I would like to know whether the JRequest::getVar() function is sufficient to prevent SQL injection or XSS, or whether something else must be used instead to prevent XSS or SQL injection in a Joomla site.
1 Answer
Assuming you are developing for Joomla 2.5+, you are not supposed to use JRequest anymore, as it's deprecated.
The new way of getting request variables is like this:
$jinput = JFactory::getApplication()->input;
// expecting integer, default 0
$user_id = $jinput->post->get('user_id', 0, 'INT');
// expecting string, default empty string
$user_name = $jinput->post->get('user_name', '', 'STRING');
The third parameter for $jinput is the filter, so if you know you want e.g. an integer to be returned, set the appropriate filter.
Note that for using JInput, magic quotes must be turned off.
To protect from SQL injection, use
$db = JFactory::getDbo();
// $value is not safe
$value = $db->quote($value);
And against XSS
$filter = JFilterInput::getInstance();
// $value is not safe
$value = $filter->clean($value);
After reading your comments, I just want to add that there are no "bad characters" per se. Also, filtering against SQL injection or XSS is very different. For a better understanding of filtering and escaping, refer to The Great Escapism.
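The pieces from the answer above put together in one request-handling path, as an added example that is not code from the original answer or from Joomla itself. It assumes a hypothetical component function that looks a user up by a POSTed id and name; the table alias #__users, the JInput filters, $db->quote() and JFilterInput::clean() are the Joomla 2.5+ APIs the answer refers to.

```php
<?php
// Added example (not from the original answer): read request data through
// JInput with typed filters, quote it for SQL, and escape it separately
// for HTML output. Each layer uses its own escaping; none replaces another.
defined('_JEXEC') or die;

/**
 * Hypothetical helper: look up a user by POSTed user_id and user_name.
 * Returns the row object or null.
 */
function exampleFindUserFromPost()
{
    $input = JFactory::getApplication()->input;

    // Filters cast/clean on the way in: a non-numeric user_id becomes 0,
    // and 'STRING' strips tags from user_name. This is input filtering,
    // not SQL escaping, so the query below still quotes the value.
    $userId   = $input->post->get('user_id', 0, 'INT');
    $userName = $input->post->get('user_name', '', 'STRING');

    $db = JFactory::getDbo();

    // Unsafe pattern the answer warns against (shown only as a comment):
    //   "SELECT * FROM #__users WHERE username = '$userName'"
    // Safe pattern: the query builder plus $db->quote() / $db->quoteName().
    $query = $db->getQuery(true)
        ->select($db->quoteName(array('id', 'name', 'username')))
        ->from($db->quoteName('#__users'))
        ->where($db->quoteName('id') . ' = ' . (int) $userId)
        ->where($db->quoteName('username') . ' = ' . $db->quote($userName));

    $db->setQuery($query);
    return $db->loadObject();
}

/**
 * Hypothetical helper: render a value fetched from the database into HTML.
 * SQL quoting did nothing for the browser, so escape again for this context.
 */
function exampleRenderName($row)
{
    if ($row === null) {
        return '<p>No such user.</p>';
    }
    // JFilterInput::clean() removes markup; htmlspecialchars() then encodes
    // whatever is left so it cannot break out of the surrounding HTML.
    $clean = JFilterInput::getInstance()->clean($row->name, 'STRING');
    return '<p>' . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8') . '</p>';
}
```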