$_GET / $_POST / $_REQUEST 
In order to ensure that data is in the expected format, the PHP Superglobal arrays ($_GET, $_POST, $_REQUEST and the like) are not to be accessed directly under most circumstances. The only direct access to these variables is $_POST['do'] and $_GET['do'], which are used as the controlling variable for deciding which branch of a script is executed. There may also be very specific cases where direct access is required, but it should be avoided if at all possible. Do not use $_GET / $_POST / $_REQUEST etc. variables in templates.

clean_gpc() and clean_array_gpc(), members of the vBulletin input class, are used to sanitize all user-submitted data.

Each of the valid data types other than TYPE_NOCLEAN also has a corresponding array data type that forces an array of that data type, e.g. TYPE_ARRAY_BOOL.

Sanitized values are accessed via the $vbulletin->GPC array, using the value's field name as the array index, e.g. $vbulletin->GPC['field1']. The value in the $vbulletin->GPC array is guaranteed to be of the type specified, whatever was originally present in the Superglobal array. For example, if you specify TYPE_NOHTML, you can display that variable directly in HTML without worrying about whether it is HTML safe.

The first parameter to both clean_gpc() and clean_array_gpc() is the initial letter of the Superglobal array from which you are sanitizing the value. Any single call to clean_array_gpc() or clean_gpc() can only sanitize values from one Superglobal array: you cannot clean values from $_COOKIE and $_POST with the same call, you have to make multiple calls. All of the values end up in the same $vbulletin->GPC array, so ensure that field names do not overlap.
Note:
$_COOKIE values must be accessed using the COOKIE_PREFIX:

$vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'forum_view', TYPE_STR);
$foo = $vbulletin->GPC[COOKIE_PREFIX . 'forum_view'];

Incorrect: the following accesses $_POST directly and relies on escaping each value by hand at the point of use.

$db->query_write("
    UPDATE " . TABLE_PREFIX . "table SET
        field_one = '" . $db->escape_string(trim($_POST['field_one'])) . "',
        field_two = '" . $db->escape_string(htmlspecialchars_uni(trim($_POST['field_two']))) . "'
    WHERE key_field = " . intval($_POST['key_field']) . "
");

Correct: sanitize the values first, then use them from $vbulletin->GPC.

$vbulletin->input->clean_array_gpc('p', array(
    'field_one' => TYPE_STR,
    'field_two' => TYPE_NOHTML,
    'key_field' => TYPE_INT
));

/* This value can be accessed either by $cleanedvar or $vbulletin->GPC['field_one'] */
$cleanedvar =& $vbulletin->input->clean_gpc('p', 'field_one', TYPE_STR);

/* Strings still need escape_string() for SQL; key_field is TYPE_INT and is already an integer */
$db->query_write("
    UPDATE " . TABLE_PREFIX . "table SET
        field_one = '" . $db->escape_string($vbulletin->GPC['field_one']) . "',
        field_two = '" . $db->escape_string($vbulletin->GPC['field_two']) . "'
    WHERE key_field = " . $vbulletin->GPC['key_field'] . "
");
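The following is an added example, not code from the vBulletin documentation, that puts the rules above together: $_POST['do'] as the only directly read value, separate clean calls for $_COOKIE and $_POST, an array data type, and escaping only where the GPC type does not already make the value safe. It assumes the globals that vBulletin's global.php sets up ($vbulletin, $db, TABLE_PREFIX, COOKIE_PREFIX); the table and field names are hypothetical.

```php
<?php
// Added example, not from the vBulletin documentation. Assumes the globals
// set up by vBulletin's global.php ($vbulletin, $db, TABLE_PREFIX,
// COOKIE_PREFIX); the table and field names below are hypothetical.

// $_POST['do'] is the one Superglobal value read directly: it only selects the branch.
if (isset($_POST['do']) AND $_POST['do'] == 'updateprefs')
{
    // Cookie values need their own call: source 'c', key carries COOKIE_PREFIX.
    $vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'forum_view', TYPE_STR);

    // Form values in a separate call for 'p'. The 'forum_view' field here does
    // not collide with the cookie entry, because that one is keyed with the prefix.
    $vbulletin->input->clean_array_gpc('p', array(
        'forum_view' => TYPE_NOHTML,    // HTML-escaped string: safe to echo, NOT SQL safe
        'threadids'  => TYPE_ARRAY_INT, // array form of TYPE_INT: every element is an int
        'notify'     => TYPE_BOOL,
        'userid'     => TYPE_INT,
    ));

    // TYPE_ARRAY_INT guarantees an array of ints, so imploding it cannot
    // introduce quotes or operators into the IN () list.
    $threadids = $vbulletin->GPC['threadids'];
    if (empty($threadids))
    {
        $threadids = array(0);
    }

    // Strings still go through escape_string(); the int is already safe, and the
    // bool is cast with intval() because a false concatenates to an empty string.
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "userprefs SET
            forum_view = '" . $db->escape_string($vbulletin->GPC['forum_view']) . "',
            notify = " . intval($vbulletin->GPC['notify']) . "
        WHERE userid = " . $vbulletin->GPC['userid'] . "
    ");

    $db->query_write("
        DELETE FROM " . TABLE_PREFIX . "threadwatch
        WHERE userid = " . $vbulletin->GPC['userid'] . "
            AND threadid IN (" . implode(',', $threadids) . ")
    ");

    // Both cleaned values live in the same GPC array under distinct keys.
    $view_from_cookie = $vbulletin->GPC[COOKIE_PREFIX . 'forum_view'];
    $view_from_form   = $vbulletin->GPC['forum_view'];
}
```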
Copyright © 2024 MH Sub I, LLC dba vBulletin. All rights reserved. vBulletin® is a registered trademark of MH Sub I, LLC dba vBulletin.