1<?php
2/**
3 * @package     Joomla.Legacy
4 * @subpackage  Request
5 *
6 * @copyright   Copyright (C) 2005 - 2020 Open Source Matters, Inc. All rights reserved.
7 * @license     GNU General Public License version 2 or later; see LICENSE.txt
8 */
9
10defined('JPATH_PLATFORM') or die;
11
12/**
13 * Create the request global object
14 */
15$GLOBALS['_JREQUEST'] = array();
16
17/**
18 * Set the available masks for cleaning variables
19 */
20const JREQUEST_NOTRIM    = 1;
21const JREQUEST_ALLOWRAW  = 2;
22const JREQUEST_ALLOWHTML = 4;
23
24JLog::add('JRequest is deprecated.', JLog::WARNING, 'deprecated');
25
26/**
27 * JRequest Class
28 *
29 * This class serves to provide the Joomla Platform with a common interface to access
30 * request variables.  This includes $_POST, $_GET, and naturally $_REQUEST.  Variables
31 * can be passed through an input filter to avoid injection or returned raw.
32 *
33 * @since       1.5
34 * @deprecated  1.7 Get the JInput object from the application instead
35 */
36class JRequest
37{
38	/**
39	 * Gets the full request path.
40	 *
41	 * @return  string
42	 *
43	 * @since   1.5
44	 * @deprecated  1.7
45	 */
46	public static function getUri()
47	{
48		$uri = JUri::getInstance();
49
50		return $uri->toString(array('path', 'query'));
51	}
52
53	/**
54	 * Gets the request method.
55	 *
56	 * @return  string
57	 *
58	 * @since   1.5
59	 * @deprecated  1.7 Use JInput::getMethod() instead
60	 */
61	public static function getMethod()
62	{
63		return strtoupper($_SERVER['REQUEST_METHOD']);
64	}
65
66	/**
67	 * Fetches and returns a given variable.
68	 *
69	 * The default behaviour is fetching variables depending on the
70	 * current request method: GET and HEAD will result in returning
71	 * an entry from $_GET, POST and PUT will result in returning an
72	 * entry from $_POST.
73	 *
74	 * You can force the source by setting the $hash parameter:
75	 *
76	 * post    $_POST
77	 * get     $_GET
78	 * files   $_FILES
79	 * cookie  $_COOKIE
80	 * env     $_ENV
81	 * server  $_SERVER
82	 * method  via current $_SERVER['REQUEST_METHOD']
83	 * default $_REQUEST
84	 *
85	 * @param   string   $name     Variable name.
86	 * @param   mixed    $default  Default value if the variable does not exist.
87	 * @param   string   $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
88	 * @param   string   $type     Return type for the variable, for valid values see {@link JFilterInput::clean()}.
89	 * @param   integer  $mask     Filter mask for the variable.
90	 *
91	 * @return  mixed  Requested variable.
92	 *
93	 * @since   1.5
94	 * @deprecated  1.7  Use JInput::get()
95	 */
96	public static function getVar($name, $default = null, $hash = 'default', $type = 'none', $mask = 0)
97	{
98		// Ensure hash and type are uppercase
99		$hash = strtoupper($hash);
100
101		if ($hash === 'METHOD')
102		{
103			$hash = strtoupper($_SERVER['REQUEST_METHOD']);
104		}
105
106		$type = strtoupper($type);
107		$sig = $hash . $type . $mask;
108
109		// Get the input hash
110		switch ($hash)
111		{
112			case 'GET':
113				$input = &$_GET;
114				break;
115			case 'POST':
116				$input = &$_POST;
117				break;
118			case 'FILES':
119				$input = &$_FILES;
120				break;
121			case 'COOKIE':
122				$input = &$_COOKIE;
123				break;
124			case 'ENV':
125				$input = &$_ENV;
126				break;
127			case 'SERVER':
128				$input = &$_SERVER;
129				break;
130			default:
131				$input = &$_REQUEST;
132				$hash = 'REQUEST';
133				break;
134		}
135
136		if (isset($GLOBALS['_JREQUEST'][$name]['SET.' . $hash]) && ($GLOBALS['_JREQUEST'][$name]['SET.' . $hash] === true))
137		{
138			// Get the variable from the input hash
139			$var = (isset($input[$name]) && $input[$name] !== null) ? $input[$name] : $default;
140			$var = self::_cleanVar($var, $mask, $type);
141		}
142		elseif (!isset($GLOBALS['_JREQUEST'][$name][$sig]))
143		{
144			if (isset($input[$name]))
145			{
146				// Get the variable from the input hash and clean it
147				$var = self::_cleanVar($input[$name], $mask, $type);
148
149				$GLOBALS['_JREQUEST'][$name][$sig] = $var;
150			}
151			elseif ($default !== null)
152			{
153				// Clean the default value
154				$var = self::_cleanVar($default, $mask, $type);
155			}
156			else
157			{
158				$var = $default;
159			}
160		}
161		else
162		{
163			$var = $GLOBALS['_JREQUEST'][$name][$sig];
164		}
165
166		return $var;
167	}
168
169	/**
170	 * Fetches and returns a given filtered variable. The integer
171	 * filter will allow only digits and the - sign to be returned. This is currently
172	 * only a proxy function for getVar().
