $mask = 0) 97 { 98 // Ensure hash and type are uppercase 99 $hash = strtoupper($hash); 100 101 if ($hash === 'METHOD') 102 { 103 $hash = strtoupper($_SERVER['REQUEST_METHOD']); 104 } 105 106 $type = strtoupper($type); 107 $sig = $hash . $type . $mask; 108 109 // Get the input hash 110 switch ($hash) 111 { 112 case 'GET': 113 $input = &$_GET; 114 break; 115 case 'POST': 116 $input = &$_POST; 117 break; 118 case 'FILES': 119 $input = &$_FILES; 120 break; 121 case 'COOKIE': 122 $input = &$_COOKIE; 123 break; 124 case 'ENV': 125 $input = &$_ENV; 126 break; 127 case 'SERVER': 128 $input = &$_SERVER; 129 break; 130 default: 131 $input = &$_REQUEST; 132 $hash = 'REQUEST'; 133 break; 134 } 135 136 if (isset($GLOBALS['_JREQUEST'][$name]['SET.' . $hash]) && ($GLOBALS['_JREQUEST'][$name]['SET.' . $hash] === true)) 137 { 138 // Get the variable from the input hash 139 $var = (isset($input[$name]) && $input[$name] !== null) ? $input[$name] : $default; 140 $var = self::_cleanVar($var, $mask, $type); 141 } 142 elseif (!isset($GLOBALS['_JREQUEST'][$name][$sig])) 143 { 144 if (isset($input[$name])) 145 { 146 // Get the variable from the input hash and clean it 147 $var = self::_cleanVar($input[$name], $mask, $type); 148 149 $GLOBALS['_JREQUEST'][$name][$sig] = $var; 150 } 151 elseif ($default !== null) 152 { 153 // Clean the default value 154 $var = self::_cleanVar($default, $mask, $type); 155 } 156 else 157 { 158 $var = $default; 159 } 160 } 161 else 162 { 163 $var = $GLOBALS['_JREQUEST'][$name][$sig]; 164 } 165 166 return $var; 167 } 168 169 /** 170 * Fetches and returns a given filtered variable. The integer 171 * filter will allow only digits and the - sign to be returned. This is currently 172 * only a proxy function for getVar(). 173 * 174 * See getVar() for more in-depth documentation on the parameters. 175 * 176 * @param string $name Variable name. 177 * @param integer $default Default value if the variable does not exist. 178 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD). 179 * 180 * @return integer Requested variable. 181 * 182 * @since 1.5 183 * @deprecated 1.7 184 */ 185 public static function getInt($name, $default = 0, $hash = 'default') 186 { 187 return self::getVar($name, $default, $hash, 'int'); 188 } 189 190 /** 191 * Fetches and returns a given filtered variable. The unsigned integer 192 * filter will allow only digits to be returned. This is currently 193 * only a proxy function for getVar(). 194 * 195 * See getVar() for more in-depth documentation on the parameters. 196 * 197 * @param string $name Variable name. 198 * @param integer $default Default value if the variable does not exist. 199 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD). 200 * 201 * @return integer Requested variable. 202 * 203 * @since 1.7 204 * @deprecated 1.7 205 */ 206 public static function getUInt($name, $default = 0, $hash = 'default') 207 { 208 return self::getVar($name, $default, $hash, 'uint'); 209 } 210 211 /** 212 * Fetches and returns a given filtered variable. The float 213 * filter only allows digits and periods. This is currently 214 * only a proxy function for getVar(). 215 * 216 * See getVar() for more in-depth documentation on the parameters. 217 * 218 * @param string $name Variable name. 219 * @param float $default Default value if the variable does not exist. 220 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD). 221 * 222 * @return float Requested variable. 223 * 224 * @since 1.5 225 * @deprecated 1.7 226 */ 227 public static function getFloat($name, $default = 0.0, $hash = 'default') 228 { 229 return self::getVar($name, $default, $hash, 'float'); 230 } 231 232 /** 233 * Fetches and returns a given filtered variable. The bool 234 * filter will only return true/false bool values. This is 235 * currently only a proxy function for getVar(). 236 * 237 * See getVar() for more in-depth documentation on the parameters. 238 * 239 * @param string $name Variable name. 240 * @param boolean $default Default value if the variable does not exist. 241 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD). 242 * 243 * @return boolean Requested variable. 