- $_GET
- $_POST
- $_REQUEST
- $_COOKIE
- $_FILES
clean_gpc() and clean_array_gpc(), members of the vBulletin input class, are used to sanitize all user-submitted data.
Valid data types are:
- TYPE_BOOL - Boolean
- TYPE_INT - Integer
- TYPE_UINT - Unsigned Integer
- TYPE_NUM - Floating Point Number
- TYPE_UNUM - Unsigned Floating Point Number
- TYPE_UNIXTIME - Unix Timestamp (Unsigned Integer)
- TYPE_STR - Trimmed String (No leading or trailing whitespace)
- TYPE_NOTRIM - String
- TYPE_NOHTML - Trimmed String sent through htmlspecialchars_uni()
- TYPE_ARRAY - Array
- TYPE_FILE - File
- TYPE_NOCLEAN - Unvalidated
Sanitized values are accessed via the $vbulletin->GPC array using the value's field name as the array index, e.g. $vbulletin->GPC['field1']. You can be sure that the value in the $vbulletin->GPC array is of the type specified, no matter what may have originally been defined in the Superglobal array. For example, if you specify TYPE_NOHTML, you can display that variable directly in HTML without worrying about it being HTML safe.
The first parameter to both clean_gpc() and clean_array_gpc() is the first letter of the Superglobal array that you are sanitizing the value from. You can only sanitize values from one Superglobal array in any single call to clean_array_gpc() or clean_gpc(). You cannot clean values from $_COOKIE and $_POST with the same call; you have to make multiple calls. All of the values end up in the same $vbulletin->GPC array, so ensure field names do not overlap.
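To make the type guarantee above concrete, here is a small Python model of the coercion rules for each TYPE_ constant. It is an added illustration, not vBulletin's own code: the constants' numeric values, the emulation of PHP's intval()/floatval() and the sample POST data are constructed for the example.

```python
import html
import re

# Type names as on the page; the numeric values are constructed for this model.
(TYPE_BOOL, TYPE_INT, TYPE_UINT, TYPE_NUM, TYPE_UNUM, TYPE_UNIXTIME,
 TYPE_STR, TYPE_NOTRIM, TYPE_NOHTML, TYPE_ARRAY, TYPE_NOCLEAN) = range(1, 12)

_INT_RE = re.compile(r"^\s*[+-]?\d+")
_NUM_RE = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)")

def _intval(value):
    """Emulate PHP intval() on a string: leading integer, else 0."""
    m = _INT_RE.match(str(value))
    return int(m.group()) if m else 0

def _floatval(value):
    m = _NUM_RE.match(str(value))
    return float(m.group()) if m else 0.0

def clean(value, vbtype):
    """Coerce one raw request value to the declared type (model of clean_gpc)."""
    if vbtype == TYPE_BOOL:
        return _intval(value) != 0
    if vbtype == TYPE_INT:
        return _intval(value)
    if vbtype in (TYPE_UINT, TYPE_UNIXTIME):   # unsigned: negatives become 0
        return max(0, _intval(value))
    if vbtype == TYPE_NUM:
        return _floatval(value)
    if vbtype == TYPE_UNUM:
        return max(0.0, _floatval(value))
    if vbtype == TYPE_STR:
        return str(value).strip()
    if vbtype == TYPE_NOTRIM:
        return str(value)
    if vbtype == TYPE_NOHTML:                   # trimmed, then HTML-escaped
        return html.escape(str(value).strip(), quote=True)
    if vbtype == TYPE_ARRAY:
        return value if isinstance(value, (list, dict)) else []
    return value                                # TYPE_NOCLEAN: untouched

def clean_array_gpc(source, fields):
    """Clean several fields from ONE superglobal dict into a GPC-style dict."""
    return {name: clean(source.get(name, ""), t) for name, t in fields.items()}

# Constructed POST data carrying the kind of input the declared types neutralise.
POST = {"field_one": "  hello  ", "field_two": "<script>alert(1)</script>", "key_field": "7 OR 1=1"}
GPC = clean_array_gpc(POST, {"field_one": TYPE_STR, "field_two": TYPE_NOHTML,
                             "key_field": TYPE_INT})
```

After the call, GPC['key_field'] is the integer 7 and GPC['field_two'] is HTML-escaped, which is why the page's second query can embed them without further escaping of the integer.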
Note:
$_COOKIE values must be accessed using the COOKIE_PREFIX:
$vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'forum_view', TYPE_STR);
$foo = $vbulletin->GPC[COOKIE_PREFIX . 'forum_view'];
// Sanitising the raw superglobals by hand:
$db->query_write("
    UPDATE " . TABLE_PREFIX . "table
    SET field_one = '" . $db->escape_string(trim($_POST['field_one'])) . "',
        field_two = '" . $db->escape_string(htmlspecialchars_uni(trim($_POST['field_two']))) . "'
    WHERE key_field = " . intval($_POST['key_field']) . "
");

// The same update using the input class:
$vbulletin->input->clean_array_gpc('p', array(
    'field_one' => TYPE_STR,
    'field_two' => TYPE_NOHTML,
    'key_field' => TYPE_INT
));

/* This value can be accessed either by $cleanedvar or $vbulletin->GPC['field_one'] */
$cleanedvar =& $vbulletin->input->clean_gpc('p', 'field_one', TYPE_STR);

$db->query_write("
    UPDATE " . TABLE_PREFIX . "table
    SET field_one = '" . $db->escape_string($vbulletin->GPC['field_one']) . "',
        field_two = '" . $db->escape_string($vbulletin->GPC['field_two']) . "'
    WHERE key_field = " . $vbulletin->GPC['key_field'] . "
");