|Input Sanitization using JRequst|
|Web Development - Joomla|
|Friday, 29 May 2009 06:51|
Think about the most basic kind of web page you can create, static HTML. In this sense, you are not expecting any input (either from the user or via a link) to effect the output. This was the easy life back in the early days of the Internet, and life was good. Today, most websites are dynamic. This is most likely why you are using a CMS like Joomla. Now, you may not include any "interactive" features on your website, but the second you start using Joomla your site truly is interactive, because a dynamic site relies upon dynamic content. In most cases, you may (think that you) control the input, but there is really nothing stopping the user from changing the dynamic instructions you set.
Let's take simple example. You have a muli-page article. On the bottom of page one you have a link with a target like this
This may seem fairly obvious in today's world of XSS, CSRF, and other nasty acronyms. However, if you are writing Joomla components you must take this into account. As Joomla grows in popularity, hackers will be drawn to attack your code. Further compounding this issue is that most Joomla site owners know absolutely nothing about HTML never mind web security or procedures. That is why you must make your code as strict is possible - I know this if often very hard in a loose language such as PHP on which Joomla is built.
But alas, Joomla provides a great class that does a lot of the dirty work for you, JRequest.
JRequest Class DescriptionThis class serves to provide the Joomla Framework with a common interface to access request variables. This includes $_POST, $_GET, and naturally $_REQUEST. Variables can be passed through an input filter to avoid injection or returned raw.
The first thing we should look at here is the getVar method.
Here is the method prototype:
mixed getVar (string $name, [string $default = null], [string $hash = 'default'], [string $type = 'none'], int $mask)
So let's dissect this little beast. The first thing you specify is the variable name, this would be the key from the request hash. For example, if you wanted to get the value for
Saving keystrokes is always nice, especially considering my typo-prone digits. The next variable is the
The next parameter is the type. This is the datatype primitive that you are expecting and can be any of the following:
Most of those should seem familiar to you. ALNUM is a type defined as an alphanumeric string with the following regex
The last parameter
"Filter bit mask. 1=no trim: If this flag is cleared and the input is a string, the string will have leading and trailing whitespace trimmed. 2=allow_raw: If set, no more filtering is performed, higher bits are ignored. 4=allow_html: HTML is allowed, but passed through a safe HTML filter first. If set, no more filtering is performed. If no bits other than the 1 bit is set, a strict filter is applied."
A bit filter means you can specify multiple options at once via the magic of binary math. To see the processing, check the API.
Now, to add readability to your code, you can also use some proxy methods which will set the type for you, these include
Note that all of the accessors (the functions that start with "get") in JRequest are static, which means you can call them without creating an instance of the JRequest class.
In JRquest there is also one other method which is interesting when considering input sanitization, the
So now, onto some examples.
Given the following variable set:
*Note both hash and type will be converted to uppercase for you in their processing.
So by using JRequest you are on your way to securing your Joomla extensions from all sorts of nasty injections. If an when additional security flaws are found, it is likely that the Joomla team will fortify the code here, providing a single piece of code that needs to be fixed. By using JRequest you may lock yourself into Joomla-specific functionality, but it provides some forward-leaning code protection.
Good day, and good (secure) coding.