The _request() function is used to retrieve the values of variables sent by the site visitor, either through the URL (GET parameters) or through a posted form (POST parameters).
$name = _request('name');
Security principles
Calls to _request() must not appear just anywhere in the SPIP files: keeping the places where user input enters the code to a small, known set makes it possible to audit exactly which files an attacker can influence. Values supplied by the visitor may only be read from:
- action files (in the action/ directory),
- the private zone display files (in the exec/ directory),
- some very rare dynamic tag functions (in the balise/ directory), or
- the files that process web forms (in the formulaires/ directory).
As an additional general rule, you must check that the value received really has the expected type and format, so that it cannot be used for injection, even though SPIP already performs a first level of cleaning on input data. For example, if you expect a number, apply the intval() function, which converts any text to an integer (a leading number is kept, so "12abc" becomes 12; text with no leading number becomes 0):
if ($identifier = _request('identifier')) {
    $identifier = intval($identifier);
}
Retrieval from an array
If you want to look the value up in a specific array instead of in the GET and POST data (for example, values that have already been collected and checked), pass that array as the second parameter:
// retrieve $array['name'] if it exists, otherwise null
$name = _request('name', $array);
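The following is an added example, not code from SPIP or from this page. It shows the two checks above together, with a stricter treatment of numeric input than a bare intval(): because intval() keeps any leading digits, "7 OR 1=1" becomes 7, so the example first requires the raw value to be entirely digits before calling intval(). The function spip_request_stub() is a hypothetical stand-in for SPIP's _request(), written here only so the file runs outside SPIP; it mimics the two documented call forms (lookup in $_GET/$_POST, or in a supplied array). The sample form data is constructed. Inside SPIP you would call _request() directly from one of the permitted directories listed above.

```php
<?php
// Stand-in for SPIP's _request(): assumption for offline use, not SPIP's code.
// With an array as second argument it looks the key up there; otherwise it
// reads the GET and POST parameters of the current request.
function spip_request_stub(string $name, ?array $array = null)
{
    if ($array !== null) {
        return $array[$name] ?? null;
    }
    return $_GET[$name] ?? $_POST[$name] ?? null;
}

// Numeric identifier: accept only a string made entirely of digits, then
// convert with intval() and require a positive result. A bare intval()
// would silently accept "7 OR 1=1" as 7 and "abc" as 0.
function read_id(string $name, ?array $source = null): ?int
{
    $raw = spip_request_stub($name, $source);
    if (!is_string($raw) || !preg_match('/^[0-9]+$/', $raw)) {
        return null;
    }
    $id = intval($raw);
    return $id > 0 ? $id : null;
}

// Enumerated parameter (e.g. a sort order destined for an ORDER BY clause):
// compare strictly against an allow-list instead of trusting the string.
function read_choice(string $name, array $allowed, ?array $source = null): ?string
{
    $raw = spip_request_stub($name, $source);
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Constructed sample of a posted form, mixing valid and hostile values.
$form = [
    'id_article'  => '42',
    'id_rubrique' => '7 OR 1=1',
    'tri'         => 'date DESC; DROP TABLE spip_articles',
];

var_dump(read_id('id_article', $form));                             // accepted
var_dump(read_id('id_rubrique', $form));                            // rejected
var_dump(read_choice('tri', ['date', 'titre'], $form));             // rejected
var_dump(read_choice('tri', ['date', 'titre'], ['tri' => 'date'])); // accepted
```

Passing the array explicitly, as in the last call, is the same mechanism as the second parameter of _request(): it lets the same validation functions be reused on data that did not come straight from the request, for instance a set of values already gathered by a form-processing file.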