glFusion Wiki

Site Tools



(glFusion SVN)

getVar – Retrieves a $_POST, $_GET, $_REQUEST, $_ENV, or $_COOKIE variable.


getVar ( $type, $key, $mode, $default)

Retrieves a $_POST, $_GET, $_REQUEST, $_ENV, or $_COOKIE variable.



Type of data to retrieve:
  * HTML
  * RAW
  * URL
  * SQL
Type Filtering Description
INTEGER The data returned will be numeric, if non-numeric data is found (i.e.; ABC) 0 will be returned
FLOAT The data returned will be numeric, of type float. If non-numeric data is found, 0 will be returned
STRICT Data will be stripped of any tags (i.e.; <script>)
Data will be stripped of any JavaScript
The following characters will terminate the string (' “ ` ; , \)
PLAIN The data will be stripped of any tags (i.e.; <script>)
All HTML characters will be translated to their corresponding HTML entities
HTML The data will be filtered through the HTML Filter
RAW No data filtering is performed
BOOLEAN Always returns a 0 or 1
URL URL is checked to ensure the protocol (i.e.; http or ftp) is allowed
SQL Data is escaped and prepared for use in SQL query
FILENAME Any .. are removed from the filename, only a-z, 0-9, A-Z, and _ (underscore) are allowed in the filename


Array key in the $_POST, $_GET, $_REQUEST, $_COOKIE, $_ENV space


Type of data; post, get, request, env, cookie. Must specify in
order of precedence. This can be an array i.e.; array('get',
'post') would check $_GET first, if not found then it would 
check $_POST.


Default value to return if key not found in data array.

Return Value

This will return the first item found when passing an array of modes. If you pass array('get','post') and the $_GET variable is set, the $_GET variable will be returned.

Data type of the return value will depend on the type requested.


$mode = $inputHandler->getVar('strict','mode','get','');
if ( $mode == 'save' ) {
  ... do stuff here ...

This function retrieves the value for $_GET['mode'].  
If the variable is not set, the default value of '' 
is returned.
$comment = $inputHandler->getVar('plain','comment','post','');

This example retrieves the value of $_POST['comment'].  
Using type of plain, the data is treated as plain text, 
so all script tags are removed and all HTML characters
are translated to their HTML entity equivalent. If the 
following data was posted:

This is my comment text. 
Here is an image <img src="image.gif">
I'm going to embed a XSS attack! <script>alert('xss');</script>

The following would be returned:

This is my comment text.
Here is an image &lt;img src="image.gif"&gt;
I'm going to embed a XSS attach alert('xss');

Notice the < and > were translated to &lt; and &gt; and 
the <script></script> tags were removed.


getVar automatically calls the PHP function stripslashes() if get_magic_quotes_gpc is enabled.

See Also

glfusion/development/api/sanitize_class/getvar.txt · Last modified: 2016/10/09 15:10 (external edit)