In order to insure that data is in the expected format, the following PHP Superglobal arrays are not to be accessed directly under most situations:The only direct access to these variables is with $_POST['do'] and $_GET['do'], which is used as the controlling variable for deciding which branch of a script is executed. There may also exist very specific cases where direct access is required but should be avoided if at all possible. Do not use $_GET / $_POST / $_REQUEST etc. variables in templates.

clean_gpc() and clean_array_gpc(), members of the vBulletin input class are used to sanitize all user submitted data.

Valid data types are:Each of the data types other than TYPE_NOCLEAN, also have a corresponding Array data type that forces an array of that data type, e.g. TYPE_ARRAY_BOOL.

Sanitized values are accessed via the $vbulletin->GPC array using the value's field name as the array index, e.g. $vbulletin->GPC['field1']. You can be sure that the value in the $vbulletin->GPC array is of the type specified, no matter what may have originally been defined in the Superglobal array. For example, if you specify TYPE_NOHTML, you can display that variable directly in HTML without worrying about it being HTML safe.

The first parameter to both clean_gpc() and clean_array_gpc(), is the first letter initial of the Superglobal array that you are sanitizing the value from. You can only sanitize values from one Superglobal array with any single call to clean_array_gpc() or clean_gpc(). You can not clean values from $_COOKIE and $_POST with the same call, you have to make multiple calls. All of the values will end up in the same $vbulletin->GPC array so insure field names do not overlap.
$_COOKIE values must be accessed using the COOKIE_PREFIX:

$vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'forum_view', TYPE_STR);
$foo = $vbulletin->GPC[COOKIE_PREFIX . 'forum_view'];
    UPDATE " . TABLE_PREFIX . "table SET
        field_one = '" . $db->escape_string(trim($_POST['field_one'])) . "',
        field_two = '" . $db->escape_string(htmlspecialchars_uni(trim($_POST['field_two']))) . "'
    WHERE key_field = " . intval($_POST['key_field') . "

$vbulletin->input->clean_array_gpc('p', array(
    'field_one' => TYPE_STR,
    'field_two' => TYPE_NOHTML,
    'key_field' => TYPE_INT

/* This value can be accessed either by $cleanedvar or $vbulletin->GPC['field_one'] */
$cleanedvar =& $vbulletin->input->clean_gpc('p', 'field_one', TYPE_STR);

    UPDATE " . TABLE_PREFIX . "table SET
        field_one = '" . $db->escape_string($vbulletin->GPC['field_one']) . "',
        field_two = '" . $db->escape_string($vbulletin->GPC['field_two']) . "',
    WHERE key_field = " . $vbulletin->GPC['key_field'] . "
Copyright © 2023 MH Sub I, LLC dba vBulletin. All rights reserved. vBulletin® is a registered trademark of MH Sub I, LLC dba vBulletin.