173	 *
174	 * See getVar() for more in-depth documentation on the parameters.
175	 *
176	 * @param   string   $name     Variable name.
177	 * @param   integer  $default  Default value if the variable does not exist.
178	 * @param   string   $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
179	 *
180	 * @return  integer  Requested variable.
181	 *
182	 * @since   1.5
183	 * @deprecated  1.7
184	 */
185	public static function getInt($name, $default = 0, $hash = 'default')
186	{
187		return self::getVar($name, $default, $hash, 'int');
188	}
189
190	/**
191	 * Fetches and returns a given filtered variable. The unsigned integer
192	 * filter will allow only digits to be returned. This is currently
193	 * only a proxy function for getVar().
194	 *
195	 * See getVar() for more in-depth documentation on the parameters.
196	 *
197	 * @param   string   $name     Variable name.
198	 * @param   integer  $default  Default value if the variable does not exist.
199	 * @param   string   $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
200	 *
201	 * @return  integer  Requested variable.
202	 *
203	 * @since   1.7
204	 * @deprecated  1.7
205	 */
206	public static function getUInt($name, $default = 0, $hash = 'default')
207	{
208		return self::getVar($name, $default, $hash, 'uint');
209	}
210
211	/**
212	 * Fetches and returns a given filtered variable.  The float
213	 * filter only allows digits and periods.  This is currently
214	 * only a proxy function for getVar().
215	 *
216	 * See getVar() for more in-depth documentation on the parameters.
217	 *
218	 * @param   string  $name     Variable name.
219	 * @param   float   $default  Default value if the variable does not exist.
220	 * @param   string  $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
221	 *
222	 * @return  float  Requested variable.
223	 *
224	 * @since   1.5
225	 * @deprecated  1.7
226	 */
227	public static function getFloat($name, $default = 0.0, $hash = 'default')
228	{
229		return self::getVar($name, $default, $hash, 'float');
230	}
231
232	/**
233	 * Fetches and returns a given filtered variable. The bool
234	 * filter will only return true/false bool values. This is
235	 * currently only a proxy function for getVar().
236	 *
237	 * See getVar() for more in-depth documentation on the parameters.
238	 *
239	 * @param   string   $name     Variable name.
240	 * @param   boolean  $default  Default value if the variable does not exist.
241	 * @param   string   $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
242	 *
243	 * @return  boolean  Requested variable.
244	 *
245	 * @since   1.5
246	 * @deprecated  1.7
247	 */
248	public static function getBool($name, $default = false, $hash = 'default')
249	{
250		return self::getVar($name, $default, $hash, 'bool');
251	}
252
253	/**
254	 * Fetches and returns a given filtered variable. The word
255	 * filter only allows the characters [A-Za-z_]. This is currently
256	 * only a proxy function for getVar().
257	 *
258	 * See getVar() for more in-depth documentation on the parameters.
259	 *
260	 * @param   string  $name     Variable name.
261	 * @param   string  $default  Default value if the variable does not exist.
262	 * @param   string  $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD).
263	 *
264	 * @return  string  Requested variable.
265	 *
266	 * @since   1.5
267	 * @deprecated  1.7
268	 */
269	public static function getWord($name, $default = '', $hash = 'default')
270	{
271		return self::getVar($name, $default, $hash, 'word');
272	}
273
274	/**
275	 * Cmd (Word and Integer) filter
276	 *
277	 * Fetches and returns a given filtered variable. The cmd
278	 * filter only allows the characters [A-Za-z0-9.-_]. This is
279	 * currently only a proxy function for getVar().