244 * 245 * @since 1.5 246 * @deprecated 1.7 247 */ 248 public static function getBool($name, $default = false, $hash = 'default') 249 { 250 return self::getVar($name, $default, $hash, 'bool'); 251 } 252 253 /** 254 * Fetches and returns a given filtered variable. The word 255 * filter only allows the characters [A-Za-z_]. This is currently 256 * only a proxy function for getVar(). 257 * 258 * See getVar() for more in-depth documentation on the parameters. 259 * 260 * @param string $name Variable name. 261 * @param string $default Default value if the variable does not exist. 262 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD). 263 * 264 * @return string Requested variable. 265 * 266 * @since 1.5 267 * @deprecated 1.7 268 */ 269 public static function getWord($name, $default = '', $hash = 'default') 270 { 271 return self::getVar($name, $default, $hash, 'word'); 272 } 273 274 /** 275 * Cmd (Word and Integer) filter 276 * 277 * Fetches and returns a given filtered variable. The cmd 278 * filter only allows the characters [A-Za-z0-9.-_]. This is 279 * currently only a proxy function for getVar(). 280 * 281 * See getVar() for more in-depth documentation on the parameters. 282 * 283 * @param string $name Variable name 284 * @param string $default Default value if the variable does not exist 285 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD) 286 * 287 * @return string Requested variable 288 * 289 * @since 1.5 290 * @deprecated 1.7 291 */ 292 public static function getCmd($name, $default = '', $hash = 'default') 293 { 294 return self::getVar($name, $default, $hash, 'cmd'); 295 } 296 297 /** 298 * Fetches and returns a given filtered variable. The string 299 * filter deletes 'bad' HTML code, if not overridden by the mask. 300 * This is currently only a proxy function for getVar(). 301 * 302 * See getVar() for more in-depth documentation on the parameters. 303 * 304 * @param string $name Variable name 305 * @param string $default Default value if the variable does not exist 306 * @param string $hash Where the var should come from (POST, GET, FILES, COOKIE, METHOD) 307 * @param integer $mask Filter mask for the variable 308 * 309 * @return string Requested variable 310 * 311 * @since 1.5 312 * @deprecated 1.7 313 */ 314 public static function getString($name, $default = '', $hash = 'default', $mask = 0) 315 { 316 // Cast to string, in case JREQUEST_ALLOWRAW was specified for mask 317 return (string) self::getVar($name, $default, $hash, 'string', $mask); 318 } 319 320 /** 321 * Set a variable in one of the request variables. 322 * 323 * @param string $name Name 324 * @param string $value Value 325 * @param string $hash Hash 326 * @param boolean $overwrite Boolean 327 * 328 * @return string Previous value 329 * 330 * @since 1.5 331 * @deprecated 1.7 332 */ 333 public static function setVar($name, $value = null, $hash = 'method', $overwrite = true) 334 { 335 // If overwrite is true, makes sure the variable hasn't been set yet 336 if (!$overwrite && array_key_exists($name, $_REQUEST)) 337 { 338 return $_REQUEST[$name]; 339 } 340 341 // Clean global request var 342 $GLOBALS['_JREQUEST'][$name] = array(); 343 344 // Get the request hash value 345 $hash = strtoupper($hash); 346 347 if ($hash === 'METHOD') 348 { 349 $hash = strtoupper($_SERVER['REQUEST_METHOD']); 350 } 351 352 $previous = array_key_exists($name, $_REQUEST) ? $_REQUEST[$name] : null; 353 354 switch ($hash) 355 { 356 case 'GET': 357 $_GET[$name] = $value; 358 $_REQUEST[$name] = $value; 359 break; 360 case 'POST': 361 $_POST[$name] = $value; 362 $_REQUEST[$name] = $value; 363 break; 364 case 'COOKIE': 365 $_COOKIE[$name] = $value; 366 $_REQUEST[$name] = $value; 367 break; 368 case 'FILES': 369 $_FILES[$name] = $value; 370 break; 371 case 'ENV': 372 $_ENV[$name] = $value; 373 break; 374 case 'SERVER': 375 $_SERVER[$name] = $value; 376 break; 377 } 378 379 // Mark this variable as 'SET' 380 $GLOBALS['_JREQUEST'][$name]['SET.' . $hash] = true; 381 $GLOBALS['_JREQUEST'][$name]['SET.REQUEST'] = true; 382 383 return $previous; 384 } 385 386 /** 387 * Fetches and returns a request array. 