Function.request_var

request_var -- Get passed variables from $_GET, $_POST, or $_COOKIE

Description
Input variables provided to the script via the GET, POST, and COOKIE input mechanisms cannot be trusted. Use the request_var function for everything except submit or single checking parameters. request_var determines the type to cast to (see type casting) from its second parameter, which also serves as the default value. If you need a scalar variable type, you must tell request_var so explicitly.

    mixed request_var ( $var_name, $default [, $multibyte [, $cookie ]] )

Return Values
Mixed - Returns the value of the requested variable if it is set; otherwise returns the value of the default parameter. The returned variable is type cast to the type of the default parameter.

Example #1 Old method, do not use it
This was the method used within phpBB2; it is no longer valid within phpBB3.

    $start = (isset($HTTP_GET_VARS['start'])) ? intval($HTTP_GET_VARS['start']) : intval($HTTP_POST_VARS['start']);
    $submit = (isset($HTTP_POST_VARS['submit'])) ? true : false;

Example #2 set default and type cast to integer
Use request_var and define a default value of the correct type.

    $start = request_var('start', 0);

    // because we only determine if the variable isset, and only a $_POST variable, this is permitted
    $submit = (isset($_POST['submit'])) ? true : false;

Example #3 Incorrectly setting variable type
Because $start is an int, the following use of request_var is not allowed. This is a common mistake and could result in an SQL injection if the variable is expected to be an integer and is inserted into a database query without proper sanitisation.

    $start = request_var('start', '0');

Example #4 Getting Arrays - key and value cast to int
Getting an array; keys are integers, value defaults to 0.

    $mark_array = request_var('mark', array(0));
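
The difference between Examples #2, #3 and #4, as an added sketch that is not phpBB's own code: `demo_request_var()`, `demo_cast()`, the `demo_topics` table and the request data are hypothetical, and the string clean-up step (trim plus HTML-escape) is an assumption.

```php
<?php
// Added illustration. demo_request_var() is a hypothetical, simplified stand-in
// for the default-driven casting described above; it is not phpBB's code.
function demo_cast($value, $default)
{
    $type = gettype($default);   // the default's type selects the cast
    settype($value, $type);
    if ($type === 'string') {
        // Assumption: strings are trimmed and HTML-escaped, which is not SQL escaping.
        $value = trim(htmlspecialchars($value, ENT_COMPAT, 'UTF-8'));
    }
    return $value;
}

function demo_request_var(array $input, $name, $default)
{
    // Missing input, or array/scalar mismatch with the default: use the default.
    if (!isset($input[$name]) || is_array($input[$name]) !== is_array($default)) {
        return is_array($default) ? array() : $default;
    }
    if (!is_array($default)) {
        return demo_cast($input[$name], $default);
    }
    // One-level array: key and value types both come from the default's single pair.
    $key_default = key($default);
    $value_default = current($default);
    $out = array();
    foreach ($input[$name] as $key => $value) {
        if (!is_array($value)) {
            $out[demo_cast($key, $key_default)] = demo_cast($value, $value_default);
        }
    }
    return $out;
}

// Constructed request data standing in for $_GET / $_POST.
$input = array(
    'start' => '20 OR 1=1',
    'mark'  => array('3' => '7', 'x' => '9abc'),
);

// demo_topics is a made-up table name used only for this illustration.
$sql = 'SELECT topic_id FROM demo_topics WHERE forum_id = ';

var_dump($sql . demo_request_var($input, 'start', 0));     // integer default
var_dump($sql . demo_request_var($input, 'start', '0'));   // string default, the Example #3 mistake
var_dump(demo_request_var($input, 'mark', array(0)));      // keys and values cast to int
```

Only the integer default strips the trailing text before the value reaches the query; HTML-escaping leaves it untouched, so a value retrieved as a string still needs SQL escaping before it is used in a query.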

Example #5 Getting Arrays - key cast to string, value to int
Getting an array; keys are strings, value defaults to 0.

    $action_ary = request_var('action', array('' => 0));

Example #6 Getting Multidimensional Arrays
Getting a multidimensional array (down to 2 levels) with all keys and values cast to strings. The phpBB 3.0.x request_var function only supports multidimensional arrays to a maximum of 2 levels deep.

    $attr_auths = request_var('attr_auths', array(
        '' => array(
            '' => ''
        )
    ));

Example #7 Getting Multidimensional Arrays - cast and specify keys
Getting a multidimensional array 2 levels deep. The first level has its keys cast to int and its values cast to array; inside that array (the second level) the keys are cast to strings and the values to int. Please note that request_var in phpBB 3.0.x only supports multidimensional arrays to a maximum of 2 levels deep.

    $attr_auths = request_var('attr_auths', array(
        0 => array(
            'forum_id' => 0,
            'group_id' => 0
        )
    ));

Example #8 Getting Multibyte chars
Requesting a multibyte string.

    $message = utf8_normalize_nfc(request_var('message', '', true));

Example #9 Getting a Decimal (float)
Requesting a float variable, also known as a double or decimal.

    $price = request_var('price', 0.0);

Example #10 Getting variables from a cookie
To get a variable that is held in a cookie, set the fourth parameter to true.

    $cookie = request_var('cookie_time', 0, false, true);

request_var does not automatically prefix the board cookie name. Use the following code to get board cookies:

    $cookie = request_var($config['cookie_name'] . '_cookie_name', 0, false, true);

Unicode (UTF-8) Support

With request_var you can either allow all UCS characters in user input or restrict user input to ASCII characters. This feature is controlled by the function's third parameter, $multibyte. You should allow multibyte characters in posts, PMs, topic titles, forum names, etc., but this is not necessary for internal uses such as a $mode variable, which should only hold one of a predefined list of ASCII strings anyway.

Unicode Normalisation

If you retrieve user input with multibyte characters, you should additionally normalize the string using utf8_normalize_nfc before you work with it. This is necessary to make sure that equal characters can only occur in one particular binary representation. For example, the character Å can be represented either as U+00C5 (LATIN CAPITAL LETTER A WITH RING ABOVE) or as U+212B (ANGSTROM SIGN). phpBB uses Normalization Form Canonical Composition (NFC) for all text. So the correct version of the above example would look like this:

    $_REQUEST['multibyte_string'] = 'Käse';

    // normalize multibyte strings
    echo utf8_normalize_nfc(request_var('multibyte_string', '', true));
    // ASCII strings do not need to be normalized
    echo request_var('multibyte_string', '');