280	 *
281	 * See getVar() for more in-depth documentation on the parameters.
282	 *
283	 * @param   string  $name     Variable name
284	 * @param   string  $default  Default value if the variable does not exist
285	 * @param   string  $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD)
286	 *
287	 * @return  string  Requested variable
288	 *
289	 * @since   1.5
290	 * @deprecated  1.7
291	 */
292	public static function getCmd($name, $default = '', $hash = 'default')
293	{
294		return self::getVar($name, $default, $hash, 'cmd');
295	}
296
297	/**
298	 * Fetches and returns a given filtered variable. The string
299	 * filter deletes 'bad' HTML code, if not overridden by the mask.
300	 * This is currently only a proxy function for getVar().
301	 *
302	 * See getVar() for more in-depth documentation on the parameters.
303	 *
304	 * @param   string   $name     Variable name
305	 * @param   string   $default  Default value if the variable does not exist
306	 * @param   string   $hash     Where the var should come from (POST, GET, FILES, COOKIE, METHOD)
307	 * @param   integer  $mask     Filter mask for the variable
308	 *
309	 * @return  string   Requested variable
310	 *
311	 * @since   1.5
312	 * @deprecated  1.7
313	 */
314	public static function getString($name, $default = '', $hash = 'default', $mask = 0)
315	{
316		// Cast to string, in case JREQUEST_ALLOWRAW was specified for mask
317		return (string) self::getVar($name, $default, $hash, 'string', $mask);
318	}
319
320	/**
321	 * Set a variable in one of the request variables.
322	 *
323	 * @param   string   $name       Name
324	 * @param   string   $value      Value
325	 * @param   string   $hash       Hash
326	 * @param   boolean  $overwrite  Boolean
327	 *
328	 * @return  string   Previous value
329	 *
330	 * @since   1.5
331	 * @deprecated  1.7
332	 */
333	public static function setVar($name, $value = null, $hash = 'method', $overwrite = true)
334	{
335		// If overwrite is true, makes sure the variable hasn't been set yet
336		if (!$overwrite && array_key_exists($name, $_REQUEST))
337		{
338			return $_REQUEST[$name];
339		}
340
341		// Clean global request var
342		$GLOBALS['_JREQUEST'][$name] = array();
343
344		// Get the request hash value
345		$hash = strtoupper($hash);
346
347		if ($hash === 'METHOD')
348		{
349			$hash = strtoupper($_SERVER['REQUEST_METHOD']);
350		}
351
352		$previous = array_key_exists($name, $_REQUEST) ? $_REQUEST[$name] : null;
353
354		switch ($hash)
355		{
356			case 'GET':
357				$_GET[$name] = $value;
358				$_REQUEST[$name] = $value;
359				break;
360			case 'POST':
361				$_POST[$name] = $value;
362				$_REQUEST[$name] = $value;
363				break;
364			case 'COOKIE':
365				$_COOKIE[$name] = $value;
366				$_REQUEST[$name] = $value;
367				break;
368			case 'FILES':
369				$_FILES[$name] = $value;
370				break;
371			case 'ENV':
372				$_ENV[$name] = $value;
373				break;
374			case 'SERVER':
375				$_SERVER[$name] = $value;
376				break;
377		}
378
379		// Mark this variable as 'SET'
380		$GLOBALS['_JREQUEST'][$name]['SET.' . $hash] = true;
381		$GLOBALS['_JREQUEST'][$name]['SET.REQUEST'] = true;
382
383		return $previous;
384	}
385
386	/**
387	 * Fetches and returns a request array.
388	 *
389	 * The default behaviour is fetching variables depending on the
390	 * current request method: GET and HEAD will result in returning
391	 * $_GET, POST and PUT will result in returning $_POST.
392	 *
393	 * You can force the source by setting the $hash parameter:
394	 *
395	 * post     $_POST
396	 * get      $_GET
397	 * files    $_FILES
398	 * cookie   $_COOKIE
399	 * env      $_ENV
400	 * server   $_SERVER
401	 * method   via current $_SERVER['REQUEST_METHOD']
402	 * default  $_REQUEST
403	 *
404	 * @param   string   $hash  to get (POST, GET, FILES, METHOD).