388 * 389 * The default behaviour is fetching variables depending on the 390 * current request method: GET and HEAD will result in returning 391 * $_GET, POST and PUT will result in returning $_POST. 392 * 393 * You can force the source by setting the $hash parameter: 394 * 395 * post $_POST 396 * get $_GET 397 * files $_FILES 398 * cookie $_COOKIE 399 * env $_ENV 400 * server $_SERVER 401 * method via current $_SERVER['REQUEST_METHOD'] 402 * default $_REQUEST 403 * 404 * @param string $hash to get (POST, GET, FILES, METHOD). 405 * @param integer $mask Filter mask for the variable. 406 * 407 * @return mixed Request hash. 408 * 409 * @since 1.5 410 * @deprecated 1.7 Use JInput::get() 411 * @see JInput 412 */ 413 public static function get($hash = 'default', $mask = 0) 414 { 415 $hash = strtoupper($hash); 416 417 if ($hash === 'METHOD') 418 { 419 $hash = strtoupper($_SERVER['REQUEST_METHOD']); 420 } 421 422 switch ($hash) 423 { 424 case 'GET': 425 $input = $_GET; 426 break; 427 428 case 'POST': 429 $input = $_POST; 430 break; 431 432 case 'FILES': 433 $input = $_FILES; 434 break; 435 436 case 'COOKIE': 437 $input = $_COOKIE; 438 break; 439 440 case 'ENV': 441 $input = &$_ENV; 442 break; 443 444 case 'SERVER': 445 $input = &$_SERVER; 446 break; 447 448 default: 449 $input = $_REQUEST; 450 break; 451 } 452 453 return self::_cleanVar($input, $mask); 454 } 455 456 /** 457 * Sets a request variable. 458 * 459 * @param array $array An associative array of key-value pairs. 460 * @param string $hash The request variable to set (POST, GET, FILES, METHOD). 461 * @param boolean $overwrite If true and an existing key is found, the value is overwritten, otherwise it is ignored. 462 * 463 * @return void 464 * 465 * @since 1.5 466 * @deprecated 1.7 Use JInput::set() 467 */ 468 public static function set($array, $hash = 'default', $overwrite = true) 469 { 470 foreach ($array as $key => $value) 471 { 472 self::setVar($key, $value, $hash, $overwrite); 473 } 474 } 475 476 /** 477 * Checks for a form token in the request. 478 * 479 * Use in conjunction with JHtml::_('form.token'). 480 * 481 * @param string $method The request method in which to look for the token key. 482 * 483 * @return boolean True if found and valid, false otherwise. 484 * 485 * @since 1.5 486 * @deprecated 1.7 Use JSession::checkToken() instead. Note that 'default' has to become 'request'. 487 */ 488 public static function checkToken($method = 'post') 489 { 490 if ($method === 'default') 491 { 492 $method = 'request'; 493 } 494 495 return JSession::checkToken($method); 496 } 497 498 /** 499 * Clean up an input variable. 500 * 501 * @param mixed $var The input variable. 502 * @param integer $mask Filter bit mask. 503 * 1 = no trim: If this flag is cleared and the input is a string, the string will have leading and trailing 504 * whitespace trimmed. 505 * 2 = allow_raw: If set, no more filtering is performed, higher bits are ignored. 506 * 4 = allow_html: HTML is allowed, but passed through a safe HTML filter first. If set, no more filtering 507 * is performed. If no bits other than the 1 bit is set, a strict filter is applied. 508 * @param string $type The variable type {@see JFilterInput::clean()}. 509 * 510 * @return mixed Same as $var 511 * 512 * @since 1.5 513 * @deprecated 1.7 514 */ 515 protected static function _cleanVar($var, $mask = 0, $type = null) 516 { 517 $mask = (int) $mask; 518 519 // If the no trim flag is not set, trim the variable 520 if (!($mask & 1) && is_string($var)) 521 { 522 $var = trim($var); 523 } 524 525 // Now we handle input filtering 526 if ($mask & 2) 527 { 528 // If the allow raw flag is set, do not modify the variable 529 } 530 elseif ($mask & 4) 531 { 532 // If the allow HTML flag is set, apply a safe HTML filter to the variable 533 $safeHtmlFilter = JFilterInput::getInstance(null, null, 1, 1); 534 $var = $safeHtmlFilter->clean($var, $type); 535 } 536 else 537 { 538 // Since no allow flags were set, we will apply the most strict filter to the variable 539 // $tags, $attr, $tag_method, $attr_method, $xss_auto use defaults. 540 $noHtmlFilter = JFilterInput::getInstance(); 541 $var = $noHtmlFilter->clean($var, $type); 542 } 543 544 return $var; 545 } 546} 547