One of the most important aspects of extension development is gathering input from the user and manipulating it in a meaningful way. Many times, you will collect data with a form and then store it into a database table. Other times, you will decide how to order or display information to the user based on the query string of the URL. In either instance, you are taking and acting upon input from the user. Obviously, you hope that your users have good intentions in using your extension, but unfortunately, the reality is that not everyone has your best interests in mind. For that reason, you must be careful about the input that you allow into your extension.
JRequest to the rescue!
Joomla!, of course, provides some excellent help when it comes to handling user input. The JRequest class is very useful in filtering your input to help protect against hacks such as Cross Site Scripting (XSS) and SQL Injection. If you are already familiar with PHP, you may be tempted to jump in and start working with raw request variables like $_POST and $_GET. Those will certainly still work in Joomla!, but you would be better off to let JRequest take care of the filtering for you.
Let's examine some of JRequest's basic usage:
## Grab 'id' from the $_GET array and ## force it to be an integer
$id = JRequest::getVar('id', '0', 'get', 'int');
Simply by forcing the data type, you can very easily prevent some types of attacks. For example:
JFilterInput::clean(). There are also a handful of shortcut functions for data type declaration (i.e., getBool(), getCmd(), getFloat(), getInt(), getString(), and getWord()).There are several other functions available in JRequest. The last two we will look at give you the ability to set request variables:
here. Read it and become familiar with it as this is one essential Joomla! library that you need to know.