405	 * @param   integer  $mask  Filter mask for the variable.
406	 *
407	 * @return  mixed    Request hash.
408	 *
409	 * @since   1.5
410	 * @deprecated  1.7  Use JInput::get()
411	 * @see     JInput
412	 */
413	public static function get($hash = 'default', $mask = 0)
414	{
415		$hash = strtoupper($hash);
416
417		if ($hash === 'METHOD')
418		{
419			$hash = strtoupper($_SERVER['REQUEST_METHOD']);
420		}
421
422		switch ($hash)
423		{
424			case 'GET':
425				$input = $_GET;
426				break;
427
428			case 'POST':
429				$input = $_POST;
430				break;
431
432			case 'FILES':
433				$input = $_FILES;
434				break;
435
436			case 'COOKIE':
437				$input = $_COOKIE;
438				break;
439
440			case 'ENV':
441				$input = &$_ENV;
442				break;
443
444			case 'SERVER':
445				$input = &$_SERVER;
446				break;
447
448			default:
449				$input = $_REQUEST;
450				break;
451		}
452
453		return self::_cleanVar($input, $mask);
454	}
455
456	/**
457	 * Sets a request variable.
458	 *
459	 * @param   array    $array      An associative array of key-value pairs.
460	 * @param   string   $hash       The request variable to set (POST, GET, FILES, METHOD).
461	 * @param   boolean  $overwrite  If true and an existing key is found, the value is overwritten, otherwise it is ignored.
462	 *
463	 * @return  void
464	 *
465	 * @since   1.5
466	 * @deprecated  1.7  Use JInput::set()
467	 */
468	public static function set($array, $hash = 'default', $overwrite = true)
469	{
470		foreach ($array as $key => $value)
471		{
472			self::setVar($key, $value, $hash, $overwrite);
473		}
474	}
475
476	/**
477	 * Checks for a form token in the request.
478	 *
479	 * Use in conjunction with JHtml::_('form.token').
480	 *
481	 * @param   string  $method  The request method in which to look for the token key.
482	 *
483	 * @return  boolean  True if found and valid, false otherwise.
484	 *
485	 * @since   1.5
486	 * @deprecated  1.7 Use JSession::checkToken() instead. Note that 'default' has to become 'request'.
487	 */
488	public static function checkToken($method = 'post')
489	{
490		if ($method === 'default')
491		{
492			$method = 'request';
493		}
494
495		return JSession::checkToken($method);
496	}
497
498	/**
499	 * Clean up an input variable.
500	 *
501	 * @param   mixed    $var   The input variable.
502	 * @param   integer  $mask  Filter bit mask.
503	 *                           1 = no trim: If this flag is cleared and the input is a string, the string will have leading and trailing
504	 *                               whitespace trimmed.
505	 *                           2 = allow_raw: If set, no more filtering is performed, higher bits are ignored.
506	 *                           4 = allow_html: HTML is allowed, but passed through a safe HTML filter first. If set, no more filtering
507	 *                               is performed. If no bits other than the 1 bit is set, a strict filter is applied.
508	 * @param   string   $type  The variable type {@see JFilterInput::clean()}.
509	 *
510	 * @return  mixed  Same as $var
511	 *
512	 * @since   1.5
513	 * @deprecated  1.7
514	 */
515	protected static function _cleanVar($var, $mask = 0, $type = null)
516	{
517		$mask = (int) $mask;
518
519		// If the no trim flag is not set, trim the variable
520		if (!($mask & 1) && is_string($var))
521		{
522			$var = trim($var);
523		}
524
525		// Now we handle input filtering
526		if ($mask & 2)
527		{
528			// If the allow raw flag is set, do not modify the variable
529		}
530		elseif ($mask & 4)
531		{
532			// If the allow HTML flag is set, apply a safe HTML filter to the variable
533			$safeHtmlFilter = JFilterInput::getInstance(null, null, 1, 1);
534			$var = $safeHtmlFilter->clean($var, $type);
535		}
536		else
537		{
538			// Since no allow flags were set, we will apply the most strict filter to the variable
539			// $tags, $attr, $tag_method, $attr_method, $xss_auto use defaults.
540			$noHtmlFilter = JFilterInput::getInstance();
541			$var = $noHtmlFilter->clean($var, $type);
542		}
543
544		return $var;
545	}
546}
547